The consumer authorisation process allows a data holder to disclose CDR data to an accredited data recipient (ADR) in response to a valid consumer data request, after a consumer has provided consent to the ADR and the identity of the consumer has been appropriately authenticated by the data holder. The authorisation process must comply with the CDR Rules and Standards.
During the period in which a consumer’s consent and authorisation are current, a data holder might decide to make changes to:
- its CDR implementation (for example, by migrating from one technology solution to another) or
- the products or plans that it offers which may require customers to transfer to different products or plans.
This article highlights the need for data holders to carefully consider the impact of changes on consents and authorisations. It sets out the ACCC’s expectation that data holders take appropriate steps to ensure continuity of ongoing consents and authorisations in accordance with the CDR Rules.
CDR Rules and Standards
The Competition and Consumer Act 2010 (Cth) (CCA) and the CDR Rules and Standards impose a variety of obligations on data holders in relation to authorisations for CDR data. For example, a data holder must:
- disclose data in accordance with a consumer’s consent and authorisation in response to a valid consumer data request (rule 4.6(4)) and
- provide the CDR consumer with an online service that contains the details of each authorisation provided by the consumer to disclose CDR data (rule 1.15(1)).
Rules 4.14 and 4.26 of the CDR Rules respectively set out when a consent or authorisation expires.
Any data holder that disrupts or causes a break in a consent or authorisation, or that fails to comply with the CDR Rules (including its obligation to disclose CDR data in accordance with a current authorisation), outside the circumstances provided for in the CDR Rules, may be in breach of its obligations.
Rules 4.6(4) and 1.15(1) are civil penalty provisions, meaning that contravention of these rules may give rise to liability for a 'civil penalty' enforceable by a court.
Data holders should be aware that the Consumer Data Standards provide that certain identifier attributes must remain static across data holder interactions with a data recipient and that changes to these attributes will affect existing data sharing arrangements. These identifiers include the:
- CDR arrangement identifier (static across consents within the one sharing arrangement)
- account, transaction and other data identifiers (ID Permanence across sessions and consents) and
- end user subject identifier (Pairwise Pseudonymous Identifier).
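The identifier-continuity check below is an added illustration, not part of this article or of the Consumer Data Standards. It assumes one common pairwise scheme (the subject identifier is an HMAC-SHA256 over a per-recipient pairing and a durable subject key held by the data holder); the holder secret, arrangement, recipient and account values are constructed sample data. It shows how a solution migration that re-keys consumers to a new internal customer number, or a plan transfer that issues a new account identifier, silently changes what the recipient sees, and how to detect that before go-live.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed holder-side pairing secret (assumption: never rotated mid-arrangement).
SECRET = b"constructed-holder-secret"


def pairwise_subject_id(holder_secret: bytes, adr_id: str, subject_key: str) -> str:
    """Assumed PPID derivation: HMAC over (recipient id, durable subject key).

    The durable subject key must be carried across migrations; deriving the PPID
    from an internal customer number that a migration re-issues breaks the identifier.
    """
    msg = f"{adr_id}|{subject_key}".encode()
    return hmac.new(holder_secret, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Arrangement:
    cdr_arrangement_id: str   # static across consents within one sharing arrangement
    adr_id: str               # accredited data recipient the consumer authorised
    subject_key: str          # durable key reserved for PPID derivation only
    account_ids: frozenset    # account identifiers exposed under the authorisation


def exposed_identifiers(holder_secret: bytes, arr: Arrangement) -> dict:
    """The identifier set a recipient observes for this arrangement."""
    return {
        "cdr_arrangement_id": arr.cdr_arrangement_id,
        "sub": pairwise_subject_id(holder_secret, arr.adr_id, arr.subject_key),
        "account_ids": arr.account_ids,
    }


def identifier_breaks(holder_secret: bytes, before: Arrangement, after: Arrangement) -> list:
    """Names of exposed identifiers that would change if `after` replaced `before`."""
    old = exposed_identifiers(holder_secret, before)
    new = exposed_identifiers(holder_secret, after)
    return sorted(k for k in old if old[k] != new[k])


# Constructed sample arrangement and three candidate post-change states.
BEFORE = Arrangement("arr-0001", "adr-example", "subj-7f3a", frozenset({"acct-1001"}))
# Naive platform migration: PPID re-derived from the new core system's customer number.
NAIVE_MIGRATION = Arrangement("arr-0001", "adr-example", "cust-99821", frozenset({"acct-1001"}))
# Migration that carries the durable subject key and account ids across unchanged.
SAFE_MIGRATION = Arrangement("arr-0001", "adr-example", "subj-7f3a", frozenset({"acct-1001"}))
# Plan transfer that issues a fresh account identifier instead of preserving the old one.
PLAN_TRANSFER = Arrangement("arr-0001", "adr-example", "subj-7f3a", frozenset({"acct-2002"}))
```

Running `identifier_breaks(SECRET, BEFORE, NAIVE_MIGRATION)` reports `sub` and the plan-transfer case reports `account_ids`, while the safe migration reports nothing; the same comparison can be run over a holder's full arrangement table as a pre-cutover gate.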
ACCC expectations
The ACCC expects data holders to manage current consumer consents and authorisations in accordance with the CDR Rules. Disrupting or breaking consents and authorisations outside the circumstances contemplated by the CDR Rules can disrupt the services provided by data recipients, and disadvantage consumers who access and rely on those services.
When progressing a change to a CDR solution or transferring a consumer account to a different product or plan, the ACCC expects data holders to:
- identify early if the change may impact or disrupt current consents and authorisations
- develop and implement strategies, prior to implementing the change, to ensure that current consents and authorisations are not impacted or disrupted
- maintain data sharing, where current consents and authorisations exist, in accordance with the CDR Rules
- maintain the accuracy and availability of consumer dashboards, including historical information, in accordance with the CDR Rules.
Compliance
The ACCC and the OAIC are jointly responsible for monitoring compliance with the CDR framework and pursuing enforcement activity if necessary. Conduct that contravenes the Rules, and which has the outcome of significantly disrupting or frustrating the process of disclosure may fall within the priorities outlined in the ACCC/OAIC Joint Compliance and Enforcement Policy.
OAIC
The OAIC enforces the Privacy Safeguards and privacy-related CDR Rules. During an implementation change, or product or plan migration, a data holder must continue to comply with all privacy-related legislation. This includes the obligations contained in Privacy Safeguard 1 to take steps that are reasonable in the circumstances to implement practices, procedures and systems that ensure compliance with the CCA and the CDR Rules. Data holders must also continue to:
- comply with Privacy Safeguard 10 in relation to notification of disclosures made under an authorisation
- ensure accuracy of CDR data when it is disclosed in accordance with Privacy Safeguard 11 and
- respond to correction requests in accordance with Privacy Safeguards 11 and 13.
If the OAIC considers there is a breach of CDR privacy obligations, it may take regulatory action proportionate to the seriousness of the breach and the level of harm or potential harm.
ACCC
The ACCC considers non-compliance in line with the factors in the ACCC/OAIC Joint Compliance and Enforcement Policy, particularly the actions of the business in relation to the conduct. This includes whether the conduct was self-reported, the timing of the self-report, and whether the business has taken action to mitigate the impact of the breach.
We encourage early engagement with the ACCC regarding any proposed changes to a CDR solution or a product or plan migration. Where a data holder considers termination of current consents or authorisations is unavoidable, it should report this to the ACCC Compliance Team via accc-cdr@accc.gov.au as an instance of potential non-compliance. We advise doing this before an approach to any implementation change or product or plan migration is finalised.