Question
Are there any Data Sovereignty requirements for a Consumer Data Right (CDR) solution developed by a FinTech on behalf of a Data Holder to be hosted in Australian Data Centres (either Cloud Provider or Hosted Solution)? There doesn't appear to be any mention of this in the available CDR specifications.
Answer
There are currently no requirements in the CDR system for CDR data to be stored in Australian data centres. Where the entity is an accredited data recipient, they must not disclose CDR data to a recipient located overseas unless one of the exceptions in Privacy Safeguard 8 applies. We provide further guidance on these exceptions in Chapter 8 of the OAIC’s CDR Privacy Safeguard Guidelines.
In addition, where an accredited data recipient proposes to store CDR data outside of Australia or an external territory, it must specify the countries where it proposes to store the data in its CDR policy. This is required by Privacy Safeguard 1 and CDR Rule 7.2(7). For further information see OAIC’s Guide to developing a CDR policy.