Is it clear who is liable for a data holder's customers' data once it has been disclosed to an accredited data recipient (ADR)? In the Consumer Data Right (CDR) FAQs there is the statement 'The Consumer Data Right regulatory framework, which covers the Competition and Consumer Act 2010 (Cth) (the Act) and the Consumer Data Right Rules, establishes clear principles of liability.' Where are these principles stated? Is liability for data security correctly disclosed to ADRs based on the customer's explicit consent with the ADR?
Below is an extract from the Explanatory Memorandum to the Consumer Data Right Bill, which introduced the changes to the Competition and Consumer Act:
Protection from liability
1.465 The CDR applies to data that is captured within designated sectors and data sets. As such, it is primarily about the provision of information by persons within the CDR system and consistently with the consumer data rules, the privacy framework and the Privacy Act 1988.
1.466 If a person provides information to another person or allows that person to access information, in good faith and complying with a CDR system requirement, the person providing the information is protected from liability. That is, a person so protected from liability will not be able to have an action taken against them, whether civil or criminal, for or in relation to the provision of the relevant CDR information. [Schedule 1, item 1, section 56GC]
1.467 A person who wants to rely on a protection from liability bears an evidential burden of proof. This is appropriate given that the person will know whether or not they received evidence of a valid consent or request and otherwise met the obligations in the CDR regime. [Schedule 1, item 1, subsections 56GC(2) and 56GC(3)]
As this explains, a data holder or an accredited data recipient will need to ensure that it has met its obligations under the Act and the Rules, and be able to provide evidence that it has done so.
For ADRs, this includes compliance with data security requirements such as those in the data standards, Schedule 2 of the consumer data rules, and in the privacy safeguards (particularly Privacy Safeguard 12). We would not expect liability to accrue to a data holder in relation to data once disclosed to an ADR but the data holder does have an obligation to notify a consumer of any disclosure (Privacy Safeguard 10) and continuing obligations under the CDR regime such as to ensure that the data that it has disclosed is correct and accurate (Privacy Safeguard 13). Please see the OAIC’s Privacy Safeguard Guidelines.
Please note that the above is to provide you with general advice about the obligations under the CDR regime. We are not able to give legal advice about your operations, circumstances or potential liability.