The privacy and competition watchdogs have outlined how they plan to enforce the rules and laws surrounding the Consumer Data Right, which will be launched into the banking sector in July.
The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) will crack down on misuse of data as part of the open banking scheme, and have outlined how the various legislation, rules and standards will be enforced.
The Consumer Data Right (CDR) lays the groundwork for more streamlined data-sharing in several industries, with an aim of giving consumers control of their own personal information. It will first be applied to the banking sector.
Open banking officially launches from July 1, with ACCC chair Rod Sims saying the framework was more important in the context of the COVID-19 pandemic environment.
In the Consumer Data Right Compliance and Enforcement Policy, the ACCC and OAIC detail the rules intended to improve community trust and confidence so that the scheme is successful.
“A strong regulatory framework is in place to protect privacy and build public confidence in the Consumer Data Right, and the Compliance and Enforcement Policy provides increased certainty about how we will uphold these consumer protections,” Australian Information Commissioner Angelene Falk said.
“Economic reforms like the CDR which build consumer confidence in the use of their personal information and encourage innovation will be critical to our recovery after the COVID-19 outbreak.”
The agencies will be able to issue administrative solutions, infringement notices and court-enforceable undertakings, suspend CDR accreditation and launch court proceedings against anyone found to have violated the CDR rules and laws.
They will use a number of information sources and monitoring tools to oversee the scheme, including complaints and feedback from stakeholders and the public, business reporting, audits and assessments, and information requests and compulsory notices.
“Consumers must be confident that the CDR regime works as intended and that the regulatory framework put in place will protect their interests,” the policy states.
“Consumers should be able to trust that we are monitoring and enforcing CDR participants’ compliance with the relevant laws, rules and data standards. This is particularly important as the CDR is rolled out more broadly.”
The agencies acknowledge they will not be able to pursue every breach of CDR rules, and that they will prioritise those found to cause significant damage. These include breaches that involve a data holder refusing to hand over the relevant data, misleading or deceptive conduct surrounding the scheme, the misuse of consumer data and entities with insufficient security controls.
“We cannot pursue all matters that come to our attention. Our role is to focus on those circumstances that will, or have the potential to, cause significant harm to the CDR regime or result in widespread consumer detriment,” it said.
“We prioritise and focus on matters that provide the greatest overall benefit to consumers. In deciding whether to take enforcement action, we will consider each case on its merits and the relevant circumstances.”
The agencies will also consider the extent of the conduct constituting a breach, the size of the businesses involved, whether it was a deliberate act, whether it was overseen by senior management and if it was the result of systemic issues, when looking at pursuing enforcement and compliance action.
Open banking is set to officially launch at the start of July, with banks expected to have limited banking data available for participating and accredited FinTechs and other third parties to access with permission from the user.