The Office of the Australian Information Commissioner (OAIC) and the Australian Competition and Consumer Commission (ACCC) have updated their joint Compliance and Enforcement Policy for the Consumer Data Right (CDR). The policy outlines the agencies' priorities, how they encourage compliance and their approach to enforcement.
The policy sets out that, where the OAIC and ACCC consider a breach has occurred, they will take enforcement action proportionate to the seriousness of the breach and the level of harm or potential harm to CDR consumers. The enforcement priorities will include matters that involve the following factors:
- conduct that will, or has the potential to, cause harm to the CDR regime, including undermining consumer trust in the security and integrity of the CDR;
- conduct that will, or has the potential to, result in widespread or substantial detriment to CDR consumers;
- conduct that will, or has the potential to, cause harm to vulnerable consumers;
- conduct that is of significant public interest or concern; and
- conduct by large CDR participants, recognising the potential for greater consumer detriment from breaches by entities that deal with a greater volume of CDR data, or service a greater number of CDR consumers.