Publication date: June 2020

Introduction

1 The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency established under the Australian Information Commissioner Act 2010 (Cth) (AIC Act).

2 The OAIC has a range of functions and powers directed towards protecting the privacy of individuals by ensuring the proper handling of personal information.

3 In 2019, the AIC Act was amended to extend the Information Commissioner’s privacy functions to include the Consumer Data Right (CDR) scheme.[1]

4 The OAIC co-regulates the CDR scheme with the Australian Competition and Consumer Commission (ACCC).

5 The OAIC regulates the privacy aspects of the CDR scheme, and can use a range of investigative and enforcement mechanisms under the Competition and Consumer Act 2010 (Cth) and the Privacy Act 1988 (Cth).

6 The ACCC is responsible for the accreditation process entities must go through to participate in the CDR scheme, including accrediting potential data recipients and establishing and maintaining a Register of Accredited Persons. The ACCC is also responsible for making the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) (the CDR Rules)[2] and has a range of enforcement powers it can use to monitor and ensure compliance with the CDR Rules.

7 As co-regulators of the CDR scheme, the OAIC and the ACCC have jointly published the ACCC and OAIC Compliance and Enforcement Policy for the Consumer Data Right (ACCC and OAIC Compliance and Enforcement Policy). The ACCC and OAIC Compliance and Enforcement Policy aims to help entities understand the approach the ACCC and the OAIC will adopt to encourage compliance and prevent breaches of the CDR regulatory framework.

8 For its core privacy and freedom of information regulatory functions, the OAIC has separate regulatory action policies that set out its approach to using those regulatory powers. The OAIC has therefore developed this CDR regulatory action policy to explain the OAIC’s CDR powers and its approach to exercising them in relation to the CDR scheme, as well as the circumstances in which information about regulatory activities may be communicated publicly.

9 The processes around the exercise of each CDR regulatory power are the same as those outlined in the OAIC’s Guide to privacy regulatory action, which is a useful resource about the procedural steps for exercising the specific regulatory powers.

10 CDR stakeholders, including consumers and regulated entities participating in the CDR scheme, should review the ACCC and OAIC Compliance and Enforcement Policy and this CDR regulatory action policy in conjunction with the relevant regulatory processes outlined in the Guide to privacy regulatory action, for a complete understanding of the OAIC’s CDR regulatory powers, policies and processes.

The CDR scheme and the OAIC’s jurisdiction

11 The CDR scheme allows consumers to access particular data in a usable form and to direct an entity to securely transfer that data to an accredited person.

12 The security and integrity of the CDR scheme are maintained by 13 privacy safeguards that are set out in the Competition and Consumer Act, with further particularisation in the CDR Rules.

13 Entities who are authorised under the CDR scheme to collect, use and disclose CDR data will be bound by the privacy safeguards and the CDR Rules, and may also be bound by the Australian Privacy Principles (APPs) set out in the Privacy Act.[3] Further information about the application of the privacy safeguards can be found in the Privacy Safeguard Guidelines.

14 Part IVD of the Competition and Consumer Act provides the Information Commissioner with a range of regulatory powers in relation to the privacy safeguards and CDR Rules that relate to privacy or confidentiality, for the purpose of administering the privacy related aspects of the CDR scheme. Most of the Information Commissioner’s powers can be delegated to and exercised by staff of the OAIC, and the Information Commissioner is able to delegate certain CDR functions to the ACCC.[4]

15 Further, s 56ET(3) of the Competition and Consumer Act extends the application of the OAIC’s regulatory powers under Part V of the Privacy Act to acts or practices that may be a breach of a privacy safeguard, or a privacy or confidentiality related CDR Rule, in relation to the handling of a consumer’s CDR data.[5]

16 CDR consumers include individuals and small businesses (as defined in the Privacy Act), meaning both individuals and small businesses can make a CDR complaint to the OAIC.[6]

17 This policy relates to the use of CDR regulatory powers conferred on the Information Commissioner by the Privacy Act and the Competition and Consumer Act.

Priorities, goals and principles

Priorities

18 The CDR scheme is intended to allow greater choice and control for Australians over how their data is used and disclosed, by entities they can trust. For this reason, the CDR scheme has extended the protections of the Privacy Act to apply to entities seeking to be accredited to receive CDR data via the CDR scheme.[7]

19 The OAIC’s expectation is that entities participating in the CDR scheme are aware of, and actively comply with, their obligations when they handle CDR data. Further, prior to the commencement of the CDR scheme, some entities may have already been bound by the APPs in the Privacy Act and should therefore have good data handling procedures in place.

20 The ACCC and OAIC Compliance and Enforcement Policy sets out forms of conduct that are likely to result in significant detriment to consumers and the integrity of the CDR scheme, which will always give grounds for the consideration of enforcement action. Those forms of conduct particularly relevant to the OAIC, as the regulator of the privacy aspects of the CDR scheme, are:

  • compliance with the requirement to obtain valid consent before collecting a consumer’s CDR data, and the requirement to only use and disclose CDR data in line with the consent provided
  • instances of intentional misuse of or improper disclosure of CDR data
  • CDR participants that have insufficient controls and processes to protect CDR data.

Goals of taking CDR regulatory action

21 The OAIC’s goal is to prevent and address harm to consumers from the mishandling of CDR data, and to ensure that privacy safeguards are implemented and observed, as set out in section 56EQ of the Competition and Consumer Act.

22 Taking regulatory action also:

  • ensures compliance with the privacy safeguards or CDR Rules relating to privacy or confidentiality, instilling public confidence in the privacy aspects of the CDR scheme
  • increases public knowledge of the privacy rights of consumers, and the obligations on CDR entities, in relation to the handling of CDR data
  • deters conduct that contravenes CDR obligations
  • seeks to address systemic issues[8] that the OAIC or the ACCC has identified.

Principles

23 When taking CDR regulatory action, the OAIC is guided by the following principles outlined in the ACCC and OAIC Compliance and Enforcement Policy:

  • Accountability – we are accountable for our actions, which can be reviewed by a range of agencies including the Commonwealth Ombudsman, Parliamentary Committees and the courts.
  • Efficiency – we strive to perform our roles in an efficient and timely manner to avoid costly delays and uncertainty for consumers and CDR participants.
  • Fairness – we strive to exercise our powers in a manner which is procedurally fair and provides natural justice.
  • Proportionality – our regulatory measures and actions will be proportionate to the conduct and the resulting harm or potential harm.
  • Transparency – to the extent permitted by law, we will be open and transparent about how we use our regulatory powers, what action we take and why. We will ensure that matters finalised by litigation or other formal resolution are made public.

24 The OAIC also strives to be:

  • Targeted – we are efficient in the allocation of resources, taking appropriate action and responsive to risk and public expectations of Commonwealth regulators.
  • Impartial – we are professional, fair and unbiased when exercising our regulatory powers.
  • Agile – we are collaborative and responsive to changes in technology, legislation, risks and the expectations of the community and government.

25 When taking CDR regulatory action, the Information Commissioner will act consistently with general principles of good decision making, as explained in the Best Practice Guides published by the Administrative Review Council.[9] In particular, the OAIC will act fairly and in accordance with the principles of natural justice (or procedural fairness).

26 When dealing with an alleged contravention of a privacy safeguard or CDR Rule that relates to privacy or confidentiality, the OAIC will consider the conduct on a case-by-case basis, having regard to all relevant circumstances.

27 In any litigation the Information Commissioner will act in accordance with the obligation to act as a model litigant in accordance with the Legal Services Directions 2017.[10]

Compliance and enforcement approach

Fostering compliance

28 As set out in the ACCC and OAIC Compliance and Enforcement Policy, the ACCC and OAIC are committed to driving a high level of compliance, to prevent and address consumer harm, and ensure the effective, efficient and lawful operation of the CDR scheme. The following tools will be used to monitor compliance:

  • intelligence received through stakeholders, and any recognised External Dispute Resolution (EDR) scheme
  • complaints
  • mandatory reports entities provide about their participation in and compliance with the CDR scheme
  • audits and assessments conducted on entities to analyse compliance or remedy identified compliance issues or risks
  • issuing information requests or compulsory notices to entities to help inform compliance and enforcement activities.

29 The OAIC and ACCC will work collaboratively by sharing intelligence gathered from CDR enquiries, reports, complaints, assessments and audits, and assess these factors against a risk matrix to inform decisions around enforcement action.

30 The OAIC will further foster compliance by:

  • providing guidance to entities about their obligations under the privacy safeguards or CDR Rules relating to privacy or confidentiality[11]
  • engaging with entities to promote best practice, for example by directing entities to relevant resources, or notifying entities of any potential compliance risks identified and requesting further information from the entity in response.

Investigating an alleged breach

31 The OAIC is required to investigate a complaint made under the Privacy Act about an act or practice that is alleged to be a breach of a privacy safeguard or privacy or confidentiality related CDR Rule, if certain conditions are satisfied (ss 36, 40), and the complaint is not declined under s 41[12] or referred to an alternative complaint body under s 50.

32 The Information Commissioner may, on his or her own initiative, decide to investigate an act or practice that may be a breach of a privacy safeguard or privacy or confidentiality related CDR Rule, or a breach of Privacy Safeguard 1.[13] The Information Commissioner may decide to commence a Commissioner initiated investigation (CII) following a complaint or notification of a data breach incident or may commence a CII independently of any complaint or notification.[14]

33 In investigating a consumer complaint or conducting a CII, the OAIC may use the formal powers conferred by the Privacy Act to require an individual or entity to provide information and documents (s 44).

34 Other investigative powers the Information Commissioner may exercise include powers to:

  • conciliate complaints (s 40A)
  • make preliminary inquiries of any person to determine whether or not to open an investigation (s 42)
  • decide whether or not to hold a hearing in response to a request from a complainant or respondent (for a complaint), or the respondent (for a CII) (s 43A)
  • require a person to attend a compulsory conference (s 46)
  • examine a witness (s 45), or to enter premises (s 68).

Enforcement powers

35 The Competition and Consumer Act extends some of the Information Commissioner’s existing enforcement powers under the Privacy Act to apply to acts or practices that may be a breach of a privacy safeguard or CDR Rule that relates to privacy or confidentiality, and also provides the Information Commissioner with enforcement powers under the Competition and Consumer Act and the CDR Rules.

36 The Information Commissioner’s enforcement powers in relation to the CDR scheme include powers to:

  • conduct an assessment or audit regarding whether CDR participants are managing and handling CDR data in accordance with the privacy safeguards and the CDR Rules that relate to the privacy or confidentiality of CDR data, as set out in s 56ER of the Competition and Consumer Act and CDR Rule 9.6.
  • report to the Minister, the ACCC or the Data Standards Chair in relation to assessments conducted under s 56ER(3) of the Competition and Consumer Act, or report to the Minister in certain circumstances such as following a CII, monitoring activity or assessment as set out in ss 30 and 32 of the Privacy Act.
  • direct accredited data recipients and designated gateways to notify consumers at risk of serious harm, as well as the Information Commissioner, about an eligible data breach. This is because s 56ES(2) extends the application of Part IIIC of the Privacy Act to accredited data recipients and designated gateways, meaning they must comply with the Notifiable Data Breaches scheme set out in Part IIIC of the Privacy Act.
  • make a determination dismissing a consumer complaint or finding the complaint substantiated, and make a range of declarations, including that a consumer is entitled to compensation, as set out in s 52(1) of the Privacy Act. This is because s 56ET of the Competition and Consumer Act extends the Information Commissioner’s investigative powers from Part V of the Privacy Act to acts or practices that may be a breach of a privacy safeguard, or a CDR Rule that relates to privacy or confidentiality.
  • make a determination following a CII, as set out in s 52(1) of the Privacy Act, and make a range of declarations including that an act or practice is a breach of a privacy safeguard or privacy or confidentiality related CDR Rule, that the entity must take a specified action, or that the consumer/s may be entitled to compensation.
  • bring proceedings to enforce a determination (ss 55A and 62 of the Privacy Act)
  • apply to the court for a civil penalty order for contraventions of the privacy safeguards, as set out in s 56EU of the Competition and Consumer Act, and pursuant to Part 4 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (Regulatory Powers Act). The Information Commissioner can also apply to the court for a civil penalty order for a breach of a civil penalty provision from the Privacy Act (s 80U of the Privacy Act and Part 4 of the Regulatory Powers Act).
  • accept and enforce undertakings, set out in s 56EW of the Competition and Consumer Act, and pursuant to Part 6 of the Regulatory Powers Act. The Information Commissioner also has powers to accept and enforce undertakings in relation to the Privacy Act (s 80V of the Privacy Act and Part 6 of the Regulatory Powers Act).
  • seek an injunction against a person to enforce the privacy safeguards, set out in s 56EX of the Competition and Consumer Act, and pursuant to Part 7 of the Regulatory Powers Act. The Information Commissioner also has powers to seek an injunction against a person and enforce the Privacy Act (s 80W of the Privacy Act and Part 7 of the Regulatory Powers Act).

37 In addition, s 56EZ of the Competition and Consumer Act provides that the Information Commissioner may delegate CDR enforcement functions or powers to the ACCC. Generally, the OAIC’s preferred regulatory approach is to exercise the CDR enforcement functions or powers within its remit. However, the Information Commissioner may consider delegating some of his or her CDR enforcement functions or powers to the ACCC where it is apparent that the delegation of CDR responsibilities is a more efficient and effective means of ensuring compliance with the privacy aspects of the CDR scheme. The Commissioner will also have regard to the objects of the Privacy Act (set out in s 2A) and the objects of the Consumer Data Right under Part IVD of the Competition and Consumer Act (set out in s 56AA) when considering delegating CDR enforcement functions to the ACCC.

38 It is open to the OAIC to use a combination of regulatory powers to address a particular matter.

Factors considered

39 As outlined in the ACCC and OAIC Compliance and Enforcement Policy, the OAIC will take regulatory action proportionate to the seriousness of the breach and the level of harm or potential harm. In deciding whether to take enforcement action, the OAIC will consider each case on its merits and the relevant circumstances.

40 As a co-regulator of the CDR scheme, the OAIC may also engage in consultation with the ACCC, where appropriate, when considering whether to take regulatory action. In particular, given the OAIC and ACCC both have the power to audit CDR participants, and the OAIC has the additional power to conduct assessments, the OAIC will work closely with the ACCC on audits and assessments to ensure that both agencies utilise these powers with a coordinated preventative and proactive approach to compliance, ensuring efficient consideration of the risks while not over-burdening regulated entities with overlapping audit requirements.

41 Where it has a discretion as to whether to take regulatory action, the OAIC will consider potential CDR regulatory action against the risks and select the most appropriate power in the circumstances.

42 Factors the OAIC will take into account in deciding when to take CDR regulatory action, and what action to take, include the following, some of which are in the ACCC and OAIC Compliance and Enforcement Policy:

  • the objects of the Privacy Act (set out in s 2A) and the objects of the Consumer Data Right under Part IVD of the Competition and Consumer Act (set out in s 56AA)
  • the seriousness of the incident or conduct to be investigated (or the potential impact of a proposal), including:
    • the nature and extent of the conduct constituting the breach, including the period over which the conduct occurred and the number of related breaches
    • the size of the business engaging in the conduct, due to the greater potential for consumer detriment
    • the impact of the conduct, including harm or increased risk of harm to consumers
    • whether the conduct was deliberate, repeated, reckless or inadvertent
    • whether the conduct involved, or was directed or overseen by, senior management
    • the extent of any realised or potential future gain from the conduct
    • whether the conduct requires urgent action or intervention by the OAIC
  • whether the conduct indicates systemic issues that may pose ongoing compliance or enforcement risks
  • whether action is already being taken to address the issue by another enforcement agency or other organisation (for example, an EDR body)
  • the actions of the entity in relation to the conduct, including whether the conduct was self-reported, the timing of the self-report and whether the entity has taken any action to rectify the breach and avoid reoccurrence
  • whether the entity has displayed a corporate culture of compliance, including effective compliance programs, and whether corrective measures have been taken in response to any past breaches
  • the specific and general educational, deterrent or precedent value of enforcement action, including whether pursuing court action (where applicable) would test or clarify the law
  • the level of public interest or concern relating to the conduct, proposal or activity (with regulatory action more likely to be taken where significant public interest or concern exists)
  • the time since the conduct occurred
  • where relevant, whether there is adequate evidence available and admissible in a court to prove a contravention on the balance of probabilities
  • any other factors which the OAIC considers relevant in the circumstances, including factors which are relevant to the specific regulatory power being used.

Sources of information

43 In addition to responding to matters that are brought to the OAIC’s attention through a complaint, audit or assessment, the OAIC will also utilise a range of other methods to identify systemic or serious issues that may warrant CDR regulatory action. The OAIC will reference a range of sources for this purpose, including:

  • CDR complaint and data breach notification trends
  • international developments
  • media reports
  • informants
  • surveys
  • privacy audits and assessments
  • CIIs
  • credit reporting body annual reports
  • information from other enforcement bodies such as the ACCC, and from recognised EDR bodies
  • reports from CDR data holders and accredited data recipients which provide a range of information, including a summary of CDR complaint data.

44 The information may also be used to identify risks in particular sectors covered by the CDR scheme, or recurring acts or practices, that warrant CDR regulatory action. In such cases, CDR regulatory action will be taken to mitigate the risks to the protection and handling of the privacy aspects of CDR data. For example, if its complaint statistics showed that a significant number of CDR complaints relate to a particular industry covered by the CDR scheme, that industry may be identified for further investigation and possible regulatory action.

Public communication as part of CDR regulatory action

45 Public communication of the work of the OAIC is an important element in CDR regulatory action, as it:

  • encourages CDR compliance by increasing awareness and knowledge of CDR rights and obligations, and deterring breaches of the privacy safeguards or CDR Rules that relate to privacy or confidentiality
  • promotes public confidence in the regulatory activities of the OAIC, by publicising actions taken to address breaches of the privacy safeguards or CDR Rules that relate to privacy or confidentiality and entities that are not complying with their privacy related obligations under the CDR scheme, and
  • ensures transparency and accountability around the OAIC’s use of its CDR regulatory powers.

Communications approach

46 A decision to publicly communicate information will be guided by the principles outlined in this policy. In addition, the OAIC will strive to ensure that:

  • all public statements are accurate, fair and balanced
  • it is clear that an allegation of a breach of a privacy safeguard or privacy or confidentiality related Rule is no more than an allegation until substantiated by the OAIC, a tribunal or a court
  • all public statements comply with the OAIC’s legal obligations, including privacy, confidentiality and secrecy obligations and court or tribunal orders, and
  • if the OAIC has previously commented publicly that it is investigating an alleged CDR breach by an entity, and later finds that a CDR breach was not substantiated, a public statement to that effect will generally be made.

47 The OAIC is committed to dealing fairly with any entity that may be the subject of CDR regulatory action when making any public statement relating to that regulatory action. The OAIC is mindful of the negative inferences and reputational damage to an entity that may arise from the fact that an investigation has been opened or that a breach of a privacy safeguard or privacy or confidentiality related Rule has been alleged.

48 Where making a public statement in connection with CDR regulatory action, the OAIC will aim to contact the respondent entity in advance of making the statement if it is possible and appropriate in the circumstances. However, it will generally not provide an individual or entity with an assurance that the OAIC will not publicise its regulatory action or that it will always give advance warning.

49 To the extent possible, the OAIC will publish reports and other documents relevant to the exercise of regulatory powers in full or in an abridged version on the OAIC website. It is sometimes inappropriate to publish all or part of a report or document because of statutory secrecy provisions or for reasons including privacy, confidentiality, commercial sensitivity, security or privilege.

Examples of communications

50 The OAIC may publicly communicate the outcome of CDR regulatory action, in the following ways:

  • issuing a public report following an audit or assessment
  • publishing a determination made by the Information Commissioner
  • publishing an enforceable undertaking accepted by the Information Commissioner
  • issuing a public statement at the commencement and conclusion of a CII
  • publishing de-identified complaint resolution outcomes
  • issuing a public statement where the OAIC commences court proceedings and upon finalisation of those proceedings.

51 The OAIC generally will not comment publicly about ongoing complaint investigations, complaint conciliations, CIIs, the content of data breach notifications or the exercise of investigative powers. However, where a particular incident is of sufficient community concern, or has already been reported in the media, the OAIC may confirm publicly that it is investigating or making inquiries in relation to the matter, but will not generally comment further until the inquiry or investigation is complete. The OAIC may also comment publicly on a particular incident where there is a public interest in it doing so, for example to enable members of the public to respond to a data breach.

52 The OAIC will publish statistics which reflect both its privacy regulatory action processes and regulatory outcomes, which extends to the CDR scheme.[15] These statistics will be contained in the annual report, and include:

  • complaints received
  • the stage at which complaints were closed
  • complaints declined via the various decline powers contained in s 41 of the Privacy Act
  • complaint outcomes
  • CIIs undertaken
  • data breach notifications received, and
  • audits or assessments undertaken.

Working with other complaint handling and regulatory bodies

53 The OAIC will work in partnership with other regulators, recognising the practical and resource advantages in doing so. This may include agreeing to a written protocol or principles for collaboration, regular communication about privacy issues related to the CDR scheme, sharing information and experience, and coordinating the regulatory processes of the OAIC with other regulators. However, the OAIC will always operate within its legislative framework, including limits on its ability to share information.

54 In carrying out its CDR regulatory functions, the OAIC may engage with other relevant agencies, such as the Treasury, which is responsible for designating the sectors to which the CDR scheme applies, and the Data Standards Body[16] appointed by the Treasurer. The Data Standards Body is responsible for setting the technical standards relating to transmission of data, data format, information security and consumer experience associated with the CDR scheme.

55 The CDR scheme applies a ‘no wrong door approach’, whereby if the OAIC or ACCC, as co-regulators of the scheme, receive a matter that is best dealt with by the other regulator, or by an EDR scheme, the matter will be transferred across to that body.[17] Further information about the OAIC’s complaint handling process that applies to CDR complaints, including the transfer of complaints, can be found in Chapter 1 of the Guide to privacy regulatory action.

Interaction with the ACCC

56 The OAIC and the ACCC each have compliance and enforcement responsibilities in relation to the CDR scheme, as it concerns both competition and consumer matters as well as the privacy and confidentiality of consumer data.

57 Section 29(2)(aa)(iv) of the AIC Act allows the OAIC to disclose information to the ACCC that is acquired when undertaking a CDR function, or any information held by the OAIC that is relevant to the ACCC’s regulatory functions under the CDR scheme.

58 Similarly, s 157AA of the Competition and Consumer Act allows the ACCC to disclose any information that is relevant to the OAIC’s regulatory functions under the CDR scheme to the Information Commissioner.

59 Consequently, the OAIC has ongoing engagement with the ACCC in its capacity as the co-regulator of the CDR scheme.

Interaction with EDR schemes

60 Section 50 of the Privacy Act provides that the Information Commissioner may transfer a complaint to an alternative complaint body, which includes, amongst other bodies, recognised EDR schemes.

61 Under s 56DA of the Competition and Consumer Act, the ACCC may recognise an EDR scheme to handle particular CDR related disputes.

62 Where the OAIC receives a CDR complaint that is more appropriately dealt with by an EDR body, the matter will be transferred directly to the recognised EDR scheme, pursuant to s 50 of the Privacy Act.

63 EDR schemes provide reporting information to the ACCC and OAIC outlining the number of CDR complaints received in a specified period and the types of issues raised. The information may be used to identify and address sector specific risks.

64 Generally, the OAIC will seek to work in partnership with EDR schemes that the ACCC has recognised to handle CDR complaints, with a view to achieving consistent and efficient regulatory outcomes. The OAIC will seek to implement open communication practices to ensure information and experience is shared between the OAIC and the schemes, and that clear procedures are established to enable information about complaints to be transmitted.

Interaction with foreign regulators

65 Many privacy threats and challenges extend beyond national boundaries. A coordinated and consistent global response can be an effective regulatory response to a global privacy issue.

66 In dealing with privacy risks associated with the CDR scheme that transcend national boundaries, there can be practical and resource advantages in liaising with other global privacy or competition regulators to avoid duplication by sharing information.

67 The OAIC will seek to work in partnership with privacy or competition regulators in foreign jurisdictions where there is a shared interest in working together to address privacy risks related to the operation of the CDR scheme. Through such partnerships, the OAIC will share knowledge and expertise with a view to ensuring a consistent and harmonised approach to regulatory action. If appropriate, it may coordinate regulatory activities and share investigative information with foreign privacy or competition regulators. Where information is shared, only necessary information will be shared and the information exchange will occur under an information sharing arrangement which protects the confidentiality of the information.

68 As part of this commitment to international cooperation and privacy enforcement, the OAIC will continue to actively engage with global privacy networks, including the Global Privacy Assembly, the Asia Pacific Privacy Authorities Forum (APPA), the Global Privacy Enforcement Network (GPEN) and the APEC Cross Border Privacy Enforcement Arrangement.

Footnotes

[1] Section 9(1)(b) of the AIC Act.

[2] The CDR Rules are an instrument made under s 56BA of the Competition and Consumer Act.

[3] This will be the case for entities that are existing Australian Privacy Principle entities, or where a small business that becomes an accredited data recipient becomes an organisation bound by the Privacy Act, see s 6E(1D).

[4] See s 25 of the AIC Act, s 56EZ of the Competition and Consumer Act, and paragraph 37 of this policy.

[5] Section 56ET(1)(e) of the Competition and Consumer Act.

[6] Note that this only applies in relation to CDR complaints, and that small businesses cannot make complaints about any other act or practice that may be an interference with privacy as defined in s 13 of the Privacy Act. An individual may make a complaint under s 36 of the Privacy Act, and “individual” is defined in s 6 of the Privacy Act to mean a natural person.

[7] Section 6E(1D) of the Privacy Act.

[8] A systemic CDR issue is an issue that may have implications or an effect beyond a particular incident. This may occur where an incident indicates there is an ongoing or underlying problem with practices, procedures or systems that relate to CDR compliance, adherence to those practices, procedures or systems, or with attitudes to CDR compliance.

[9] The Administrative Review Council Best Practice Guides are published at the Administrative Review Council Publications page.

[10] The obligation to act as a model litigant extends to Commonwealth agencies involved in merits review proceedings (Appendix B to Legal Services Directions 2017).

[11] Section 56EQ of the Competition and Consumer Act.

[12] The OAIC’s approach to using the decline powers in s 41 is outlined in the Guide to privacy regulatory action. Circumstances in which a complaint may be declined include where it is frivolous, vexatious, misconceived, lacking in substance or not made in good faith; an investigation is not warranted having regard to all the circumstances; the complaint was made more than 12 months after the complainant became aware of the relevant act or practice; and the complaint would be more effectively or appropriately dealt with by a recognised external dispute resolution scheme.

[13] See s 56ET of the Competition and Consumer Act, and s 40(2) of the Privacy Act.

[14] For more information on when a CII may be commenced, see Chapter 3 of the Guide to privacy regulatory action.

[15] Section 30 of the AIC Act.

[16] Data61 was appointed to be the Data Standards Body for the CDR Scheme.

[17] Section 29(2)(aa)(iv) of the AIC Act, s 157AA of the Competition and Consumer Act and s 50 of the Privacy Act.