CDR representative model – Privacy obligations of CDR principals
23 December 2021
The CDR representative model is intended to facilitate the participation of a broader array of business models in the CDR system.
It allows an unaccredited person (known as a ‘CDR representative’) to provide CDR goods or services directly to a consumer, where they have a written contract in place with an unrestricted accredited person (known as a ‘CDR principal’).
Under this arrangement, the CDR principal is liable for the actions of the CDR representative. This page outlines the key privacy obligations for CDR principals, which fall under the following topics:
- Collection and disclosure
- Requirements of the written contract
- CDR policy
- Record keeping, reporting and access
- Dispute resolution
These obligations have been introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021) and have been binding since 19 October 2021. The CDR Privacy Safeguard Guidelines will be updated to reflect this content.
These obligations apply in addition to a CDR principal’s privacy obligations as an accredited person and accredited data recipient (for example, to comply with the privacy safeguards).
For information regarding a CDR principal’s accreditation obligations, see the ACCC’s Accreditation Guidelines.
For information on the privacy obligations for CDR representatives, see CDR representative model – Privacy obligations of CDR representatives.
- A CDR principal is a person who has received accreditation at the unrestricted level and has engaged a CDR representative under a written contract that meets the requirements in the CDR Rules.
- A CDR principal collects CDR data on behalf of their CDR representative so that the representative may provide goods or services directly to the consumer using that data.
- While the CDR representative has the consumer-facing relationship, the CDR principal retains obligations in relation to the consumer for a range of matters, including providing the dashboard and notifications. Some of these obligations may be delegated to the CDR representative.
- The written contract is known as a ‘CDR representative arrangement’ in the CDR Rules and must contain the minimum requirements set out in CDR Rule 1.10AA.
- The CDR principal is liable for the actions of their CDR representative, including breaches of the privacy safeguards.
- A CDR principal may have more than one CDR representative.
- For examples of situations in which a CDR principal could engage a CDR representative, see page 17 of the explanatory statement to the amending instrument for the Version 3 CDR Rules.
Collection and disclosure
A CDR principal collects CDR data on behalf of their CDR representative, and discloses that data to the CDR representative so they may provide goods or services to consumers using that data.
A CDR representative is permitted under the CDR Rules to collect CDR data only from their CDR principal. They are not permitted under the CDR Rules to collect CDR data directly from data holders or accredited data recipients (other than their CDR principal).
This section outlines the three key steps that a CDR principal must go through to collect data, and the requirements that apply at each step. The key steps are:
- Receiving a valid request
- Making a consumer data request
- Disclosing data
Valid request
A CDR principal may only collect CDR data on behalf of their CDR representative in response to a ‘valid request’ from the consumer (CDR Rule 4.3A).
A ‘valid request’ is made where the CDR representative has obtained the following consents from a consumer in accordance with Division 4.3 of the CDR Rules (as modified by CDR Rule 4.3C(1)):
- a collection consent for the CDR principal to collect CDR data from a CDR participant
- a use consent:
  - for the CDR principal to disclose that data (once collected) to the CDR representative, and
  - for the CDR representative to provide the requested goods or services to the consumer.
A request is no longer a ‘valid request’ if the consumer withdraws their collection consent. If this occurs, the CDR principal must not collect any CDR data.
If a CDR principal seeks to collect CDR data without a ‘valid request’, they may be in breach of Privacy Safeguard 3.
Consumer data request
Upon receiving a valid request from the consumer, a CDR principal collects CDR data by making a consumer data request to the relevant CDR participant. The requirements for making a consumer data request are outlined in:
- CDR Rule 4.4 (where the data is to be collected from a data holder)
- CDR Rule 4.7A (where the data is to be collected from an accredited data recipient)
The CDR principal must comply with the data minimisation principle when making a consumer data request.
Disclosure
A CDR principal may disclose CDR data collected on behalf of its CDR representative to that CDR representative for the following purposes, being to:
- use the CDR data to provide goods or services (in accordance with a use consent, and the data minimisation principle)
- de-identify data to use for general research or to disclose (including by sale) (in accordance with a use consent)
- transform, analyse or otherwise derive CDR data in order to use the CDR data for the two purposes outlined above
- disclose to the CDR consumer any of their own CDR data, to provide the consumer with the requested goods or services
- otherwise disclose the consumer’s CDR data in accordance with a current disclosure consent
- send the CDR consumer information about the following matters (in accordance with a direct marketing consent):
  - upgraded or alternative goods or services
  - offers to renew existing goods or services
  - information about the benefits of existing goods or services, or
  - information about other goods or services provided by another accredited person, or
- use the CDR data (including by analysing it) in order to send the consumer the above information (in accordance with a direct marketing consent).
See CDR Rules 7.5(1)(h) and 7.5(3)(d) for further information.
While the CDR principal’s role in the CDR representative model is to collect the CDR data, it is the CDR representative that seeks the relevant consents from the consumer, including the consent for the principal to collect the consumer’s CDR data.
A CDR principal must ensure that their CDR representative seeks a consumer’s consents in accordance with Division 4.3 of the CDR Rules, as modified by CDR Rule 4.3C(1). The CDR principal is liable for any breach of Division 4.3 by its CDR representative (CDR Rule 4.3C(2)).
Division 4.3 sets out the requirements for seeking consent, including the processes for asking for consent and restrictions when doing so. As the Division 4.3 requirements are drafted to apply to accredited persons, CDR Rule 4.3C(1) sets out how these are to be modified to apply to an unaccredited CDR representative.
For example, while Division 4.3 usually requires an accredited person to provide the consumer with their accreditation number, CDR Rule 4.3C(1) modifies Division 4.3 to require the CDR representative to provide their CDR principal’s accreditation number (as the representative does not have one).
A CDR principal is liable for its CDR representative’s handling of CDR data. This includes the CDR representative’s collection, use, disclosure and correction of CDR data (see generally Part 7 of the CDR Rules). A CDR principal is also liable for its CDR representative’s actions when seeking consent from consumers (CDR Rule 4.3C(2)).
For example, where a CDR representative uses or discloses CDR data in breach of Privacy Safeguard 6 (s 56EI of the Competition and Consumer Act), the CDR principal will be in breach of that privacy safeguard. This will be the case whether or not the use or disclosure was made in accordance with the written contract between the parties (CDR Rule 7.6(4)). The written contract is explained in the following section.
The CDR Rules that establish a CDR principal’s liability for their CDR representative are CDR Rules 4.3C(2), 7.3(2), 7.3A, 7.6(4), 7.8A, 7.9(5), 7.10A, 7.11(2), 7.12(3) and 7.16.
Requirements of the written contract
A CDR principal must have a written contract with its CDR representative that meets the minimum requirements listed in CDR Rule 1.10AA(2). This written contract is known in the CDR Rules as a ‘CDR representative arrangement’.
The purpose of the written contract is to govern the CDR representative’s handling of CDR data disclosed to it by the CDR principal.
The minimum terms that must be contained in this contract include a requirement for the CDR representative to comply with a number of privacy safeguards (CDR Rule 1.10AA(2)(d)).
A CDR principal must ensure that the CDR representative complies with the requirements of the written contract (CDR Rule 1.16A).
The CDR principal will breach CDR Rule 1.16A if the CDR representative breaches any of the requirements listed in CDR Rule 1.10AA(2).
Additional terms in the written contract
A CDR principal must provide a consumer dashboard for each consumer who has provided a consent in relation to their CDR data.
For consumers that provide their consent to a CDR representative, a CDR principal may choose for the relevant CDR representative to provide the dashboard on their behalf (CDR Rules 1.14(1) and 1.14(5)).
The CDR principal must notify the consumer of the following matters:
- Where a CDR principal collects a consumer’s CDR data on behalf of a CDR representative, they must notify the consumer of that collection under Privacy Safeguard 5.
- Where a CDR representative discloses a consumer’s CDR data, the CDR principal must notify that consumer of the disclosure under Privacy Safeguard 10.
- A CDR principal must also notify the consumer of other matters as set out in subdivision 4.3.5 of the CDR Rules. See Chapter C (Consent) for further information (‘Notification requirements’).
Under CDR Rule 1.14(5), a CDR principal may arrange for the CDR representative to provide the consumer dashboard on its behalf.
CDR policy
A CDR principal must ensure their CDR policy includes:
- a list of their CDR representatives, and
- for each CDR representative, information about the nature of the goods and services provided by that CDR representative using CDR data (CDR Rule 7.2(4)).
Record keeping, reporting and access
A CDR principal must keep and maintain records in relation to each of their CDR representatives. The required records are set out in CDR Rule 9.3(2A).
A CDR principal must prepare and submit a report to the Office of the Australian Information Commissioner and the Australian Competition and Consumer Commission on a bi-annual basis. This report must contain the information set out in CDR Rule 9.4(2A) about each of their CDR representatives. See CDR Rule 9.4 for further information.
Upon request from a consumer, a CDR principal must provide the consumer with a copy of the records containing certain information specified in CDR Rule 9.3(2A), to the extent that information relates to that consumer. See CDR Rule 9.5 for further information.
Dispute resolution
A CDR principal is responsible for dispute resolution in relation to its CDR representatives. Consumers may, however, complain directly to the CDR representative about that CDR representative’s provision of goods or services. Such complaints will trigger the CDR principal’s internal dispute resolution obligations in CDR Rule 5.12(1)(b).