24 February 2020

Guidelines for business on how to safeguard consumers’ privacy under the Consumer Data Right (CDR) have been released by the Office of the Australian Information Commissioner (OAIC) today.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the guidelines aim to help businesses participating in the CDR system understand their privacy obligations to consumers.

“Strong privacy protections have been built into the Consumer Data Right system, which strengthens consumers’ rights to control and use their data and enables greater competition, consumer benefits and economic growth,” Commissioner Falk said.

“Data can only be shared at the consumer’s request, for a specific purpose and for a limited time period. Consumers also have the right to ask for their data to be deleted if the business no longer needs it.”

The Consumer Data Right will first be implemented in the banking sector from July 2020 and will allow consumers to safely transfer their data to accredited recipients so they can compare services. It will then be extended to other sectors of the economy, starting with energy and telecommunications.

The OAIC will regulate and enforce the privacy aspects of the CDR system and handle consumer complaints.

The CDR Privacy Safeguard Guidelines have been finalised following consultation with industry, the Australian Competition and Consumer Commission (ACCC) and other stakeholders. They complement the ACCC’s CDR Rules which came into force on 6 February 2020.

“The CDR Privacy Safeguard Guidelines set out how businesses must protect consumers’ data under the new Consumer Data Right,” Ms Falk said. “They build on Australia’s existing privacy framework and provide detailed guidance for businesses handling consumers’ data in the new system to ensure it is protected.”

The OAIC received a number of submissions providing useful feedback as part of its public consultation on the guidelines from a range of industry and consumer organisations and other key stakeholders.

The OAIC is working closely with the ACCC and the Data Standards Body, Data61, to implement the CDR system in July 2020 and will release more advice for consumers and business on privacy safeguards and complaint processes over coming months.