Stay in the know
We’ll send you the latest insights and briefings tailored to your needs
The Competition and Consumer (Consumer Data Right) Rules 2020 (the Rules) were recently amended to allow accredited third party service providers to provide additional services within the Consumer Data Right (CDR) ecosystem.1 Subject to consumer consent, the amendments permit accredited intermediaries to collect CDR data from data holders (in addition to using or disclosing CDR data) on behalf of accredited data recipients (ADRs).
The role of intermediaries in facilitating the implementation of the CDR regime has been an ongoing area of focus, including in public consultations undertaken by the Australian Competition and Consumer Commission (ACCC) earlier this year. This reflects the “important role of intermediaries in facilitating the efficient and secure collection of data.”2
Before the recent amendments were implemented, the Rules already provided for CDR outsourcing arrangements which allow an ADR to disclose CDR data to an outsourced service provider (OSP), who can then use or disclose that CDR data on the ADR’s behalf. Such data sharing benefits ADRs by enabling OSP-provided capability and capacity such as data infrastructure and tools to derive novel insights.
Under the amended Rules, the scope of CDR outsourcing arrangements has been expanded to allow an intermediary accredited to the ‘unrestricted’ level (the Provider) to not only use and disclose, but also collect CDR data on behalf of an ADR (the Principal), with the consent of a CDR consumer. This type of outsourcing structure is called a Combined Accredited Person (CAP) arrangement.
The amendments seek to:
As both Principals and Providers are accredited persons, they must comply with all of the obligations for accredited persons under the Rules. However, for certain obligations in relation to CDR data, the two parties to a CAP arrangement can determine who is best placed to fulfil the relevant obligation on behalf of both entities. For example, either the Principal or Provider can provide the CDR consumer with a CDR receipt to satisfy this requirement under the Rules for both entities. This said, each party must still fulfil certain ongoing accreditation requirements (e.g. regarding insurance and information security) on their own accord.
The amended Rules also apply strengthened measures to promote data security and transparency. In the process of giving consent to a Principal, CDR consumers must be provided with the relevant Provider’s name and accreditation number. Accordingly, although a Principal will remain the consumer-facing entity, the Provider’s role will always be known to the CDR consumer, promoting transparency within the CDR ecosystem.
The amendments also impose two new minimum information security controls for CDR outsourcing arrangements:
These additional protections are intended to ensure that CDR data remains protected at all points in the CDR ecosystem.
While both Principals and Providers are subject to normal CDR privacy safeguards and general accreditation requirements, the amendments also make clear that ultimate responsibility for fulfilling key CDR obligations rests with Principals. Accordingly, Principals are liable for any acts and omissions of Providers (as is the case when ADRs outsource services to OSPs), even if Providers act beyond the scope of their engagement. Including contractual controls may help to reduce this risk, but it does not completely mitigate regulatory or reputational risk for Principals. Accordingly before entering into CDR outsourcing arrangements with Providers, Principals should consider:
The amendments to the Rules (which entered into force on 2 October 2020) are an important step towards facilitating greater participation of intermediaries in the CDR ecosystem, while still maintaining high standards for accreditation and security. Allowing entities to participate in the CDR ecosystem at lower accreditation levels is likely the next critical step to further opening up the CDR ecosystem and promoting more innovative service offerings that will benefit CDR consumers.
The ACCC are currently consulting on an expansion of the Rules, including to address this next step, and is hoping to further amend the Rules to address this issue in December this year. Accordingly it is more important than ever for interested entities to proactively consider what functions they want to play in the CDR ecosystem and what actions they may need to take to achieve that role.
For more information on the CDR, visit our dedicated hub.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024
We’ll send you the latest insights and briefings tailored to your needs