Exterro's Legal GRC Breakdown

Get your daily dose of news, best practices, and technology from Exterro's e-discovery, privacy, and digital forensics experts here.


Data Privacy Alert: Australian Competition and Consumer Commission Issues First Fine Under Consumer Data Right Rules

Created on September 16, 2022

Legal GRC Market Analyst at Exterro

The Consumer Data Right (CDR) Rules enables Australians to use the data businesses hold about them for their own benefit. In July 2022, the Australian Competition and Consumer Commission (ACCC) levied its first fine under the CDR, since the rule has applied to all banks dating from July 2021.


On July 13, 2022, the ACCC issued a fine of AUD 133,200 against the Bank of Queensland Ltd., for its failure to provide a service enabling consumers' data to be shared as required by the Australian CDR. Under the CDR rules, the Bank was required to be in a position to share data for financial products, including savings accounts, term deposits and credit cards, by 1 July 2021. Since the Bank of Queensland didn’t make the data sharing services available until mid-December 2021, its customers were unable to take advantage of services to which they were entitled for over five months.

Under the CDR, consumers have a right to share certain data safely and securely with accredited providers, including financial technology companies and other third parties, who can then use that data to provide customized products and services to consumers. With rising interest rates, consumers benefit from greater access to information and tools to help them compare products and make informed banking decisions—exactly what the CDR aims to do.

Download the Alert Here!

Who It Applies To

While the Bank of Queensland Ltd. is to date the only entity fined under the CDR, the regulation applies to the entire banking industry in Australia. Major banks came under regulation in July 2020 and the rest of the industry in July 2021. The rules also apply to the energy sector and are proposed to roll out in the telecommunications industry next; they will eventually apply to the entire economy. All Australian consumers 18 and older are entitled to the rights enumerated by the CDR; small businesses may avail themselves of the rights to help manage their finances.

What It Covers

In November 2017, the Australian Government introduced the CDR in Australia to allow consumers to have greater access to and control over their data. Its goal is to improve consumers’ ability to compare and switch between products and services, encouraging competition, reducing prices, and driving innovation.


The ACCC and the Office of the Australian Information Commissioner are responsible for ensuring organizations comply with their CDR obligations. The ACCC issued its fine of AUD 133,200 against the Bank of Queensland for its failure to make data sharing services available to its customers until five months past the deadline.

Expert Analysis by Peter Stockburger, Partner, Data Privacy and Security, Dentons 

This pronouncement by the ACCC is part of a trend of rising enforcement of data protection laws throughout the world. Whether your organization is operating in Australia, the United States, or elsewhere in the globe, it’s now more important than ever for organizations of all sizes to re-examine how they collect, use, store, and transfer the data of their consumers, ensure appropriate notices are in place, and implement privacy by design wherever possible and appropriate. In particular, as can be reflected in the ACCC’s decision, an organization’s use and storage of consumer data may be subject to myriad rules and restrictions, which may overlap and/or conflict with obligations elsewhere in the world. To mitigate risk, organizations must understand and map their data environments, ensure appropriate notices and controls are in place, and stay abreast of the latest regulatory pronouncements and legal changes.

Data Privacy Tip 

Make sure you understand the requirements of data subject access requests of all sorts with Exterro’s guide The Basics of Data Privacy: Data Subject Access Requests.