Lessons From Australia

On 28 May 2025, the Australian Privacy Commissioner (the AU Commissioner) published its first determination in relation to the Australian Consumer Data Right (CDR) regime.  Under this determination, Regional Australia Bank (RAB), as the data holder, was deemed to be responsible for the data processing of its third-party service provider, Biza Pty Ltd (Biza).   

This determination serves as a helpful reminder that organisations that rely on agents, subcontractors or service providers to process data on their behalf will still be responsible for that data processing.  While the outcome is consistent with how the New Zealand Privacy Act 2020 allocates responsibility for an agent's processing of personal information, the determination may be of particular note for the banking sector, as New Zealand's own Customer and Product Data Act 2025 (C and P Data Act) will come into force for the banking sector from 1 December 2025.  

Australian CDR determination

The AU Commissioner's determination relates to a privacy breach where the CDR data of up to 197 consumers was co-mingled and inaccurately disclosed.  This was caused by software issues within systems managed by Biza.  The breach was only identified as a result of an accredited data recipient identifying that a consumer had transactions in their banking history that did not belong to them.   

While the privacy breach occurred due to Biza's data practices, the AU Commissioner found that RAB was liable, despite not being aware of the relevant breaches and not being in a position where it was able to take steps to prevent or address them.  In particular, the AU Commissioner found that the following CDR privacy safeguards had been breached:

  • Safeguard 1: Data holders are required to implement effective data governance frameworks for managing, securing and maintaining the integrity of consumer data.
  • Safeguard 11: Data holders are required to take reasonable steps to ensure that CDR data is accurate, current, and complete.

The determination highlights that outsourcing of data processing does not relieve a data holder of its ongoing responsibility to ensure that the relevant third party is "doing the right thing" and that individuals' data is protected.

Lessons for New Zealand

While there are differences between the Australian CDR regime and the C and P Data Act in New Zealand, this determination demonstrates principles that will also be relevant in the New Zealand context:

  • Outsourcing data processing to a third-party service provider will not relieve data holders of liability for breaches of their obligations under the C and P Data Act (or the New Zealand Privacy Act 2020).
  • Outsourcing decisions need to be made carefully.  In addition to having robust onboarding and due diligence requirements, data holders should ensure that their contractual arrangements with third-party service providers are comprehensive, including in relation to how security risks and data accuracy and reliability will be managed in practice.  It will not be enough for a contract to state that the risk needs to be met by the relevant service provider.
  • Data holders should not assume that "no news is good news".  In practice this requires that there are ongoing audit or assurance frameworks in place to ensure that risks are being managed appropriately.

If you have any questions about this determination or the C and P Data Act, get in touch with one of our team.

This article was co-authored by Alex Chapman (special counsel), Renee Stiles (partner), Keri Johansson (partner) and Emily Newbury (law clerk).