Preparing for an ‘Open’ Economy with the Consumer Data Right Regime

16 December 2022

With the introduction of new regulations aimed at providing better outcomes for consumers, the Consumer Data Right (CDR) introduced ‘Open Banking’. The intention behind the government regime is to increase customer value and redefine competition across various economic sectors. As the CDR requirements and regulations are introduced across Australia in the next few years, it is important for all participants to consider the real consequences of failing to comply.

What is the CDR?

The CDR regime was initially proposed by the Australian Government in 2018 under the Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Cth). The introduction of the regime extended the law concerning data protection in Australia, particularly for consumers. Under the regime, consumers are afforded an increased control over the personal data and information they share with business entities and associated third parties.

Regulatory bodies the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) jointly manage the functionality and implementation of the CDR regime, with the power to issue penalties being granted to the ACCC.

How is the CDR implemented?

As previously mentioned, the CDR has already been implemented in the banking sector, with its initial July 2020 launch limited to the four major authorised deposit-taking institutions (ADIs).

The CDR process involved three separate phases, which are as follows:

  • Phase 1: banking data from various personal accounts of customers are shared;
  • Phase 2: banks share data concerning consumers’ all other personal accounts and home loans; and
  • Phase 3: all remaining banking data is to be shared, including information regarding bank overdrafts and business finance.

Each phase was specific to a category of provider, being Major ADIs, Non-major ADIs and Reciprocal data holders. The same process is expected to be applied across all future sectors, including energy, telecommunications, superannuation and insurance.

Although many banks remain exempt from participating under the CDR, there are almost 80 ADIs recognised as active CDR Data Holders in Australia with that number expected to increase.

What are my rights as a consumer or business under the CDR?

To ensure CDR rules and standards are complied with, businesses and consumers across all sectors have fundamental roles and obligations within the regime.

Rights as a Consumer

A CDR Consumer is broadly defined (including individuals, businesses and trusts) and has two fundamental rights, being:

  • the ability to direct businesses on when to transfer their designated data and to which trusted recipients; and
  • the ability to grant access to all designated data they choose to provide any business in a form that is usable.

Consumers are afforded the control in how their data is transferred under the regime through the creation of the ‘opt-in’ feature. This feature enables a consumer to provide consent and withdraw it at any given time. The purpose of creating a flexible and independent environment for consumers is to allow data to be used to compare providers. For example, consumers within the banking sector are able to compare interest rates and fees between ADIs, allowing consumers to decide whether they wish to remain with their current bank or safely transfer their data to another.

Consumers can share their data through fintech, such as Frollo. This money management app is the first of its kind to be accredited as a CDR data recipient and allows its users to sync all existing bank accounts with various banks’ products to gain a comprehensive understanding of their finances. The app can be downloaded onto ‘smart’ phones and takes a mere 30 seconds to collate 12 months of data.

Accredited Data Recipient and Data Holders

Businesses regarded as Accredited Data Recipients (ADRs) may only receive data upon the acquirement of CDR Consumers Accreditation. The ACCC monitors the accreditation process and determines whether a business satisfies the relevant CDR criteria for the specific industry. All applications are submitted through the CDR Participant Portal and are subject to approval by the regulator.

Data Holders have the important obligation of sharing consumer data with ADRs upon the request of their CDR Consumers and are businesses determined under the specific CDR categories. For example, the four major Australian banks were considered to be the initial Data Holders prior to attaining accreditation under the banking sector, along with other authorised banks.

Further information regarding ADRs and Data Holders can be accessed via the official Consumer Data Right website.

What are my obligations under the CDR?

Whether you are an ADR or a Data Holder, all participants of the CDR are obligated to uphold the Privacy Safeguards and Rules governed by the Competition and Consumer Act 2010 (CCA). A list outlining the 13 Safeguards can be viewed on the OAIC website.

The Privacy Safeguards are legally binding and are intended to protect the privacy rights of consumers and the management of their data. However, the Safeguards only offer a general outline of obligations expected of ADRs and Data Holders. The fundamental responsibilities regarding CDR data can be adduced from the CDR legislation and are as follows:

Legal requirements of ADRsData Holder obligations

  • Define and develop a privacy plan

  • Determine data environment

  • Compliance with security controls

  • Implementation of controls assessment program

  • Reporting of security incidents

  • Readability of data

  • Publications of general data

  • CDR policy

  • Maintenance of data records

  • Submission of reports to ACCC and OAIC

Are there any penalties for breaching the CDR?

Yes, and they are not minor penalties. The Bank of Queensland was the first ADI under the CDR to be issued with an infringement notice of $133,200 for “failing to provide a service enabling consumers’ data to be shared”1.

If the requirements and obligations listed above are not complied with, you may be at risk of being issued with a penalty from the ACCC. Failure to comply can be penalised in various forms, including:

  • infringement notices;
  • accreditation suspension or revocation;
  • court proceedings; or
  • administrative resolutions.

How can I ensure I uphold my obligations under the CDR?

To ease the transition for involved participants, the ACCC has developed free online tools to enable consumers and Data Holders to gain a practical understanding of the CDR. The ACCC’s recently developed tool, the Consumer Data Right Sandbox, creates a mock CDR environment to allow participants to set up their own software solutions and test/develop their processes.

Other tools developed by the ACCC all involve a simulated CDR environment but are intended for specific testing purposes. The Consumer Data Right GitHub is a solution tool that allows businesses to develop and test their CDR-related solutions while the Conformance Test Suite enables participants to assess whether software complies with CDR standards prior to formally entering the CDR system. The ACCC has now made it a requirement for all new participants to successfully complete the Conformance Test Suite before they are active under the CDR.

Recent developments

The Australian Government released draft legislation in September intending to develop the CDR even further. It has been proposed to implement “action initiation”, allowing consumers and businesses to easily and safely open and close accounts, make payments and apply services all through the CDR. Such improvement to the regime is to reduce “complexity, time and cost for consumers”2.

Importantly, the framework governing the CDR was recently exposed to independent statutory review to ensure the rules and regulations truly do uphold the objectives of consumer protection and freedom. The Report released by the Albanese Government on 29 September 2022 noted that the “statutory framework is sufficiently flexible and robust”3.

What now?

As the attention shifts to the energy sector, and the number of accredited entities continue to increase in the banking sector, it is an opportune time for organisations and businesses to consider engaging with the CDR process and become involved within the competitive environment.

Whether you intend on participating in the CDR as a Data Holder or Recipient, it is important you understand the requirements and obligations relevant to your role, along with:

  • preparing a CDR policy;
  • developing policies and procedures regarding the CDR within your business;
  • considering staff training on the CDR; and
  • reviewing IT security and internal dispute handling procedures currently implemented in the business.

If you have any queries or concerns regarding the potential impact of the CDR on your business or as a consumer, please feel free to contact a member of our IP, Technology & Media team for advice and assistance.

This article was written by Luke Dale, Partner and Alexia Daminato, Law Clerk.


Subscribe to HWL Ebsworth Publications and Events

HWL Ebsworth regularly publishes articles and newsletters to keep our clients up to date on the latest legal developments and what this means for your business.

To receive these updates via email, please complete the subscription form and indicate which areas of law you would like to receive information on.

Contact us