In 2019, the Consumer Data Right (CDR) regime was introduced following 2017 recommendations on data portability rights, including those in the Productivity Commission’s report on Data Availability and Use 2017 and the Treasury-commissioned Review into Open Banking in Australia 2017.
The CDR was enacted via the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth) in August 2019 amending the Competition and Consumer Act 2010 (Cth), the Australian Information Commissioner Act 2010 (Cth) and the Privacy Act 1988 (Cth). Together, these amendments established the overarching framework of the CDR regime, empowering the Treasurer to apply the CDR to new sectors of the economy, setting out the roles and functions of relevant regulatory bodies and enshrining minimum privacy protections. The underlying rules of the CDR regime are contained in the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) ("CDR Rules").
The CDR regime is intended to provide consumers (businesses and individuals) with more control over their information, such that they can make better informed decisions with respect to goods and services. The government considered that the implementation of the CDR regime would increase competition, enable consumers to fairly harvest the value of their data and enhance consumer welfare.
Under the CDR regime, consumers can access and share their data with Accredited Data Recipients (ADRs) and limited others (such as CDR Representatives). ADRs are organisations that are accredited by the ACCC and provide goods and services to CDR consumers. The CDR regime is currently active in the banking and energy sectors (with telecommunications, insurance and superannuation currently on pause).
Various developments to the CDR regime have occurred since its introduction, including the implementation of the Amending Rules.
The Amending Rules
A draft of the Amending Rules was first introduced in September 2022 to support further business participation in the CDR regime, to implement other operational enhancements and to expand the CDR regime to the telecommunications sector.
Treasury has since announced that the CDR expansion into the superannuation, insurance and telecommunications sectors is on pause to allow time for the CDR regime to “mature across the banking and energy sectors and to implement lessons learned to date”.
A strategic assessment is planned by Treasury in late 2024 to inform future expansions and the implementation of action initiation for the CDR regime.
The Amending Rules, as passed, focus on supporting business consumer participation and other operational amendments.
The key takeaways of the Amending Rules are set out below.
1. CDR business consumers: The Amending Rules distinguish between individual CDR consumers and CDR business consumers. A CDR business consumer is someone that is not an individual and/or has an active ABN. An ADR must take reasonable steps to confirm whether the consumer is a business or individual. The Amending Rules provide greater choice for the use of CDR data for CDR business consumers, as set out below.
2. Increased data sharing with third parties for businesses: Previously, CDR consumers were restricted to only a limited set of unaccredited parties to which they could ask an ADR to disclose CDR data. This was known as the “Trusted Advisor disclosure consent” and was limited to lawyers, accountants, mortgage brokers and financial advisors. Under the Amending Rules, CDR business consumers may now consent to share their CDR data with a larger range of unaccredited third parties (known as the “Business consumer disclosure consent”). These parties include bookkeepers, consultants and other advisers. These changes will allow business consumers (particularly small businesses) and accounting platforms to participate in the CDR regime. This change will take effect on the earlier of 1 December 2023 and the date relevant data standards are made. Note that it is prohibited to deal with a CDR person as a CDR business consumer before the earlier of these dates.
3. Expanded outsourcing arrangements for CDR Representatives: From 22 July 2023, the Amending Rules allow CDR Representatives to engage ‘outsourced service providers’ (OSPs) to assist the CDR Representative with providing goods and services to CDR consumers using CDR data. Previously, the CDR regime prohibited CDR Representatives from engaging OSPs, meaning that CDR Representatives could not rely on third parties for CDR data management, which limited the ability of CDR Representatives to participate in the CDR regime. For those new to the CDR regime, a CDR Representative is an unaccredited person who has been engaged by an ADR under a written contract that meets the requirements in the CDR Rules. A CDR Representative may then provide goods and services to CDR consumers using the CDR data.
4. Clarifications on OSP arrangements: The Amending Rules also clarify the circumstances in which OSPs can disclose CDR data to third parties. ADRs and CDR Representatives can, from 22 July 2023, engage in multiple OSP arrangements to authorise their OSPs to share CDR data directly with one another. Previously, an OSP was not authorised to share the CDR data with anyone other than the ADR.
5. Extension of business consumer use and disclosure consents: The maximum duration of certain use and disclosure consents given by a CDR business consumer to an ADR has been extended from 12 months to seven years. The previous limitation on the duration of use and disclosure consents to 12 months did not adequately reflect business needs, such as record-keeping obligations and ensuring CDR data could assist in maintaining business operations.
6. Delayed reciprocal data sharing obligations: From 22 July 2023, the Amending Rules delay the requirement for newly accredited persons in the banking sector to respond to consumer data requests, as holders of banking data sets, until 12 months after they become an ADR. Previously, accredited persons were required to respond to such requests as data holders as soon as they became an ADR.
7. Exemption from data sharing obligations: To incentivise CDR data holders to introduce innovative new products in the banking sector, the Amending Rules now enable data holders to publicly offer small-scale pilot products (for up to 1,000 customers and for a 6-month maximum duration) without being subject to data sharing obligations. Only when the pilot product exceeds the customer or duration thresholds will the data become subject to the CDR data sharing obligations.