Australia: Enhancing the Consumer Data Right

Changes to the Consumer Data Right have been implemented, improving access to and use of CDR data by business consumers and making other operational amendments.

In brief

On 22 July 2023, the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2023 ("Amending Rules") commenced.

The Amending Rules enhance the existing Consumer Data Right (CDR) regime for business consumers by improving access to and use of CDR data for businesses and enabling more participants in the CDR regime to use third-party service providers.  


In 2019, the CDR regime was introduced following recommendations in 2017 on data portability rights including in the Productivity Commission’s report on Data Availability and Use 2017, and the Treasury-commissioned Review into Open Banking in Australia 2017.

The CDR was enacted via the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth) in August 2019 amending the Competition and Consumer Act 2010 (Cth), the Australian Information Commissioner Act 2010 (Cth) and the Privacy Act 1988 (Cth). Together, these amendments established the overarching framework of the CDR regime, empowering the Treasurer to apply the CDR to new sectors of the economy, setting out the roles and functions of relevant regulatory bodies and enshrining minimum privacy protections. The underlying rules of the CDR regime are contained in the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) ("CDR Rules").

The CDR regime is intended to provide consumers (businesses and individuals) with more control over their information, such that they can make better informed decisions with respect to goods and services. The government considered that the implementation of the CDR regime would increase competition, enable consumers to fairly harvest the value of their data and enhance consumer welfare.

Under the CDR regime, consumers can access and share their data with Accredited Data Recipients (ADRs) and limited others (such as CDR Representatives). ADRs are organisations that are accredited by the ACCC and provide goods and services to CDR consumers. The CDR regime is currently active in the banking and energy sectors (with telecommunications, insurance and superannuation currently on pause).

Various developments to the CDR regime have occurred since its introduction, including the implementation of the Amending Rules.

The Amending Rules

A draft of the Amending Rules was first introduced in September 2022 to support further business participation in the CDR regime, to implement other operational enhancements and to expand the CDR regime to the telecommunications sector. 

Treasury has since announced that the CDR expansion into the superannuation, insurance and telecommunications sectors is on pause to allow time for the CDR regime to “mature across the banking and energy sectors and to implement lessons learned to date”.

A strategic assessment is planned by Treasury in late 2024 to inform future expansions and the implementation of action initiation for the CDR regime.

The Amending Rules, as passed, focus on supporting business consumer participation and other operational amendments.

The key takeaways from the Amending Rules are below.

Key takeaways

1. CDR business consumers: The Amending Rules distinguish between individual CDR consumers and CDR business consumers. A CDR business consumer is someone that is not an individual and/or has an active ABN. An ADR must take reasonable steps to confirm whether the consumer is a business or individual.  The Amending Rules provide greater choice for the use of CDR data for CDR business consumers, as set out below.

2. Increased data sharing with third parties for businesses: Previously, CDR consumers were restricted to only a limited set of unaccredited parties to which they could ask an ADR to disclose CDR data. This was known as the “Trusted Advisor disclosure consent” and was limited to lawyers, accountants, mortgage brokers and financial advisors. Under the Amending Rules, CDR business consumers may now consent to share their CDR data with a larger range of unaccredited third parties (known as the “Business consumer disclosure consent”). These parties include bookkeepers, consultants and other advisers. These changes will allow business consumers (particularly small businesses) and accounting platforms to participate in the CDR regime. This change will take effect on the earlier of 1 December 2023 and the date relevant data standards are made. Note that it is prohibited to deal with a CDR person as a CDR business consumer before the earlier of these dates.

3. Expanded outsourcing arrangements for CDR Representatives: From 22 July 2023, the Amending Rules allow CDR Representatives to engage ‘outsourced service providers’ (OSPs) to assist the CDR Representative with providing goods and services to CDR consumers using CDR data. Previously, the CDR regime prohibited CDR Representatives from engaging OSPs, meaning that CDR Representatives could not rely on third parties for CDR data management, which limited the ability of CDR Representatives to participate in the CDR regime. For those new to the CDR regime, a CDR Representative is an unaccredited person who has been engaged by an ADR under a written contract that meets the requirements in the CDR Rules. A CDR Representative may then provide goods and services to CDR consumers using the CDR data.

4. Clarifications on OSP arrangements: The Amending Rules also clarify the circumstances in which OSPs can disclose CDR data to third parties. ADRs and CDR Representatives can, from 22 July 2023, engage in multiple OSP arrangements to authorise their OSPs to share CDR data directly with one another. Previously, an OSP was not authorised to share the CDR data with anyone other than the ADR.

5. Extension of business consumer use and disclosure consents: The maximum duration of certain use and disclosure consents given by a CDR business consumer to an ADR has been extended from 12 months to seven years. The previous limitation on the duration of use and disclosure consents to 12 months did not adequately reflect business needs, such as record-keeping obligations and ensuring CDR data could assist in maintaining business operations.

6. Delayed reciprocal data sharing obligations: From 22 July 2023, the Amending Rules delay the requirement for newly accredited persons in the banking sector to respond to consumer data requests, as holders of banking data sets, until 12 months after they become an ADR. Previously, accredited persons were required to respond to such requests as data holders as soon as they became an ADR.

7. Exemption from data sharing obligations: To incentivise CDR data holders to introduce innovative new products in the banking sector, the Amending Rules now enable data holders to publicly offer small-scale pilot products (for up to 1,000 customers and for a 6-month maximum duration) without being subject to data sharing obligations. Only when the pilot product exceeds the customer or duration thresholds will the data become subject to the CDR data sharing obligations.


Copyright © 2024 Baker & McKenzie. All rights reserved.