
The Consumer Data Right, also known as the CDR, is a new law which will give consumers control over their data. CDR is being rolled out progressively across different industry sectors, starting with the Big 4 banks from 1 July 2020, as part of Open Banking. The energy and telecommunications sectors will follow. Eventually, CDR will apply to numerous sectors in the Australian economy. 

The CDR will change the current processes for moving consumer data between businesses and for providing consumer data to consumers. It is vital that businesses are ready for these changes. In this article, we look at the basics of what the CDR means if your business is affected.

What Rights Does the CDR Create?

The CDR creates the right for consumers to:

  • direct a business to securely transfer their designated data to a trusted recipient; and
  • access their designated data held by a business in a usable form.

Consumers can be individuals and they can also be businesses. Whether you are an individual or business under the CDR depends on whether you are reasonably identifiable from the CDR data.

The CDR also includes 13 Privacy Safeguards which will apply if your business is subject to the CDR. The goal of the Privacy Safeguards is to protect the personal information of consumers handled under the CDR.

Which Data Does the CDR Apply to?

The CDR law has been added into existing competition and consumer law. Further CDR rules and standards will be implemented for each industry sector, and will set out how the CDR applies to that sector. This includes how the CDR will apply to specific data types for that sector. 

For example, in the banking sector, the CDR will apply to consumer usage data for credit and debit card, deposit and transaction accounts. This will later be extended to include mortgage and personal loan data.  

The CDR rules and standards will also designate which businesses the CDR will apply to and from which date it will apply.

For example, in the banking sector, there is a staged rollout. For the Big 4 banks, the requirement to share: 

  • product data started on 6 February 2020;
  • consumer data with accredited recipients will start on 1 July 2020; and
  • consumer data with consumers will start on 1 November 2020. 

Smaller banks will adhere to the CDR in later stages.

Which Businesses Does the CDR Apply to?

As and when CDR rules and standards are implemented for each sector, they will specify which businesses are impacted. The CDR may apply to a business within the sector as a data holder, a data recipient or as a designated gateway.

Data Holders

The CDR will list specific categories of businesses considered to be data holders.

For example, with the rollout in the banking sector, the initial data holders are the Big 4 banks. Later, other authorised deposit-taking institutions will be included.

Data Recipient

Only accredited data recipients can receive data as part of the CDR. Your business must apply to become an accredited data recipient. Therefore, if your business is not a data holder, the CDR is opt-in.

To apply for accreditation, your business must meet the criteria for accreditation identified in the CDR rules.

Your business must use the accreditation portal to submit its application; accreditation is subject to approval by the regulator. 

Once accredited as a data recipient, you will have ongoing obligations to maintain accreditation, such as keeping records, reporting to the regulators and being audited.  

Designated Gateway

The government may select a designated gateway to facilitate data transfer under the CDR. The gateway will transfer data between the data holder and an accredited data recipient. 

It is not expected that businesses will be designated gateways. Instead, it is likely designated gateways will be government-controlled bodies or entities.

What Steps Should Your Business Take Now?

If your business is in the banking sector you should consider whether you are a data holder under the CDR.

You should also consider if you should apply to become an accredited data recipient. Even if your business is not a deposit-taking institution, becoming an accredited data recipient may be beneficial for you. For example, as a fintech business, it may be useful to be eligible to receive consumer data from the banks.

If you will participate in the CDR as a data holder or data recipient, you will need to:

  • produce a customer-facing CDR policy;
  • develop internal policies and procedures on the CDR for your staff;
  • provide training for your staff on the CDR; and
  • review your dispute handling process and IT security if you intend to become accredited and maintain your accreditation.

Who Regulates the CDR?

The CDR will be regulated by two core regulatory bodies. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator with a focus on consumer benefit from the CDR. The Office of the Australian Information Commissioner will work closely with the ACCC, with a focus on privacy by design and strong privacy protections for consumers.

The law includes penalties which may be imposed against businesses for non-compliance.

For corporations, this can be:

  • up to $10 million per breach;
  • three times the value of the benefit obtained as a result of the breach; or
  • if the benefit cannot be calculated, 10% of the corporation’s annual turnover.

Key Takeaways

The CDR introduces new rights for consumers and new considerations for businesses. It will initially only apply in the banking sector and will be rolled out over time. However, now is the time to understand how the CDR may apply to your business. For example, it is useful to consider now whether you should apply to become an accredited data recipient. If so, it is important to understand the criteria for applying and your ongoing obligations, and to prepare the required internal and external documentation.

A LegalVision commercial lawyer can provide you with guidance on how the CDR applies to your business and on the accreditation requirements, and can assist your business with important policies such as your external CDR policy. Just call 1300 544 755 or fill in the form on this page.



About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
