Reading time: 6 minutes

The Consumer Data Right, also known as the CDR, is a new law which will give consumers control over their data. CDR is being rolled out progressively across different industry sectors, starting with the Big 4 banks from 1 July 2020, as part of Open Banking. The energy and telecommunications sectors will follow. Eventually, CDR will apply to numerous sectors in the Australian economy. 

The CDR will change the current processes for moving consumer data between businesses and for providing consumer data to consumers. It is vital that businesses are ready for these changes. In this article, we look at the basics of what the CDR means if your business is affected.

What Rights Does the CDR Create?

The CDR creates the right for consumers to:

  • direct a business to securely transfer their designated data to a trusted recipient; and
  • access their designated data held by a business in a usable form.

Consumers can be individuals and they can also be businesses. Whether you are an individual or business under the CDR depends on whether you are reasonably identifiable from the CDR data.

The CDR also includes 13 Privacy Safeguards which will apply if your business is subject to the CDR. The goal of the Privacy Safeguards is to protect the personal information of consumers handled under the CDR.

Which Data Do the CDR Apply to?

The CDR law has been added into existing competition and consumer law. Further CDR rules and standards will be implemented for each industry sector, and will set out how the CDR applies to that sector. This includes how the CDR will apply to specific data types for that sector. 

For example, in the banking sector, the CDR will apply to consumer usage data for credit and debit card, deposit and transaction accounts. This will later be extended to include mortgage and personal loan data.  

The CDR rules and standards will also designate which businesses the CDR will apply to and from which date it will apply.

For example, in the banking sector, there is a staged rollout. For the Big 4 banks, the requirement to share: 

  • product data started on 6 February 2020;
  • consumer data with accredited recipients will start on 1 July 2020; 
  • consumer data with consumers will start on 1 November 2020. 

Smaller banks will adhere to the CDR in later stages

Which Businesses Does the CDR Apply to?

As and when CDR rules and standards are implemented for each sector, they will specify which businesses are impacted. The CDR may apply to a business within the sector as a data holder, a data recipient or as a designated gateway.

Data Holders

The CDR will list specific categories of businesses considered to be data holders.

For example, with the rollout in the banking sector, the initial data holders are the Big 4 banks. Later, other authorised deposit-taking institutions will be included.

Data Recipient

Only accredited data recipients can receive data as part of the CDR. Your business must apply to become an accredited data recipient. Therefore, if your business is not a data holder, the CDR is opt-in.

To apply for accreditation, your business must meet the criteria for accreditation identified in the CDR rules.

Your business must use the accreditation portal to submit its application; accreditation is subject to approval by the regulator. 

Once accredited as a data recipient, you will have ongoing obligations to maintain accreditation, such as keeping records, reporting to the regulators and being audited.  

Designated Gateway

The government may select a designated gateway to facilitate data transfer under the CDR. The gateway will transfer data between the data holder and an accredited data recipient. 

It is not expected that businesses will be designated gateways. Instead, it is likely designated gateways will be government-controlled bodies or entities.

What Steps Should Your Business Take Now?

If your business is in the banking sector you should consider whether you are a data holder under the CDR.

You should also consider if you should apply to become an accredited data recipient. Even if your business is not a deposit-taking institution, becoming an accredited data recipient may be beneficial for you. For example, as a fintech business, it may be useful to be eligible to receive consumer data from the banks.

If you will participate in the CDR as a data holder or data recipient, you will need to:

  • produce a customer-facing CDR policy;
  • develop internal policies and procedure on the CDR for your staff;
  • provide training for your staff on the CDR; and
  • review your dispute handling process and IT security if you intend to become accredited and maintain your accreditation.

Who Regulates the CDR?

The CDR will be regulated by two core regulatory bodies. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator with a focus on consumer benefit from the CDR. The Office of the Australian Information Commissioner will work closely with the ACCC, with a focus on privacy by design and strong privacy protections for consumers.

The law includes penalties which may be imposed against businesses for non-compliance.

For corporations, this can be:

  • up to $10 million per breach;
  • three times the value of the benefit obtained as a result of the breach; or
  • if the benefit cannot be calculated, 10% of the corporation’s annual turnover.

Key Takeaways

The CDR introduces new rights for consumers and new considerations for businesses. It will initially only apply in the banking sector and will be rolled out over time. However, now is the time to understand how the CDR may apply to your business. For example, it is useful to consider now whether you should apply to become an accredited data recipient. If so, it is important to understand the criteria for applying, your ongoing obligations and to prepare the required internal and external documentation.

A LegalVision commercial lawyer can provide you with guidance on how the CDR applies to your business, the accreditation requirements and assist your business with important policies such as your external CDR policy. Just call 1300 544 755 or fill in the form on this page.


New Kid on the Blockchain: Understanding the Proposed Laws for Crypto, NFT and Blockchain Projects

Wednesday 25 May | 10:00 - 10:45am

If you operate in the crypto space, ensure you understand the Federal Government’s proposed licensing and regulation changes. Register today for our free webinar.
Register Now

How to Expand Your Business Into a Franchise

Thursday 26 May | 11:00 - 11:45am

Drive rapid growth in your business by turning it into a franchise. To learn how, join our free webinar. Register today.
Register Now

Day in Court: What Happens When Your Business Goes to Court

Thursday 2 June | 11:00 - 11:45am

If your business is going to court, then you need to understand the process. Our free webinar will explain.
Register Now

How to Manage a Construction Dispute

Thursday 9 June | 11:00 - 11:45am

Protect your construction firm from disputes. To understand how, join our free webinar.
Register Now

Startup Financing: Venture Debt 101

Thursday 23 June | 11:00 - 11:45am

Learn how venture debt can help take your startup to the next level. Register for our free webinar today.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2022 Law Firm of the Year Winner 2022 Law Firm of the Year - Australasian Law Awards