The Consumer Data Right, also known as the CDR, is a new law which will give consumers control over their data. CDR is being rolled out progressively across different industry sectors, starting with the Big 4 banks from 1 July 2020, as part of Open Banking. The energy and telecommunications sectors will follow. Eventually, CDR will apply to numerous sectors in the Australian economy. 

The CDR will change the current processes for moving consumer data between businesses and for providing consumer data to consumers. It is vital that businesses are ready for these changes. In this article, we look at the basics of what the CDR means if your business is affected.

What Rights Does the CDR Create?

The CDR creates the right for consumers to:

  • direct a business to securely transfer their designated data to a trusted recipient; and
  • access their designated data held by a business in a usable form.

Consumers can be individuals and they can also be businesses. Whether you are an individual or business under the CDR depends on whether you are reasonably identifiable from the CDR data.

The CDR also includes 13 Privacy Safeguards which will apply if your business is subject to the CDR. The goal of the Privacy Safeguards is to protect the personal information of consumers handled under the CDR.

Which Data Does the CDR Apply to?

The CDR law has been added into existing competition and consumer law. Further CDR rules and standards will be implemented for each industry sector, and will set out how the CDR applies to that sector. This includes how the CDR will apply to specific data types for that sector. 

For example, in the banking sector, the CDR will apply to consumer usage data for credit and debit card, deposit and transaction accounts. This will later be extended to include mortgage and personal loan data.  

The CDR rules and standards will also designate which businesses the CDR will apply to and from which date it will apply.

For example, in the banking sector, there is a staged rollout. For the Big 4 banks, the requirement to share: 

  • product data started on 6 February 2020;
  • consumer data with accredited recipients will start on 1 July 2020; and
  • consumer data with consumers will start on 1 November 2020. 

Smaller banks will adhere to the CDR in later stages.

Which Businesses Does the CDR Apply to?

As and when CDR rules and standards are implemented for each sector, they will specify which businesses are impacted. The CDR may apply to a business within the sector as a data holder, a data recipient or as a designated gateway.

Data Holders

The CDR will list specific categories of businesses considered to be data holders.

For example, with the rollout in the banking sector, the initial data holders are the Big 4 banks. Later, other authorised deposit-taking institutions will be included.

Data Recipient

Only accredited data recipients can receive data as part of the CDR. Your business must apply to become an accredited data recipient. Therefore, if your business is not a data holder, the CDR is opt-in.

To apply for accreditation, your business must meet the criteria for accreditation identified in the CDR rules.

Your business must use the accreditation portal to submit its application; accreditation is subject to approval by the regulator. 

Once accredited as a data recipient, you will have ongoing obligations to maintain accreditation, such as keeping records, reporting to the regulators and being audited.  

Designated Gateway

The government may select a designated gateway to facilitate data transfer under the CDR. The gateway will transfer data between the data holder and an accredited data recipient. 

It is not expected that businesses will be designated gateways. Instead, it is likely designated gateways will be government-controlled bodies or entities.

What Steps Should Your Business Take Now?

If your business is in the banking sector, you should consider whether you are a data holder under the CDR.

You should also consider if you should apply to become an accredited data recipient. Even if your business is not a deposit-taking institution, becoming an accredited data recipient may be beneficial for you. For example, as a fintech business, it may be useful to be eligible to receive consumer data from the banks.

If you will participate in the CDR as a data holder or data recipient, you will need to:

  • produce a customer-facing CDR policy;
  • develop internal policies and procedures on the CDR for your staff;
  • provide training for your staff on the CDR; and
  • review your dispute handling process and IT security if you intend to become accredited and maintain your accreditation.

Who Regulates the CDR?

The CDR will be regulated by two core regulatory bodies. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator with a focus on consumer benefit from the CDR. The Office of the Australian Information Commissioner will work closely with the ACCC, with a focus on privacy by design and strong privacy protections for consumers.

The law includes penalties which may be imposed against businesses for non-compliance.

For corporations, this can be:

  • up to $10 million per breach;
  • three times the value of the benefit obtained as a result of the breach; or
  • if the benefit cannot be calculated, 10% of the corporation’s annual turnover.

Key Takeaways

The CDR introduces new rights for consumers and new considerations for businesses. It will initially only apply in the banking sector and will be rolled out over time. However, now is the time to understand how the CDR may apply to your business. For example, it is useful to consider now whether you should apply to become an accredited data recipient. If so, it is important to understand the criteria for applying and your ongoing obligations, and to prepare the required internal and external documentation.

A LegalVision commercial lawyer can provide you with guidance on how the CDR applies to your business, the accreditation requirements and assist your business with important policies such as your external CDR policy. Just call 1300 544 755 or fill in the form on this page.

Jacqueline Gibson