
Key Privacy Obligations as an Accredited Data Recipient

The Consumer Data Right (CDR) regime allows fintech businesses to use data to offer various innovative services and products. However, as the activities in the CDR regime involve handling personal information and other related data, any fintech business wanting to engage in the regime must comply with various privacy-related obligations. This article discusses the privacy obligations that any fintech business wanting to operate as an accredited data recipient (ADR) should know. 

What is CDR? 

CDR is a legal regime in Australia that requires businesses in specific industries holding consumer data (called data holders) to share those data with accredited third parties (ADRs). The relevant consumer must consent before data holders can share information about their consumers. 

A data holder would typically share data so that the ADR can provide a particular service or product. For example, the ADR might analyse the data to recommend a product or service better suited to the consumer than the one they currently use. The CDR regime currently applies to the banking sector and will later extend to the energy and telecommunications sectors. 

The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) regulate participants in the CDR regime. The regime aims to give consumers more control over their data and enhance their ability to compare and change services and products. This, in turn, aims to facilitate more market competition and increase the availability of better, cheaper, and innovative products and services in the Australian market. 

Privacy Obligations of ADRs

Accredited third parties that receive data to provide services to consumers have several privacy obligations, known as the ‘Privacy Safeguards’. These obligations are largely similar to the Australian Privacy Principles, but fintech businesses need to consider them carefully to avoid being in breach. 

We discuss some of the privacy obligations applying to ADRs below.

Please note the following is not an exhaustive list.

Collection of Data

ADRs can only collect consumer data with that consumer’s consent, which the consumer can withdraw at any time. The ADR must provide enough information to the consumer to enable them to give informed and voluntary consent. The ADR must also only use the data for a purpose that the consumer has agreed to and should not collect any more data than is required to fulfil that purpose. 

Openness and Transparency

ADRs must adopt an open and transparent approach to privacy. To this end, ADRs must have a CDR policy that details how the ADR will use, collect and manage data. For example, the policy must include:

  • the classes of data that the ADR will hold; 
  • the purposes for which the ADR will collect, hold and use data; 
  • how consumers can access or correct data that the ADR holds; and 
  • how consumers can lodge a complaint with the ADR. 

ADRs should make their CDR policy available free of charge to consumers. The ADR may also choose to have a CDR management plan. A CDR management plan is a separate document that sets out specific goals, targets, and procedures that will assist the ADR in meeting its ongoing CDR obligations, including privacy obligations. 

Anonymity and Pseudonymity

ADRs must allow consumers to use the ADR’s services anonymously or under a pseudonym, so that their data is de-identified. However, this does not apply where it is impracticable to deal with the consumer without identifying them, or where the ADR is legally required or otherwise authorised to identify the consumer.

Unsolicited Data

If an ADR receives unsolicited consumer data, it must destroy that data. The same applies to any data the ADR is not obligated to retain under the law. ‘Unsolicited’ data means any data the ADR did not request from a data holder after obtaining the relevant consumer’s consent. 

Direct Marketing 

ADRs must not use consumer data for direct marketing without the relevant consumer’s consent unless otherwise permitted by law. 

Misuse of Data

ADRs must take reasonable steps to ensure that consumer data collected are not misused, disclosed, subjected to unauthorised access, or lost. To mitigate the risk of data misuse, ADRs must have the appropriate information security technology and procedures to ensure that the data are protected. 

Consequences of Breach

The OAIC and ACCC may commence an investigation and take enforcement action following a breach of any CDR obligations, including privacy obligations. The OAIC is the primary regulator monitoring ADRs’ compliance with their privacy obligations. These regulators have several enforcement powers, including:

  • issuing infringement notices; 
  • requiring the ADRs to provide a court-enforceable undertaking; 
  • seeking court orders;
  • suspending or revoking the ADR’s accreditation; and 
  • initiating court proceedings. 

Key Takeaways

The Consumer Data Right (CDR) is a legal regime under Australian law requiring businesses that hold consumer data to share those data with accredited third parties where the consumer has consented to the sharing. The accredited third parties that accept consumer data have a number of obligations, including privacy-related obligations. The OAIC and ACCC may take enforcement action against an accredited data recipient that breaches its privacy obligations.

For more information about your privacy obligations as an accredited data recipient, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Stebin Sam