If you hold consumer data and operate in the banking, energy, and telecommunications sectors, you are likely a data holder under the Consumer Data Regime (CDR). This article outlines some of the privacy obligations you should know as a data holder.
What is CDR?
CDR is a legal regime in Australia that requires businesses in specific industries holding consumer data (data holders) to share that data with accredited third parties (accredited data recipients, or ADRs). The relevant consumer must consent before a company can share the data.
Sharing data is usually so that the ADR can provide a particular service or product. For example, they might analyse data to recommend a more suitable product or service to consumers than those they are currently using. The CDR regime applies to the banking, energy and telecommunications sectors.
The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) regulate participants in the CDR regime. The regime aims to give consumers more control over their data and enhance their ability to compare and change services and products. This, in turn, intends to facilitate more market competition and increase the availability of better, cheaper, and innovative products and services in the Australian market.
Privacy Safeguards, Australian Privacy Principles and Privacy Act
The Privacy Act 1988 (Cth), Australian Privacy Principles (APP) and the Privacy Safeguards apply to data holders depending on the circumstances.
Under Australian law, the Privacy Act and the APP apply if you are a federal government agency or a private company that is not a small business (that is, a business with an annual turnover of less than $3 million). The exception for small businesses does not apply where, among other exceptions, the small business collects and discloses personal information as part of its business.
A data holder must observe the APPs where the CDR data collected and shared by the data holder is also personal information. However, APPs 10 (quality of personal information) and 13 (correction of personal information) are replaced with Privacy Safeguards 11 and 13, which relate to the quality of CDR data and correction of CDR data, respectively. Furthermore, data holders must comply with Privacy Safeguards 1 (openness and transparency) and 10 (notifying of the disclosure of CDR data) in addition to all other privacy obligations.
Privacy Obligations of Data Holders
Data holders have several privacy obligations. We discuss key obligations below, though this is not an exhaustive list.
Openness and Transparency
Data holders must adopt an open and transparent approach to privacy. To this end, data holders must have a CDR policy detailing how the data holder will manage data. The policy must also describe how consumers can access and correct the data the data holder holds on them and how consumers can raise a complaint, including:
- how, where and when a complaint can be lodged;
- how the consumer will receive an acknowledgement of lodging a complaint; and
- the information that the complainant must provide when lodging a complaint.
The data holder may also choose to have a CDR management plan. A CDR management plan is a separate document that sets out specific goals, targets, and procedures that will assist the data holder in meeting its ongoing CDR obligations, including privacy obligations.
Notification of Disclosure of Data
Data holders must notify the relevant consumer where they have disclosed data to an accredited data recipient. You must make this notification on the consumer dashboard. The consumer dashboard is an online service the data holder provides, which the consumer can access. Accredited data recipients also use the dashboard to request that data holders release the data they hold on consumers.
Obligation to Correct Data
Data holders must take reasonable steps to ensure that the data they hold on consumers is accurate, up-to-date and complete. If it is not, they should inform the consumer, take reasonable steps to correct the data and provide the corrected data to any accredited data recipients who were previously given the incorrect data.
Direct Marketing
Data holders must not engage in direct marketing using consumer data unless the consumers affected have provided consent.
Consequences of Breach
The Office of the Australian Information Commissioner (OAIC) and the ACCC are responsible for monitoring data holders to ensure they comply with their privacy obligations. The OAIC and the ACCC may commence an investigation on their own initiative or following a complaint from a consumer. These regulators have several enforcement powers, including:
- issuing infringement notices;
- accepting court-enforceable undertakings;
- seeking court orders; and
- initiating court proceedings.
Key Takeaways
CDR is a new legal regime in Australia requiring organisations that hold data on consumers to disclose the data to accredited third parties if the consumer has consented to the disclosure. The organisations that hold the data (called data holders) must comply with several obligations, including privacy obligations. Where an entity breaches these obligations, the OAIC and the ACCC may take enforcement action against the data holder.
For more information about your privacy obligations as a data holder, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.