Consumer Data Right

The Federal Government's proposed Consumer Data Right regime is the biggest shake-up in data regulation that we've seen in Australia.

The Federal Government looks set to reintroduce legislation to Parliament that, if passed, will establish an 'economy-wide consumer-directed data transfer system'. This is the biggest shake-up of data regulation that we've seen in Australia – and it's hurtling towards us at breakneck speed. We've worked through this complex new proposal to answer the key questions and extract the need-to-knows. What is the new consumer data right? How will it be enforced? And most importantly, what does it mean for your business?

The new CDR framework

  • What is it? At its heart, the Consumer Data Right (CDR) will allow consumers to access certain information held about, or related to, them by designated organisations, and direct that information to be transferred to accredited third parties. 
  • How will it be implemented? The proposed legislation, which involves the insertion of a new part in the Competition and Consumer Act 2010 (Cth) (CCA), creates a regulatory framework for the implementation of a CDR that will largely be administered by the Australian Competition and Consumer Commission (ACCC) – along with a complex web of other agencies (both old and new).
  • Who will regulate it? Roles and responsibilities for administering the regime will cascade down from the Treasurer (who will designate sectors to which the CDR applies), the ACCC (that will develop consumer data rules) and the Office of the Australian Information Commissioner (OAIC) (that will handle privacy complaints and enforce breaches of the privacy safeguards), to a new Data Standards Body (that will create transfer and security standards) and a Data Recipient Accreditor (that will accredit recipients of CDR data).
  • Where is the detail? Most of the detail for entities' participation in the regime as data holders and accredited recipients has been a matter for the ACCC to determine as part of the CDR Rules, which will govern the disclosure, use, accuracy, storage, security and deletion of CDR data, the accreditation of recipients, and reporting and record-keeping requirements. The ACCC released draft Rules for the banking sector on 29 March 2019.
  • What's the timing for rollout? As the Treasury Laws Amendment (Consumer Data Right) Bill 2019 lapsed following dissolution of Parliament for the general election, it is expected that the Government will reintroduce CDR legislation once Parliament resumes. Notwithstanding that no law has been passed, the open banking regime remains scheduled to commence from 1 July 2019 with a pilot program with the Big 4 Banks to share the first tranche of product data, and then the first tranche of consumer data from 1 February 2020. For this reason, it is anticipated that the Government will prioritise the quick passage of CDR legislation.
  • Which sectors will be designated? Open banking is scheduled to commence this year, with major banks being required to make product data relating to credit and debit cards, deposit and transaction accounts available by July 2019. Other ADIs are granted a one year leeway, and will be phased in to the data sharing requirements from July 2020. Beyond open banking, the CDR regime will be rolled out to the energy and telecommunications sectors (with consultations on the energy sector having already commenced). Treasury has not yet confirmed which other sectors will follow – but based on the high quantity of regulated information and friction involved in transferring providers, other sectors could include superannuation, insurance, digital platforms or health. 
  • What does it mean for you? Long-term, the CDR is going to affect all businesses and industries – both in designating data holders required to share consumer data, and permitting entities to become accredited data recipients who can receive designated consumer data in response to a valid consumer request. While its implementation will certainly require new compliance regimes, the CDR also offers significant opportunities for businesses to leverage the ability to share and receive data to develop new use cases, create more tailored products and tap into unprecedented revenue streams.
  • What should you do to prepare? There are practical steps you can take in each of the periods before the CDR applies to your business, after your sector has been designated, and then once the regime kicks in – including considering how to best leverage CDR data, reviewing operations and developing new systems to enable compliance, and implementing capability to respond to consumer directions.