Consumer Data Right


The Consumer Data Right is the name of a legislative, regulatory, and standards framework for consumer data portability in Australia. This framework has been created and introduced by the Australian Government, which is implementing the framework on a sector-by-sector basis.

Background

In May 2017, the Productivity Commission released a report 'Data Availability and Use' that recommended, among other things, a new 'Comprehensive Right' for consumers. This proposed new right would allow consumers to access and correct data about themselves held by product or service providers. It would also allow a consumer to have a machine-readable copy of their consumer data provided either to them or directly to a nominated third party, such as a new service provider.
In November 2017, the Australian Government announced plans to legislate a national 'Consumer Data Right', which would allow customers open access to their banking, energy, phone and internet transactions data.

Legislation

In 2019, the Australian Parliament passed the 'Treasury Laws Amendment Bill 2019' to create the Consumer Data Right ; the bill inserted a new part into the Competition and Consumer Act 2010, and amended the Australian Information Commissioner Act 2010 and Privacy Act 1988.
The CDR legislation
  • provides individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses.
  • authorises secure access to this data by trusted and accredited third parties.
  • requires businesses to provide public access to information on specified products they have on offer.
The CDR legislation establishes a framework to enable the CDR to be applied to various sectors of the economy over time.

Action-initiation reform (2024)

In August 2024, the Parliament of Australia passed the 'Treasury Laws Amendment Act 2024', introducing a major reform to the Consumer Data Right regime. The reform aimed to expand the CDR beyond its original “read-only” data sharing model by enabling consumers to securely instruct accredited third parties to initiate actions—referred to as "action initiation" or "write access"—such as making payments, switching providers, opening or closing accounts, or updating personal details.
The legislation created two new accreditation categories: the Accredited Action Initiator, authorised to submit consumers’ instructions, and the Action Service Provider, authorised to execute those instructions as part of their usual business activities. This marked a shift in the CDR’s scope from data portability to enabling consumer-directed transactions. For instance, FinTech Australia — representing hundreds of fintech businesses — submitted that action initiation could support payments, updating contact details, and product switching to improve consumer outcomes. Likewise, accredited fintech providers such as WeMoney have discussed the potential for action initiation to support streamlined product switching and automated financial management services within the CDR framework. The specific action types to be supported, and their technical implementation, will be determined through ministerial declarations, updates to the CDR Rules, and Data Standards. Where applicable, commencement dates for each action type will be set through subsequent legislative instruments and staged rollouts.

Designation

The CDR legislation gives the Minister powers to designate a sector for which the CDR will apply. The Minister designates a sector through a legislative instrument. In the instrument, the Minister designates a sector by specifying:
  • classes of information ''
  • businesses who hold one or more of those classes of information
The Minister, in the instrument, may also designate a ‘gateway’, or multiple ‘gateways’ to facilitate the transfer of data between a data holder and accredited data recipient or the consumer; a gateway typically would be an Australian Government entity, or a body within the effective control of the Australian Government or an Australian state or territory government.
The table below summarizes designations made so far:
SectorInstrumentDate
Banking4 September 2019
Energy26 June 2020
Telecommunications24 January 2022     
Non-bank lenders21 November 2022

The designation instrument itself does not impose data sharing obligations. The requirement to disclose particular data emanates from the CDR rules, which provide the framework for how the CDR operates in a particular sector.

CDR rules

The CDR rules are a legislative instrument made under section 56BA of the Competition and Consumer Act 2010. The rules cover all aspects of the CDR framework including:
  • Product data requests
  • Consumer data requests made by eligible CDR consumers
  • Consumer data requests made by accredited persons
  • Accreditation
  • Dispute resolution
  • Privacy safeguards
  • Data standards
The rules are applied universally across all sectors of the economy to the extent possible. The rules are being progressively updated as the CDR evolves and expands. The current version of the rules are available from .

Consumer Data Standards

How CDR participants comply with the requirements of the CDR rules are set out in a set of technical specifications called 'Consumer Data Standards'.
The Consumer Data Standards are specifications for how information technology solutions must be implemented to ensure safe, efficient, convenient and interoperable systems to share data. The data standards are binding if required by CDR rules; however, the standards are not a legislative instrument, in themselves.
The data standards are made by a Data Standards Chair. The Data Standards Chair, who is a person appointed by the Minister, makes the data standards in accordance with the sectoral designations and the CDR rules.
The data standards must be published on the internet and be freely available; the current data standards are available from . To adapt to changing demands for functionality and available technology solutions, the data standards are living documents subject to continual change.

Governance

The governance of the CDR framework is shared across:
The Minister, as well as having the power to designate sectors, has the power to make CDR rules; up until February 2021, the ACCC was the agency responsible for making CDR rules.
The Australian Treasury, in addition to providing the Minister with policy advice regarding the CDR and its future directions, is also responsible for consulting for, and advising the Minister on sector designations, and developing the CDR rules; up until February 2021, these responsibilities were performed by the ACCC.
The ACCC is responsible for regulation of the CDR framework, including compliance and enforcement of the rules and standards. It is also responsible for accreditation of CDR participants ; the ACCC, among other things, maintains a register of accredited CDR participants called the . The ACCC can also grant exemptions from provisions of the CDR rules ; it maintains a separate public for granted exemptions.
The role of the Data Standards Body is currently undertaken by the Australian Treasury; until February 2021, Data61 performed the role of the Data Standards Body.
The OAIC oversees matters relating to the protection of consumer privacy and confidentiality, and compliance with the CDR Privacy Safeguards. The OAIC can also investigate a consumer complaint about how a CDR participant has handled the consumer's data; the OAIC may refer complaints to relevant external dispute resolution bodies or the ACCC.

Implementation

The Australian government has been implementing the CDR on a sector-by-sector basis. The CDR was first implemented in the banking sector, following that sector's designation in September 2019; though, prior to the sector's designation, work on the CDR rules and Consumer Data Standards for banking had already begun, and major banks in Australia had already made selected data for their products publicly available.
The foundational CDR rules commenced in February 2020, and the CDR was formally launched in July 2020, when selected consumer data sharing obligations for four major Australian banks became mandatory. Other banks and bank data have been progressively included in a phased manner over the years since the CDR launch. The majority of Australian banking consumers are now able to share their data through the CDR framework; in the banking industry, this data sharing often goes under the moniker 'Open Banking'.
In November 2021, the Minister amended the CDR rules to expand the CDR to the energy sector. In October 2022, product-data sharing in the energy sector commenced under the CDR framework; in this context, products include electricity, gas and dual fuel plans. In November 2022, consumer-data sharing commenced for customer data held by the Australian Energy Market Operator, and selected energy retailers; consumer data relate to the sale or supply of electricity, including where electricity is bundled with gas.
In January 2022, the Minister designated the telecommunications sector as the third CDR sector, following banking and energy. In September 2022, Australian Treasury published draft changes to CDR rules to expand the CDR to the telecommunication sector.
In December 2022, the Minister designated the non-bank lending sector; Australian Treasury also released a design paper on CDR rules and data standards for non-bank lending sector.

2022 statutory review

In September 2022, the Australian Government released an independent statutory review into the CDR framework, and its implementation over the past few years.
The Review found the CDR framework has been 'broadly effective' in the rollout of the CDR to date. However, the Review heard 'that participants in the CDR are still waiting for the scheme to deliver broad and tangible benefits to consumers, as well as to system participants – including data holders and data recipients'.  And the Review noted 'innovative product offerings are only starting to become available, meaning significant consumer benefits are yet to be realised'.
The Review heard that the success of the CDR to date has been difficult to gauge due to the lack of visibility of public success measures for the CDR as a whole. The Review noted the offers some performance metrics and noted that 'significant effort' is underway within CDR agencies to expand these measures, but it argued that these metrics 'could be improved with additional data relevant to the growth of the ecosystem',
The Review heard that many businesses 'have continued to use screen scraping despite the possibility of receiving data through the CDR'. Review submissions cited the 'ease and lower cost' of screen scraping and inconsistent CDR data quality as reasons for the continued use of screen scraping. The Review argued that data quality must improve to provide a viable alternative to screen scraping and recommended that screen scraping be banned in the near future in sectors where the CDR data provides a viable alternative.
The Review noted that whilst direct‐to‐consumer data sharing is a key part of the CDR, the CDR rules do not currently oblige the sharing of data directly to consumers. The Review heard that direct‐to‐consumer data sharing could increase risks, without significant benefits to consumers. While the Review recognises 'the potential self‐interest inherent in the cohort of data holders and recipients advocating for restricting direct‐to‐consumer data access', it agreed that the framework may require further consideration if direct‐to‐consumer data sharing is to be enabled.
The Review, which was released after the 2022 Optus cyber hacks, stated that it generally did not hear many concerns from stakeholders about the cyber security settings of the CDR. Nonetheless, the Review recommended that the Government should consider undertaking a whole of ecosystem cyber security assessment.

Extensions

The Australian Government is proposing to extend the CDR legislation to enable a consumer to initiate an action with a business. The types of 'actions' could include:
  • making a payment;
  • opening and closing an account;
  • switching providers; and
  • updating personal details
In December 2022, the Australian Government introduced into parliament legislation that would extend the functionality of the Consumer Data Right to "enable Australian consumers and small business to safely and conveniently instruct accredited third parties to initiate CDR‑powered actions with their consent and on their behalf."