Consumer Data Right

Consumer Data Right
Parliament of Australia
Long title Treasury Laws Amendment (Consumer Data Right) Bill 2019
Citation	No. 63 of 2019
Territorial extent	Australia
Enacted by	House of Representatives
Enacted	30 Jul 2019
Passed by	Senate
Passed	1 Aug 2019
Assented to	12 Aug 2019
Legislative history
First chamber: House of Representatives
Bill title	Treasury Laws Amendment (Consumer Data Right) Bill 2019
Introduced by	Josh Frydenberg
First reading	24 July 2019
Second reading	24 Jul 2019
Third reading	30 July 2019
Second chamber: Senate
First reading	31 July 2019
Second reading	31 July 2019
Third reading	1 August 2019
Summary
Amends the Competition and Consumer Act 2010, Australian Information Commissioner Act 2010 and Privacy Act 1988 to create the Consumer Data Right to provide individuals and businesses with a right to access specified data in relation to them held by businesses.
Keywords
consumer data
Status: In force

The Consumer Data Right is the name of a legislative, regulatory, and standards framework for consumer data portability in Australia. This framework has been created and introduced by the Australian Government, which is implementing the framework on a sector-by-sector basis.^[1]

Background

In May 2017, the Productivity Commission released a report 'Data Availability and Use'^[2] that recommended, among other things, a new 'Comprehensive Right' for consumers.^[3][4] This proposed new right would allow consumers to access and correct data about themselves held by product or service providers.^[3] It would also allow a consumer to have a machine-readable copy of their consumer data provided either to them or directly to a nominated third party, such as a new service provider.^[4]

In November 2017, the Australian Government announced plans to legislate a national 'Consumer Data Right', which would allow customers open access to their banking, energy, phone and internet transactions data.^{[5][6] [7]}

Legislation

In 2019, the Australian Parliament passed the 'Treasury Laws Amendment (Consumer Data Right) Bill 2019' to create the Consumer Data Right (CDR);^[8] the bill inserted a new part (Part IVD - Consumer Data Right) into the Competition and Consumer Act 2010,^[9] and amended the Australian Information Commissioner Act 2010 and Privacy Act 1988.^[10]

The CDR legislation^[11]

• provides individuals and businesses (consumers) with a right to efficiently and conveniently access specified data in relation to them held by businesses (data holders).
• authorises secure access to this data by trusted and accredited third parties (accredited data recipients).
• requires businesses (data holders) to provide public access to information on specified products they have on offer.

The CDR legislation establishes a framework to enable the CDR to be applied to various sectors of the economy over time.^[12]

Designation

The CDR legislation gives the Minister (responsible for the CDR) powers to designate a sector for which the CDR will apply. ^[13] The Minister designates a sector through a legislative instrument.^[13] In the instrument, the Minister designates a sector by specifying:^[14]

• classes of information (designated data)
• businesses (data holders) who hold one or more of those classes of information

The Minister, in the instrument, may also designate a ‘gateway’, or multiple ‘gateways’ to facilitate the transfer of data between a data holder and accredited data recipient or the consumer;^[15] a gateway typically would be an Australian Government entity, or a body within the effective control of the Australian Government or an Australian state or territory government.^[16]

The table below summarizes designations made so far:

Sector	Instrument	Date
Banking	F2019L01153	4 September 2019
Energy	F2020L00833	26 June 2020
Telecommunications	F2022L00068	24 January 2022
Non-bank lenders	F2022L01522	21 November 2022

The designation instrument itself does not impose data sharing obligations.^[17] The requirement to disclose particular data emanates from the CDR rules, which provide the framework for how the CDR operates in a particular sector. ^[17]

CDR rules

The CDR rules are a legislative instrument made (by the Minister) under section 56BA of the Competition and Consumer Act 2010.^[18] The rules cover all aspects of the CDR framework including:^[18]

• Product data requests
• Consumer data requests made by eligible CDR consumers
• Consumer data requests made by accredited persons
• Accreditation
• Dispute resolution
• Privacy safeguards
• Data standards

The rules are applied universally across all sectors of the economy to the extent possible.^[17] The rules are being progressively updated as the CDR evolves and expands.^[17] The current version of the rules are available from here.

Consumer Data Standards

How CDR participants (data holders, accredited data recipients and gateways) comply with the requirements of the CDR rules are set out in a set of technical specifications called 'Consumer Data Standards'.

The Consumer Data Standards are specifications for how information technology solutions must be implemented to ensure safe, efficient, convenient and interoperable systems to share data. ^[19] The data standards are binding if required by CDR rules;^[20] however, the standards are not a legislative instrument, in themselves.^[21]

The data standards are made by a Data Standards Chair (on the advice of a Data Standard Body). The Data Standards Chair, who is a person appointed by the Minister, makes the data standards in accordance with the sectoral designations and the CDR rules.^[21]

The data standards must be published on the internet and be freely available;^[20] the current data standards are available from here. To adapt to changing demands for functionality and available technology solutions, the data standards are living documents subject to continual change.^[21]

Governance

The governance of the CDR framework is shared across:

• Minister (responsible for the CDR)
• Australian Treasury
• Australian Competition and Consumer Commission (ACCC)
• Data Standards Chair and Body
• Office of the Australian Information Commissioner (OAIC)

The Minister, as well as having the power to designate sectors (for which the CDR will apply), has the power to make CDR rules; up until February 2021, the ACCC was the agency responsible for making CDR rules.^[22]

The Australian Treasury, in addition to providing the Minister with policy advice regarding the CDR and its future directions, is also responsible for consulting for, and advising the Minister on sector designations, and developing the CDR rules; up until February 2021, these responsibilities were performed by the ACCC.^[22]

The ACCC is responsible for regulation of the CDR framework, including compliance and enforcement of the rules and standards. It is also responsible for accreditation of CDR participants (holders, recipients, etc);^[23] the ACCC, among other things, maintains a register of accredited CDR participants called the Consumer Data Right Register.^[24] The ACCC can also grant exemptions from provisions of the CDR rules (as part of its enforcement responsibilities); it maintains a separate public register for granted exemptions. ^[25]

The role of the Data Standards Body is currently undertaken by the Australian Treasury; until February 2021, Data61 (CSIRO) performed the role of the Data Standards Body.^[22]

The OAIC oversees matters relating to the protection of consumer privacy and confidentiality, and compliance with the CDR Privacy Safeguards. ^[19] The OAIC can also investigate a consumer complaint about how a CDR participant has handled the consumer's data; the OAIC may refer complaints to relevant external dispute resolution bodies or the ACCC.^[26]

Implementation

The Australian government has been implementing ('rolling out') the CDR on a sector-by-sector basis. The CDR was first implemented in the banking sector, following that sector's designation in September 2019; though, prior to the sector's designation, work on the CDR rules^[27] and Consumer Data Standards for banking had already begun,^[28] and major banks in Australia had already made selected data for their products publicly available.^[29]

The foundational CDR rules commenced in February 2020,^[30] and the CDR was formally launched in July 2020,^[31][32] when selected consumer data sharing obligations for four major Australian banks became mandatory. Other banks and bank data have been progressively included in a phased manner over the years since the CDR launch.^[33] The majority of Australian banking consumers are now able to share their data through the CDR framework;^[34] in the banking industry, this data sharing often goes under the moniker 'Open Banking'. ^[35]

In November 2021, the Minister amended the CDR rules to expand the CDR to the energy sector.^[36] In October 2022, product-data sharing in the energy sector commenced under the CDR framework; in this context, products include electricity, gas and dual fuel plans. ^[37] In November 2022,^[38] consumer-data sharing commenced for customer data held by the Australian Energy Market Operator (gateway), and selected energy retailers; consumer data relate to the sale or supply of electricity, including where electricity is bundled with gas.^[37]

In January 2022, the Minister (responsible for the CDR) designated the telecommunications sector as the third CDR sector, following banking and energy.^[39] In September 2022, Australian Treasury published draft changes to CDR rules to expand the CDR to the telecommunication sector.^[40]

In December 2022, the Minister designated the non-bank lending sector;^[41] Australian Treasury also released a design paper on CDR rules and data standards for non-bank lending sector.^[42]

2022 statutory review

In September 2022, the Australian Government released^[43] an independent statutory review^[44] into the CDR framework, and its implementation over the past few years.^[45]

The Review found^[46] the CDR framework has been 'broadly effective' in the rollout of the CDR to date.^[47] However, the Review heard^[48] 'that participants in the CDR are still waiting for the scheme to deliver broad and tangible benefits to consumers, as well as to system participants – including data holders and data recipients'.  And the Review noted^[48] 'innovative product offerings are only starting to become available, meaning significant consumer benefits are yet to be realised'.

The Review heard^[49] that the success of the CDR to date has been difficult to gauge due to the lack of visibility of public success measures for the CDR as a whole. The Review noted the CDR website (at the time of the review) offers some performance metrics and noted^[50] that 'significant effort' is underway within CDR agencies to expand these measures, but it argued^[50] that these metrics 'could be improved with additional data relevant to the growth of the ecosystem',

The Review heard^[51] that many businesses 'have continued to use screen scraping despite the possibility of receiving data through the CDR'. Review submissions cited^[51] the 'ease and lower cost' of screen scraping and inconsistent CDR data quality^[52] as reasons for the continued use of screen scraping. The Review argued^[53] that data quality must improve to provide a viable alternative to screen scraping and recommended^[54] that screen scraping be banned in the near future in sectors where the CDR data provides a viable alternative.^[55]

The Review noted^[56] that whilst direct‐to‐consumer data sharing is a key part of the CDR, the CDR rules do not currently oblige the sharing of data directly to consumers. The Review heard^[57] that direct‐to‐consumer data sharing could increase risks (of fraud and to privacy), without significant benefits to consumers. While the Review recognises^[58] 'the potential self‐interest inherent in the cohort of data holders and recipients advocating for restricting direct‐to‐consumer data access', it agreed^[58] that the framework may require further consideration if direct‐to‐consumer data sharing is to be enabled.

The Review, which was released after the 2022 Opus cyber hacks, stated^[59] that it generally did not hear many concerns from stakeholders about the cyber security settings of the CDR.^[45] Nonetheless, the Review recommended^[60] that the Government should consider undertaking a whole of ecosystem cyber security assessment.^[61]

Extensions

The Australian Government is proposing to extend the CDR legislation to enable a consumer (through an accredited third party) to initiate an action with a (designated) business.^[62] The types of 'actions' could include:^[63]

• making a payment;
• opening and closing an account;
• switching providers; and

• updating personal details (such as an address)

In December 2022, the Australian Government introduced into parliament legislation that would extend the functionality of the Consumer Data Right (CDR) to "enable Australian consumers and small business to safely and conveniently instruct accredited third parties to initiate CDR‑powered actions with their consent and on their behalf."^[64]

External links

• Australian Government's Consumer Data Right website
• Competition and Consumer (Consumer Data Right) Rules 2020
• Consumer Data Standards website
• Australian Treasury page on the CDR
• Australian Consumer and Competition Commission page on the CDR
• Australian Consumer and Competition Commission's public register of CDR exemptions
• Office of the Australian Information Commissioner page on the CDR

References

1. "Consumer Data Right". Consumer Data Right.
2. Productivity Commission 2017, Data Availability and Use, Report No. 82, Canberra
3. Lake, Jessica. "Data availability report presents compromised rights for consumers". The Conversation. Retrieved 12 December 2022.
4. Buckley, Ross. "More than banking done right, consumer data rights are set to transform our lives". The Conversation. Retrieved 12 December 2022.
5. "Australians will own their banking and internet data under new legislation". ZDNET. Retrieved 13 December 2022.
6. Easton, Stephen (27 November 2017). "Feds promise 'sector-by-sector' data rights, more data reforms in a few weeks". The Mandarin. Retrieved 13 December 2022.
7. Philipson, Graeme (27 November 2017). "Consumers to own their own data, with new bill". Government News. Retrieved 13 December 2022.
8. "Treasury Laws Amendment (Consumer Data Right) Bill 2019". Australian Parliament House.
9. Sullivan, C. (2022). The new Australian Consumer Data Right: An exemplary model for Open Banking. WIREs Forensic Science, 4( 5), e1458. https://doi.org/10.1002/wfs2.1458, page 3
10. Julie McKay and Jamie Leach(2022), The Australian Consumer Data Right: The Promise of Open Data, Chapter 10, Jeng, Linda (ed.), Open Banking (New York, 2022; online edn, Oxford Academic, 24 Mar. 2022), https://doi.org/10.1093/oso/9780197582879.001.0001, page 201
11. The Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 5.
12. The Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 17.
13. The Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 11.
14. The Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 12.
15. The Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 20
16. The Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 20-21
17. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 15.
18. Parliament of Commonwealth of Australia, Competition and Consumer (Consumer Data Right) Rules 2020, Compilation No. 7
19. The Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 7.
20. The Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 48.
21. the Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 47.
22. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 87
23. The Parliament of the Commonwealth of Australia (2019), Treasury Law Amendment (Consumer Data Right) Bill 2019, EXPLANATORY MEMORANDUM, page 11.
24. Commission, Australian Competition and Consumer (2 October 2018). "The Consumer Data Right". Australian Competition and Consumer Commission. Retrieved 22 November 2022.
25. Commission, Australian Competition and Consumer (27 March 2020). "Consumer data right exemptions register". Australian Competition and Consumer Commission. Retrieved 22 November 2022.
26. "CDR regulation". Home. Retrieved 22 November 2022.
27. Commission, Australian Competition and Consumer (27 March 2019). "CDR draft rules (banking)". Australian Competition and Consumer Commission. Retrieved 7 December 2022.
28. CSIRO. "Data61 appointed to Data Standards Body role". www.csiro.au. Retrieved 7 December 2022.
29. CSIRO. "Data Standards Body welcomes initial live use of banking Product Reference Data standards". www.csiro.au. Retrieved 7 December 2022.
30. Commission, Australian Competition and Consumer (3 March 2020). "Commencement of CDR Rules". Australian Competition and Consumer Commission. Retrieved 7 December 2022.
31. Commission, Australian Competition and Consumer (1 July 2020). "Consumer Data Right goes live for data sharing". Australian Competition and Consumer Commission. Retrieved 7 December 2022.
32. "Consumer Data Right for banking goes live". iTnews. Retrieved 11 December 2022.
33. Australian Government, CDR website,
34. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 15.
35. Podder, S. (2021). Australian open banking: the regulatory dilemma of balancing different policy objectives. Australian Journal of Competition and Consumer Law, 29(1), 15-28.
36. "Consumer Data Right rolled out to the energy sector | Treasury Ministers". ministers.treasury.gov.au. Retrieved 7 December 2022.
37. "CDR in the energy sector". CDR.
38. "Consumer Data Right goes live for energy sector | Treasury Ministers". ministers.treasury.gov.au. Retrieved 7 December 2022.
39. "More power to compare and switch telco providers and share finance data | Treasury Ministers". ministers.treasury.gov.au. Retrieved 7 December 2022.
40. "Consumer Data Right rules - expansion to the telecommunications sector and other operational enhancements | Treasury.gov.au". treasury.gov.au. Retrieved 7 December 2022.
41. "Expanding Consumer Data Right to non-bank lenders | Treasury Ministers". ministers.treasury.gov.au. Retrieved 7 December 2022.
42. "Consumer Data Right rules and data standards design paper for non-bank lending sector | Treasury.gov.au". treasury.gov.au. Retrieved 7 December 2022.
43. "Statutory Review of the Consumer Data Right - Report | Treasury.gov.au". treasury.gov.au. Retrieved 19 December 2022.
44. Kelly, Elizabeth (29 September 2022). "Statutory review of the Consumer Data Right: report". {{cite journal}}: Cite journal requires |journal= (help)
45. "Review cybersecurity for consumer data right: report". Australian Financial Review. 3 October 2022. Retrieved 16 December 2022.
46. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 6
47. "Data quality issues holding back CDR scheme: report". InnovationAus.com. 4 October 2022. Retrieved 14 December 2022.
48. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 3
49. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 28
50. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 29
51. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 31
52. Bajkowski, Julian (1 October 2022). "Consumer Data Right review wants 'screen scrapers' banned fast". The Mandarin. Retrieved 23 December 2022.
53. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 1
54. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 32
55. Bajkowski, Julian (1 October 2022). "Consumer Data Right review wants 'screen scrapers' banned fast". The Mandarin. Retrieved 23 December 2022.
56. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 25.
57. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 25
58. Elizabeth Kelly (2022), Statutory Review of the Consumer Data Right, The Australian Government (the Treasury), page 27.
59. "Review cybersecurity for consumer data right: report". Australian Financial Review. 3 October 2022. Retrieved 19 December 2022.
60. "Review cybersecurity for consumer data right: report". Australian Financial Review. 3 October 2022. Retrieved 19 December 2022.
61. "Review cybersecurity for consumer data right: report". Australian Financial Review. 3 October 2022. Retrieved 23 December 2022.
62. "Consumer Data Right - Exposure draft legislation to enable action initiation | Treasury.gov.au". treasury.gov.au. Retrieved 5 December 2022.
63. Australian Treasury, Exposure draft legislation to enable action initiation in the Consumer Data Right, Summary of proposed changes, September 2022, page 1.
64. "Expanded CDR legislation to make online tasks safer and easier | Treasury Ministers". ministers.treasury.gov.au. Retrieved 8 December 2022.