Consumer Data Right

The Consumer Data Right is the name of a legislative, regulatory, and standards framework for consumer data portability in Australia. This framework has been created and introduced by the Australian Government, which is implementing the framework on a sector-by-sector basis.

Background
In May 2017, the Productivity Commission released a report 'Data Availability and Use' that recommended, among other things, a new 'Comprehensive Right' for consumers. This proposed new right would allow consumers to access and correct data about themselves held by product or service providers. It would also allow a consumer to have a machine-readable copy of their consumer data provided either to them or directly to a nominated third party, such as a new service provider.

In November 2017, the Australian Government announced plans to legislate a national 'Consumer Data Right', which would allow customers open access to their banking, energy, phone and internet transactions data.

Legislation
In 2019, the Australian Parliament passed the 'Treasury Laws Amendment (Consumer Data Right) Bill 2019' to create the Consumer Data Right (CDR); the bill inserted a new part (Part IVD - Consumer Data Right) into the Competition and Consumer Act 2010, and amended the Australian Information Commissioner Act 2010 and Privacy Act 1988.

The CDR legislation
 * provides individuals and businesses (consumers) with a right to efficiently and conveniently access specified data in relation to them held by businesses (data holders).
 * authorises secure access to this data by trusted and accredited third parties (accredited data recipients).
 * requires businesses (data holders) to provide public access to information on specified products they have on offer.

The CDR legislation establishes a framework to enable the CDR to be applied to various sectors of the economy over time.

Designation
The CDR legislation gives the Minister (responsible for the CDR) powers to designate a sector for which the CDR will apply. The Minister designates a sector through a legislative instrument. In the instrument, the Minister designates a sector by specifying:


 * classes of information (designated data)
 * businesses (data holders) who hold one or more of those classes of information

The Minister, in the instrument, may also designate a ‘gateway’, or multiple ‘gateways’ to facilitate the transfer of data between a data holder and accredited data recipient or the consumer;  a gateway typically would be an Australian Government entity, or a body within the effective control of the Australian Government or an Australian state or territory government.

The table below summarizes designations made so far: The designation instrument itself does not impose data sharing obligations. The requirement to disclose particular data emanates from the CDR rules, which provide the framework for how the CDR operates in a particular sector.

CDR rules
The CDR rules are a legislative instrument made (by the Minister) under section 56BA of the Competition and Consumer Act 2010. The rules cover all aspects of the CDR framework including:
 * Product data requests
 * Consumer data requests made by eligible CDR consumers
 * Consumer data requests made by accredited persons
 * Accreditation
 * Dispute resolution
 * Privacy safeguards
 * Data standards

The rules are applied universally across all sectors of the economy to the extent possible. The rules are being progressively updated as the CDR evolves and expands. The current version of the rules are available from here.

Consumer Data Standards
How CDR participants (data holders, accredited data recipients and gateways) comply with the requirements of the CDR rules are set out in a set of technical specifications called 'Consumer Data Standards'.

The Consumer Data Standards are specifications for how information technology solutions must be implemented to ensure safe, efficient, convenient and interoperable systems to share data. The data standards are binding if required by CDR rules; however, the standards are not a legislative instrument, in themselves.

The data standards are made by a Data Standards Chair (on the advice of a Data Standard Body). The Data Standards Chair, who is a person appointed by the Minister, makes the data standards in accordance with the sectoral designations and the CDR rules.

The data standards must be published on the internet and be freely available; the current data standards are available from here. To adapt to changing demands for functionality and available technology solutions, the data standards are living documents subject to continual change.

Governance
The governance of the CDR framework is shared across:


 * Minister (responsible for the CDR)
 * Australian Treasury
 * Australian Competition and Consumer Commission (ACCC)
 * Data Standards Chair and Body
 * Office of the Australian Information Commissioner (OAIC)

The Minister, as well as having the power to designate sectors (for which the CDR will apply), has the power to make CDR rules; up until February 2021, the ACCC was the agency responsible for making CDR rules.

The Australian Treasury, in addition to providing the Minister with policy advice regarding the CDR and its future directions, is also responsible for consulting for, and advising the Minister on sector designations, and developing the CDR rules; up until February 2021, these responsibilities were performed by the ACCC.

The ACCC is responsible for regulation of the CDR framework, including compliance and enforcement of the rules and standards. It is also responsible for accreditation of CDR participants (holders, recipients, etc); the ACCC, among other things, maintains a register of accredited CDR participants called the Consumer Data Right Register. The ACCC can also grant exemptions from provisions of the CDR rules (as part of its enforcement responsibilities); it maintains a separate public register for granted exemptions.

The role of the Data Standards Body is currently undertaken by the Australian Treasury; until February 2021, Data61 (CSIRO) performed the role of the Data Standards Body.

The OAIC oversees matters relating to the protection of consumer privacy and confidentiality, and compliance with the CDR Privacy Safeguards. The OAIC can also investigate a consumer complaint about how a CDR participant has handled the consumer's data; the OAIC may refer complaints to relevant external dispute resolution bodies or the ACCC.

Implementation
The Australian government has been implementing ('rolling out') the CDR on a sector-by-sector basis. The CDR was first implemented in the banking sector, following that sector's designation in September 2019; though, prior to the sector's designation, work on the CDR rules and Consumer Data Standards for banking had already begun, and major banks in Australia had already made selected data for their products publicly available.

The foundational CDR rules commenced in February 2020, and the CDR was formally launched in July 2020, when selected consumer data sharing obligations for four major Australian banks became mandatory. Other banks and bank data have been progressively included in a phased manner over the years since the CDR launch. The majority of Australian banking consumers are now able to share their data through the CDR framework; in the banking industry, this data sharing often goes under the moniker 'Open Banking'.

In November 2021, the Minister amended the CDR rules to expand the CDR to the energy sector. In October 2022, product-data sharing in the energy sector commenced under the CDR framework; in this context, products include electricity, gas and dual fuel plans. In November 2022, consumer-data sharing commenced for customer data held by the Australian Energy Market Operator (gateway), and selected energy retailers; consumer data relate to the sale or supply of electricity, including where electricity is bundled with gas.

In January 2022, the Minister (responsible for the CDR) designated the telecommunications sector as the third CDR sector, following banking and energy. In September 2022, Australian Treasury published draft changes to CDR rules to expand the CDR to the telecommunication sector.

In December 2022, the Minister designated the non-bank lending sector; Australian Treasury also released a design paper on CDR rules and data standards for non-bank lending sector.

2022 statutory review
In September 2022, the Australian Government released an independent statutory review into the CDR framework, and its implementation over the past few years.

The Review found the CDR framework has been 'broadly effective' in the rollout of the CDR to date. However, the Review heard 'that participants in the CDR are still waiting for the scheme to deliver broad and tangible benefits to consumers, as well as to system participants – including data holders and data recipients'. And the Review noted 'innovative product offerings are only starting to become available, meaning significant consumer benefits are yet to be realised'.

The Review heard that the success of the CDR to date has been difficult to gauge due to the lack of visibility of public success measures for the CDR as a whole. The Review noted the CDR website (at the time of the review) offers some performance metrics and noted that 'significant effort' is underway within CDR agencies to expand these measures, but it argued that these metrics 'could be improved with additional data relevant to the growth of the ecosystem',

The Review heard that many businesses 'have continued to use screen scraping despite the possibility of receiving data through the CDR'. Review submissions cited the 'ease and lower cost' of screen scraping and inconsistent CDR data quality as reasons for the continued use of screen scraping. The Review argued that data quality must improve to provide a viable alternative to screen scraping and recommended that screen scraping be banned in the near future in sectors where the CDR data provides a viable alternative.

The Review noted that whilst direct‐to‐consumer data sharing is a key part of the CDR, the CDR rules do not currently oblige the sharing of data directly to consumers. The Review heard that direct‐to‐consumer data sharing could increase risks (of fraud and to privacy), without significant benefits to consumers. While the Review recognises 'the potential self‐interest inherent in the cohort of data holders and recipients advocating for restricting direct‐to‐consumer data access', it agreed that the framework may require further consideration if direct‐to‐consumer data sharing is to be enabled.

The Review, which was released after the 2022 Opus cyber hacks, stated that it generally did not hear many concerns from stakeholders about the cyber security settings of the CDR. Nonetheless, the Review recommended that the Government should consider undertaking a whole of ecosystem cyber security assessment.

Extensions
The Australian Government is proposing to extend the CDR legislation to enable a consumer (through an accredited third party) to initiate an action with a (designated) business. The types of 'actions' could include:


 * making a payment;
 * opening and closing an account;
 * switching providers; and

In December 2022, the Australian Government introduced into parliament legislation that would extend the functionality of the Consumer Data Right (CDR) to "enable Australian consumers and small business to safely and conveniently instruct accredited third parties to initiate CDR‑powered actions with their consent and on their behalf."
 * updating personal details (such as an address)