What is the Consumer Data Right?
The Consumer Data Right (CDR) is an economy wide initiative (both in Australia and New Zealand) that will give individuals greater choice and control over their data.
CDR in Australia
The CDR was first rolled out to the banking sector - known as Open Banking. The energy and telecommunications sectors have also been designated.
In 2022, 'Open Finance' was identified as the next priority area to grow the CDR. Open Finance will bring in targeted datasets from:
- General insurance
- Merchant acquiring
- Non-bank lending service providers
The announcement about Open Finance also included the intention to expand the CDR to government datasets including government agencies becoming data holders and accredited data recipients.
CDR in New Zealand
The New Zealand Government announced in July 2021 that they will be implementing a new legislative framework to establish their own
CDR. In 2022, the Government will be making further decisions about implementation.
Quick explainer of the terms used in CDR
Data holders: providers who currently hold consumer data e.g. banks and energy companies. When directed by a consumer, they are required to share that consumer's data with a nominated accredited data recipient.
Accredited data recipients (ADRs): receive a consumer's data from a data holder after the consumer has given their consent. ADRs then use the data for the purpose that the consumer requested.
There are two levels of accreditation available to ADRs: unrestricted and sponsored.
Unrestricted accreditation: the highest level of accreditation available to participate in the CDR. Once accredited, they may:
- Collect CDR data from data holders to provide goods or services to the consumer.
- Collect CDR data directly or through using the services of an outsourced service provider.
- Sponsor another accredited participant in a sponsorship arrangement and/or enter into a CDR representative arrangement.
Sponsored accreditation: for participants who enter into a sponsorship arrangement with an unrestricted ADR who is willing to act as their sponsor. Participants accredited at this level, and in a sponsorship arrangement, are known as an affiliate of their sponsor.
Once accredited, affiliates:
- Cannot collect data from a data holder but can request for their sponsor to collect it on their behalf
- Can collect data from another accredited person who is not their sponsor.
- Can use their sponsor's outsourced service provider to collect data but they cannot enter into their own outsourcing arrangement, however, they may disclose data to an outsourced service provider under an outsourcing arrangement.
CDR representative model: allows unaccredited participants (known as CDR representatives) to partner with an unrestricted ADR (known as the principal) to provide goods and services using CDR data. CDR representatives can only have on principal.
Outsourced service provider: these providers may:
- Collect CDR data on behalf of an accredited participant.
- Use CDR data to provide goods and services to an accredited participant.
Derived data: the definition of CDR data includes data that has been 'wholly or partly derived' from data sets listed in the designation instrument as well as data derived from any previously derived data.
Data insights: consumers can consent to an ADR disclosing 'CDR insights' about their data in specific circumstances
e.g. verifying their identity.
Who are the regulators?
In Australia CDR regulation comes from four separate bodies each with their own distinct role:
- Australian Competition and Consumer Commission (ACCC): manage the accreditation process and accreditation register.
- Office of the Australian Information Commissioner (OAIC): regulate privacy and confidentiality; handle complaints and breaches.
Treasury: lead policy, develop rules and advise government on future CDR sectors.
- Data Standards Body: sits within Treasury and develops standards on how data is shared.
In New Zealand the CDR legislation is expected to be introduced to Parliament in 2022. Currently the Ministry of
Business, Innovation and Employment (MBIE) hosts information about the CDR on their website and previously consulted on establishing a
consumer data right in 2020.
Why should I know about CDR?
If you use bank feeds, originate or initiate payments, access banking accounts or hold payroll or superannuation information in your software, you may want to learn more about the potential impacts CDR may pose to you and your business model.
For example if you consume a bank feed that is made available through the CDR, you may be required to become an Accredited Data Recipient and comply with your legal obligations and IT requirements. Further, if you consume this data and it is shared through to any third party that your software connects with, you may be required to place additional requirements on these parties as this can be considered as derived data.
While the Operational Security Framework (OSF) has been recognised as an alternative accreditation method for DSPs, they will still
need to meet additional requirements. Becoming accredited is also known to be a costly process.
What is DSPANZ doing?
We continue to respond to CDR-related consultations and engage with the relevant regulators across Australia and New Zealand to represent our member's views and experiences.
As an association, we want to see a CDR landscape that allows both DSPs and their end users to easily participate and benefit from data sharing.
While we will keep you updated on happenings in the CDR space, we do recommend gaining a better understanding of how CDR may impact
This article features content from the below sources. We recommend navigating through each of these websites for more information on the CDR.
CDR in Australia:
- Consumer Data Right website
- Australian Competition and Consumer Commission (ACCC)
- Office of the Australian Information Commissioner (OAIC)
CDR in New Zealand: