Consumer Data Right (CDR) in Australia: open banking, open energy and what's coming

What the CDR is

The Consumer Data Right was established by the Treasury Laws Amendment (Consumer Data Right) Act 2019, inserting Part IVD into the Competition and Consumer Act 2010. This legislation provides consumers with the ability to instruct a data holder to share their data with an accredited data recipient. This sharing occurs only with the consumer’s consent.

The implementation of the Consumer Data Right is occurring in a phased approach, sector by sector. Open banking was the initial focus, with its rollout commencing in 2020. Following this, the framework expanded to include the energy sector, with implementation beginning in 2022.

Further sectors are being considered for inclusion in the Consumer Data Right. These include areas such as non-bank lending and telecommunications, with a progressive approach to their integration.

The participants

The Consumer Data Right (CDR) framework involves several key participant types. Data holders are regulated entities mandated to share consumer data upon receiving a consumer's direction. Examples of data holders include Authorised Deposit-taking Institutions (ADIs) within the banking sector and retailers and distributors operating in the energy market.

Accredited data recipients are organisations that have successfully completed the Australian Competition and Consumer Commission (ACCC) accreditation process. This accreditation enables them to receive data shared under the CDR.

To assist accredited data recipients, outsourced service providers may be engaged. These third parties handle CDR data, but their operations are subject to the CDR rules.

Privacy Safeguards

The Consumer Data Right (CDR) framework incorporates specific privacy protections designed to govern the handling of consumer data. Part IVD of the Consumer Credit Act (CCA) establishes 13 Privacy Safeguards. These Safeguards are separate from the Australian Privacy Principles, although some principles are recognised within them.

These Safeguards address key aspects of data management, including ensuring open and transparent handling practices, protecting anonymity and pseudonymity, obtaining consumer consent for data use, and managing data security, retention, and deletion. Consumers also have rights regarding access to and correction of their data, and a process for lodging complaints. Privacy Act 2026 readiness

Enforcement of these Privacy Safeguards rests with the Office of the Australian Information Commissioner (OAIC). The Australian Competition and Consumer Commission (ACCC) is responsible for enforcing other aspects of the CDR rules. Both bodies have the power to apply civil penalties under the CCA for non-compliance.

Practical implications for participants

Participants in the Consumer Data Right (CDR) ecosystem face specific operational requirements. Data holders are obligated to develop and maintain application programming interfaces (APIs) that adhere to the technical standards established by the Data Standards Body. These standards ensure interoperability and data security.

Accredited data recipients must continually meet accreditation requirements. They are also responsible for implementing a consent flow that complies with CDR principles and ensuring that data is used solely for the purpose explicitly consented to by the consumer.

Sponsorship and representative arrangements provide a pathway for entities that are not accredited to engage with CDR. These arrangements allow non-accredited parties to operate through an accredited principal, subject to defined rules and oversight.