The federal government’s recent update to Australia’s Consumer Data Right (CDR) builds on recent changes to the regime and further demonstrates its view of the CDR as a critical part of the country’s digital infrastructure.
The CDR - an economy-wide reform inserted as Part IVD of the Consumer and Competition Act 2020 (CCA) – was, when introduced, described by the then Commonwealth minister for superannuation, financial services and the digital economy Jane Hume as “one of the most transformative technological advances Australia as ever made”. It was designed to give consumers greater control over their data in a digital data driven economy.
Following a recent amendment to the CDR framework - which extended it from ‘data sharing’ (read only) to ‘action initiation’ (write access) – and a review of the regime as a whole, the federal government recently announced a reset of the CDR. While the recent amendments will bring new compliance requirements for businesses, it will also mean new opportunities for businesses prepared to take advantage of the benefits presented by the shift to action initiation.
Overview of the current Consumer Data Right regime:
The CDR is a consent-based system supported by the CDR Rules and CDR Privacy Safeguards which are regulated by the Australian Competition & Consumer Commission and the Office of the Australian Information Commissioner respectively. It is also supported by the Consumer Data Standards set by the Data Standards Body.
The CDR enables eligible consumers - individuals and businesses - to request ‘data holders’ in a designated sector to share their data in machine readable form with accredited and trusted third parties, known as ‘accredited data recipients’ so they can be accessed to tailor products and services and compare products.
As of February 2022, accredited data recipients were able to ‘on share’ consumer data with certain ‘trusted advisors’, including financial advisors, accountants and lawyers.
Data holders also have obligations under the CDR, including requirements to have a direct product and consumer request service and publish data about their products.
Action initiation:
In August, the Treasury Laws Amendment (Consumer Data Right) Act 2024 (AA Act) came into effect. The AA Act amended the CDR framework in the CCA and extended the CDR framework from ‘data sharing’ to ‘action initiation’.
Action initiation permits service providers to initiate actions with data holders on consumers’ behalf. This includes making a payment, opening or closing an account, switching providers and updating personal details across providers.
CDR action initiation brings two new types of participants into the CDR regime:
- accredited action initiators (AAI) who receive action requests from consumers; and
- action service providers (ASP) who will perform the action request from an AAI as if it came from the consumer directly.
ASPs can only initiate actions on behalf of consumers that they would undertake in their usual course of business and cannot treat valid instructions from an AAI any differently to how they would treat direct instructions from consumers.
Importantly, the framework that the AA Act established is only concerned with the ‘instruction layer’ of an action, where consumers provide actions to AAIs to take an action with their data, and not the ‘action layer’, where the ASP carries out the action in accordance with the consumers request. The action layer will continue to be governed by existing laws and practices and not the CDR.
Like the current designation process for CDR data sharing, the AA Act sets out the framework for action initiation, not the specific actions that will be introduced. These will need to be declared by the Minister following a consultation process, after which the Minister will be able to make new CDR Rules for that specific action type. This includes who can be an AAI and the relevant accreditation process, the application of the Consumer Data Standards and the Privacy Safeguards to the actions.
Proposed measures to reset the CDR:
Following the release of a compliance cost review of the CDR – which concluded that the regulatory costs of implementing the CDR had “massively exceeded original estimates” - the Assistant Treasurer Stephen Jones announced a ‘reset’ of the CDR regime.
The announcement included a mix of short-term and long-term measures to address key concerns with the current CDR from relevant industries. This includes the high regulatory burden and compliance costs, lack of incentive for businesses to use CDR data, restrictions on using and holding CDR data and low CDR uptake by consumers, with the cost review finding that only 0.31% of banking customers were using the CDR.
The proposed measures include:
- streamlining the consumer consent rules by allowing multiple consents to be issued (‘bundled’) into a single action for the collection, use and disclosure of consumer data. This is instead of the data recipient being required to request consumer approval for each instance of a CDR transaction;
- expanding the CDR to non-bank lending and ‘buy now, pay later’ products by early 2025, to be operational by mid-2026. This follows the completion of a privacy impact assessment in July 2023. While the telecommunications sector was designated as a CDR sector in January 2022, the government has announced that it is pausing the implementation of CDR in the telecommunications sector to allow CDR to mature across the banking and energy sectors, and to focus on the roll out to the non-bank lending sector;
- a move away from ‘screen scraping’ where the CDR is a viable option. Screen scraping is a common alternative to CDR data sharing and involves the extraction of a consumer’s data displayed on screen and sharing this data with another service provider. Accordingly, the Assistant Treasurer has requested advice from the Treasurer over the next 12 months on a way forward for a “full and formal ban” on screen scraping;
- expanding the ‘trial products’ exception to the energy sector, which would see ‘pilot’ or ‘trial’ products offered by data holders in the energy sector that satisfy certain requirements - including the trial lasting no more than 12 months and being supplied to no more than 1,000 customers - being excluded from the CDR data sharing requirements while they are trial products. This exception will provide energy retailers with greater flexibility to innovate and test new products before a larger rollout, without having to share the associated product or consumer data; and
- a focus on high-priority use cases such as consumer finance and borrowing, energy switching and accounting services to small businesses. The Data Standards Body has also finalised a new standards assessment framework to complement the government’s direction in prioritising these high-priority use cases.
The government appears to have already started its reset, through its consultation and exposure draft of the proposed amendments to the CDR Rules. The consultation ended in September, and it is expected that the next step will be a review of the proposed CDR Rules by the Treasurer in light of the feedback received during the consultation process.
There have been no further public developments since the end of this consultation process.
Implications for businesses:
The recent developments related to the CDR demonstrate the government’s commitment to the CDR as a critical part of Australia’s digital infrastructure, with a real push for money and data to be able to be moved around the economy in the same way. However, it also signals that more work needs to be done to reset and stabilise the CDR regime to encourage more active engagement under the expanded regime after the initial and significant investment by CDR participants.
While the passing of the AA Act and the government’s reset provides some clarity for the direction of the CDR amongst sceptical and frustrated industries, a firm timeline from government indicating its agenda for different parts of the CDR would help consolidate this momentum. The release of the recent consultation paper may not be enough to satisfy the critics, particularly as it took almost three years to pass action initiation into law.
The renewed focus and commitment to CDR emphasises the need for businesses to keep up to date with the CDR rollout to ensure that they are:
- meeting, or actively preparing to meet, their compliance requirements as a CDR participant; and
- in a position to take advantage of the opportunities presented by action initiation, both as a consumer and accredited participant - for example, by becoming accredited as an AAI.