Out-Law Analysis 6 min. read
04 Nov 2024, 9:09 am
The federal government’s recent update to Australia’s Consumer Data Right (CDR) builds on recent changes to the regime and further demonstrates its view of the CDR as a critical part of the country’s digital infrastructure.
The CDR - an economy-wide reform inserted as Part IVD of the Consumer and Competition Act 2020 (CCA) – was, when introduced, described by the then Commonwealth minister for superannuation, financial services and the digital economy Jane Hume as “one of the most transformative technological advances Australia as ever made”. It was designed to give consumers greater control over their data in a digital data driven economy.
Following a recent amendment to the CDR framework - which extended it from ‘data sharing’ (read only) to ‘action initiation’ (write access) – and a review of the regime as a whole, the federal government recently announced a reset of the CDR. While the recent amendments will bring new compliance requirements for businesses, it will also mean new opportunities for businesses prepared to take advantage of the benefits presented by the shift to action initiation.
The CDR is a consent-based system supported by the CDR Rules and CDR Privacy Safeguards which are regulated by the Australian Competition & Consumer Commission and the Office of the Australian Information Commissioner respectively. It is also supported by the Consumer Data Standards set by the Data Standards Body.
The CDR enables eligible consumers - individuals and businesses - to request ‘data holders’ in a designated sector to share their data in machine readable form with accredited and trusted third parties, known as ‘accredited data recipients’ so they can be accessed to tailor products and services and compare products.
As of February 2022, accredited data recipients were able to ‘on share’ consumer data with certain ‘trusted advisors’, including financial advisors, accountants and lawyers.
Data holders also have obligations under the CDR, including requirements to have a direct product and consumer request service and publish data about their products.
In August, the Treasury Laws Amendment (Consumer Data Right) Act 2024 (AA Act) came into effect. The AA Act amended the CDR framework in the CCA and extended the CDR framework from ‘data sharing’ to ‘action initiation’.
Action initiation permits service providers to initiate actions with data holders on consumers’ behalf. This includes making a payment, opening or closing an account, switching providers and updating personal details across providers.
CDR action initiation brings two new types of participants into the CDR regime:
ASPs can only initiate actions on behalf of consumers that they would undertake in their usual course of business and cannot treat valid instructions from an AAI any differently to how they would treat direct instructions from consumers.
Importantly, the framework that the AA Act established is only concerned with the ‘instruction layer’ of an action, where consumers provide actions to AAIs to take an action with their data, and not the ‘action layer’, where the ASP carries out the action in accordance with the consumers request. The action layer will continue to be governed by existing laws and practices and not the CDR.
Like the current designation process for CDR data sharing, the AA Act sets out the framework for action initiation, not the specific actions that will be introduced. These will need to be declared by the Minister following a consultation process, after which the Minister will be able to make new CDR Rules for that specific action type. This includes who can be an AAI and the relevant accreditation process, the application of the Consumer Data Standards and the Privacy Safeguards to the actions.
Following the release of a compliance cost review of the CDR – which concluded that the regulatory costs of implementing the CDR had “massively exceeded original estimates” - the Assistant Treasurer Stephen Jones announced a ‘reset’ of the CDR regime.
The announcement included a mix of short-term and long-term measures to address key concerns with the current CDR from relevant industries. This includes the high regulatory burden and compliance costs, lack of incentive for businesses to use CDR data, restrictions on using and holding CDR data and low CDR uptake by consumers, with the cost review finding that only 0.31% of banking customers were using the CDR.
The proposed measures include:
The government appears to have already started its reset, through its consultation and exposure draft of the proposed amendments to the CDR Rules. The consultation ended in September, and it is expected that the next step will be a review of the proposed CDR Rules by the Treasurer in light of the feedback received during the consultation process.
There have been no further public developments since the end of this consultation process.
The recent developments related to the CDR demonstrate the government’s commitment to the CDR as a critical part of Australia’s digital infrastructure, with a real push for money and data to be able to be moved around the economy in the same way. However, it also signals that more work needs to be done to reset and stabilise the CDR regime to encourage more active engagement under the expanded regime after the initial and significant investment by CDR participants.
While the passing of the AA Act and the government’s reset provides some clarity for the direction of the CDR amongst sceptical and frustrated industries, a firm timeline from government indicating its agenda for different parts of the CDR would help consolidate this momentum. The release of the recent consultation paper may not be enough to satisfy the critics, particularly as it took almost three years to pass action initiation into law.
The renewed focus and commitment to CDR emphasises the need for businesses to keep up to date with the CDR rollout to ensure that they are:
Co-written by Serpil Eastaugh of Pinsent Masons.