Consumer Data Right: What Is It And How Do I Become An Accredited Recipient?

Author: Megan Adams & Zeinab Farhat, Progressive Legal

The Consumer Data Right (CDR) aims to give consumers increased control over their consumer data and to increase transparency over how their data is used. The CDR regime provides consumers with a right to safely share their data with accredited service providers, in order to easily access different service and product offerings. To this end, the CDR regime is also intended to facilitate competition in various industries (i.e. banking).

On this page you’ll gain insights into what precisely a consumer data right entails, who is eligible to offer services under the CDR framework, an understanding of CDR data itself, the methods employed for sharing CDR data, and the process for becoming an accredited recipient.

What is the Consumer Data Right? 

The CDR was introduced in 2017 in response to various sector specific inquiries which had been commissioned from 2014-2017. One example is the Productivity Commission’s report pertaining to data availability, which also highlighted the need for reformation regarding the use of consumer data.  

Consequently, the CDR was introduced into Part IVD of the Competition and Consumer Act 2010 (Cth) (“the Act”) through the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth). Section 56AA of the Act outlines the primary objectives of Part IVD:

(a) To empower consumers in specific sectors of the Australian economy to securely, efficiently, and conveniently access their personal information within these sectors, either for personal use or to share with accredited entities while ensuring privacy safeguards are upheld.

(b) To facilitate efficient and convenient access for anyone to information within these sectors, pertaining to goods and services, which does not contain identifiable or reasonably identifiable consumer data.

(c) Through the accomplishment of (a) and (b), to foster increased choice, competition, and the promotion of the public interest.

In essence, the CDR’s fundamental purpose is to enhance consumer control over their data across various organisations. Section 56AA underscores the CDR’s role in bolstering privacy safeguards for consumers and fostering greater choice and competition within the digital landscape.

Who can provide services under the CDR? 

What is CDR data?

CDR data will include personal information about a customer, such as their name and contact details. CDR data will also include further information such as the customers use of a certain product or service. For example, accredited businesses may also be able to access CDR data pertaining to accounts and transactions.

How is CDR data shared?

Generally, the process is as follows: 

1. the consumer provides consent to an accredited person to obtain the consumer’s data in order to provide a certain good or service;   
2. the accredited person contacts the data holder and seeks access to the consumers data; 
3. the data holder asks the consumer to provide authorisation for the disclosure of his/ her data to the accredited person; 
4. the consumer consents to the disclosure of their data by the data holder; 
5. the data holder shares the consumer’s data with the accredited person, and the accredited person becomes an accredited data recipient for the consumers CDR data; and 
6. the accredited data recipient uses the consumer’s CDR data in order to provide the goods and services to the consumer.

How to become an accredited recipient?

The Office of the Australian Information Commissioner (“OAIC”) provides a guide for data holders, designated gateways and accredited persons to prepare for their accreditation under the CDR.  

When is an accreditation granted?

An accreditation is granted if the person meets the criteria for accreditation as specified in the consumer data rules (s 56CA(1), the Act). Consumer data rules are rules made by the Minister for designated sectors (s 56BA, the Act). 

What is the process for obtaining accreditation?

In summary, to become an accredited data recipient, the process is: 

1. Review the CDR accreditation checklist by the Australian Government; 

2. Review the legal obligations and IT obligations for accredited specialists. One of these requirements is that you have a Consumer Data Policy. A CDR Policy will provide information to customers about what the CDR is, how CDR data is shared and complaint mechanisms. Certain content must be included in a CDR Policy, and OAIC provides a guide on this;  

3. The applicant should apply for an account to access the Consumer Data Right Participant Portal which is done by an office holder in the organisation; 

4. The ACCC will send an activation code to the applicant; 

5. The applicant logs into the portal and starts the application; 

6. The application is submitted, if the application is not completed the ACCC returns it to the applicant; 

7. The ACCC will assess the application pursuant to the accreditation criteria; 

8. The ACCC will provide an outcome to the application which is passed onto the applicant; and 

9. The applicant will need to pass onboarding requirements.  

Key takeaways

The CDR is a complex and evolving area of privacy law that will only grow in prominence as privacy becomes an increasingly debated topic due to the growing frequency of hacks taking place online. 

If you wish to become an accredited data specialist, you should obtain legal advice from a privacy lawyer who can assist you in drafting your CDR policy as part of the accreditation process.

Need Privacy Help?

Please get in touch with us today via phone or the contact form on this page.

1800 820 083