Consumer Data Right: Key items for consultation

2 minute read  30.08.2024 Bruno Solia and Sarah Summers

Treasury has initiated a public consultation on proposed amendments to consent and operation provisions of the Consumer Data Right Rules.


Key takeouts


  • Further to the Government's announcement about 'resetting' the CDR regime, Treasury has put forward the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024.
  • The proposed amendments mainly target, and seek to simplify, provisions relating to consumer consents and operational matters – with one of the goals being to improve the adoption of the CDR regime by business consumers.
  • Businesses should consider how the proposed amendments may impact their current organisational processes and whether they wish to submit comments on the proposed amendments. Consultation closes on 9 September 2024.

Background on the Consumer Data Right (CDR)

The CDR is a government reform that is designed as an 'opt-in' service to give Australian consumers greater choice and control over how and with whom their data is shared. The CDR currently applies to the banking and energy sectors, and is intended to be rolled out on a sector by sector basis, with non-bank lenders and buy-now-pay-later providers next in line.

The CDR is established under part IVD of the Competition and Consumer Act 2010 (Cth), and operates under the Competition and Consumer (Consumer Data Right) Rules 2020 (Rules). The Data Standards Body also makes 'data standards' that apply to the format and transfer of CDR data.

Among other purposes, the CDR aims to benefit consumers by providing a framework through which they can:

  • easily compare products and services;
  • control whether their data is shared, with whom it is shared, and what it can be used for; and
  • access improved services through increased competition.

Proposed amendments to the CDR

The exposure draft rules highlight proposed changes to specific provisions of the Rules relating to consumer consents and operational matters.

Consent amendments

Through an update to the consumer consent provisions of the Rules, the proposed amendments seek to improve the process for obtaining consumer consent by simplifying how consent is obtained, while upholding existing consumer protections.

One key proposed amendment contemplates allowing multiple CDR consents for a single data recipient to be bundled into a single action by the consumer. Where a data recipient 'reasonably needs' collection, use and/or disclosure consents for the provisions of a single good or service, Treasury proposes that these separate consents may now be bundled into a single consent collection. The bundling of consents in this manner will only be allowed in circumstances where the data recipient cannot provide the good or service to the consumer without obtaining all of the relevant consents. It is contemplated that this proposed change to the Rules will be linked to the existing 'data minimisation principle' in Rule 1.8, which (among other things) provides that accredited persons must not collect more data than is reasonably needed to provide the goods or services that the CDR consumer has requested. Under the exposure draft, the data minimisation principle is also proposed to be extended to apply to consents for the disclosure of CDR data – to provide additional privacy protection for consumers.

Feedback from various CDR stakeholders is that one major complexity with the Rules on consumer consents is that they require the consideration of multiple complex variables, such as what data the consent is relevant to, who will receive the data, the duration of the consent, and the use of the data. For example, the Rules currently provide that a consumer must be able to withhold consent to individual elements of a consent, even where this withholding would mean the data recipient would be unable to provide the good or service (for instance, where data usage consent is not granted). To reduce this 'cognitive load' on consumers, the proposed amendments would allow data recipients to pre-select the elements of the consent that are reasonably needed in order to provide the requested goods or services. Importantly though, it is also proposed that:

  • the consumer will need to be informed about why each pre-selected element is needed when requesting consents; and
  • pre-selecting direct-marketing and de-identification consents will remain prohibited.

Other proposed changes to consent provisions include:

  • simplifying the information required to be provided at the time of consent;
  • the consolidation of idle consent notifications;
  • simplifying CDR receipt obligations;
  • aligning information requirements about supporting parties accessing consumer's data;
  • requiring that redundant CDR data be deleted, unless a de-identification consent has been received; and
  • where consumers give consent to direct marketing, requiring data recipients to advise what marketing activities will be undertaken.

Operational enhancements

Treasury has acknowledged the concerns of various CDR participants regarding the burdensome paper-based processes adopted by some data holders for business consumers appointing nominated representatives, as well as support for changes to appoint existing online account administrators as nominated representatives under the CDR framework. In response to these concerns, and acknowledging opposing concerns by data holders in relation to data security and identity checks of nominated representatives, Treasury is proposing changes to the Rules that would require data holders to:

  • provide a simple and straightforward processes for business consumers to appoint nominated representatives; and
  • offer online processes to allow online administrators to be appointed as nominated representatives.

At this stage, it is proposed these changes would come into effect 12 months after commencement of the amendments, so that data holders have time to make changes to their systems and processes.

Other proposed changes in the exposure draft rules

The exposure draft rules also contain proposed amendments in relation to CDR representative principals and their CDR representatives' complying with the Consumer Data Standards. In line with those amendments, where data standards are specified as 'consumer experience standards', CDR principals would be required to ensure compliance with those standards by their representatives as if they were an accredited data recipient themselves. A breach of a standard by a CDR representative would be classified as a breach by the CDR representative principal – noting that, under the existing Rules, principals are already broadly responsible for their representatives' conduct anyway.

Other proposed changes contemplated by the exposure draft rules include:

  • simplifying the requirements on data holders in respect of secondary users;
  • broadening the circumstances that permit accredited authorised deposit-taking institutions to hold CDR data as a data holder; and
  • changes which are specific to the energy sector, such as exempting energy pilot/trial products from the CDR and expanding the definition of 'complex request'.

Impacts to organisational processes

If you believe the proposed amendments could impact your business or you are interested in the outcome of the draft exposure rules, we encourage you to submit a response to comment on the consultation by email. Submissions close at midnight AEST on 9 September 2024. Please consider Treasury's submission guidelines for more information on making a public contribution to this consultation.

We recommend interested parties keep an eye on the outcome of this consultation and how it will ultimately be reflected in the amendments to the Rules. We will continue to monitor developments to these proposals.


Please reach out for more information on the CDR or to discuss how these proposed amendments could impact your business. We are also available for assistance in understanding and implementing your obligations under the CDR regime. We provide full service legal and consultancy services and we have experience in CDR contracts, including CDR representative arrangements.

Contact

Tags

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiJmNWU2OWYyZC0yMDIwLTRhNjgtYmJhZi1lOGVhZWNhZGI3Y2YiLCJyb2xlIjoiQXBpVXNlciIsIm5iZiI6MTcyNjY0NTQ3NywiZXhwIjoxNzI2NjQ2Njc3LCJpYXQiOjE3MjY2NDU0NzcsImlzcyI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL2NvbnN1bWVyLWRhdGEtcmlnaHQta2V5LWl0ZW1zLWZvci1jb25zdWx0YXRpb24iLCJhdWQiOiJodHRwczovL3d3dy5taW50ZXJlbGxpc29uLmNvbS9hcnRpY2xlcy9jb25zdW1lci1kYXRhLXJpZ2h0LWtleS1pdGVtcy1mb3ItY29uc3VsdGF0aW9uIn0.x5jardxJFGq7cOJMN64PJ5qtVF0-aOwiwgoui7jtEDA
https://www.minterellison.com/articles/consumer-data-right-key-items-for-consultation