A new right for a new era

In May 2018, the Federal Government announced that it will introduce amendments to the Competition and Consumer Act 2010 to create a consumer data right (CDR) for application in banking, energy and telecommunications industry sectors, emphasising the consumer choice and competitive benefits.

The ACCC Chair, Mr Rod Sims, has recently referred to the soon to be implemented national CDR as essentially being a ‘data portability right’ which is fundamental to competition and consumer law reform.1

A CDR refers to a right which is conferred on customers to direct an entity (a service provider) which holds their data to share it with another entity which has been designated as a trusted recipient of that information (another service provider).

The creation of such a right has been proposed by various public bodies tasked with conducting a variety of inquiries and reviews in recent years.

The data availability and use investigation

In 2016 the Productivity Commission undertook an investigation into the costs and benefits of increasing access to and improving the use of, private and public sector data.

The Productivity Commission conducted this investigation in light of the 2014 Murray Inquiry and 2015 Harper Review final reports which, among other matters, concluded that technological advancements should be pursued to make it easier for consumers to make informed decisions about complex products and services, including financial products.

On 8 May 2017 the Productivity Commission’s Data Availability and Use Report was publically released, recommending, in addition to other matters, the creation of a CDR which would be a comprehensive right of consumers to access their data from both government and private data holders.2

The review into open banking

In Europe, including the UK, banking regulatory regimes3 have recently been instituted to facilitate third parties developing new applications to share customers banking data, as part of an industry wide move towards what is commonly called ‘open banking’.

Open banking has the potential to create services which enable bank customers to compare financial products more easily than is currently the case and encourage the growth in platform providers for services such as payments, investment, and lending. For lenders, it provides a more efficient means for assessing bad debt risk and tailoring product offerings.

In July 2017, the Commonwealth Government commissioned a Review into Open Banking to make recommendations about the best model for implementing open banking in Australia by facilitating the sharing of bank held data. The final report was released on 9 February 2018 (Report).

The Report contains a recommendation that an open banking regime should include a CDR which empowers customers to direct data holders to share with relevant parties their customer-provided,  transaction and product data (banking data), through a phased implementation process.4 In May, the Federal Government indicated its intention to implement the Report’s recommendations.5

Privacy and data security measures

The Report recognised that open banking gives rise to privacy protection and data security concerns and has made a number of recommendations6 to address them, including:

  • the ACCC accrediting recipients and holders of banking data, following a tiered model to reflect the risk associated with receiving and holding particular sets of banking data;
  • the ACCC, in consultation with the Office of the Australian Information Commissioner (OAIC), and other relevant regulators, being responsible for determining rules for open banking and the CDR
  • the establishment of a Data Standards Body to work with open banking regulators to determine a set of transfer, data and security standards with which recipients and holders of banking data are required to comply
  • amending the Privacy Act (including the Australian Privacy Principles), so that all recipients of banking data are subject to it, and so that express consent must be obtained from customers prior to the collection of their banking data and disclosure of their banking data overseas and
  • the ACCC should be primarily responsible for competition and consumer issues and standards-setting, and the OAIC should have responsibility for handling privacy complaints about the open banking regime.


The amendments to the Competition and Consumer Act 2010 are expected to be phased in starting from 1 July 2019 with priority given to the creation of a CDR in the banking sector to facilitate the sharing of customers’ credit and debit card, deposit, and transaction account, data.

1Productivity Commission Inquiry Report, Data Availability and Use, Report No 82 (2017), Recommendation 8.1.
2Consumer Policy Research Centre’s Consumer Data Conference, in Melbourne, on 16 July 2018.
3Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market [2015] OJ L 337
4Australian Government, The Treasury, Open Banking customers’ choice convenience confidence, Scott Farrell, December 2017, Recommendation 6.3
5The Hon Scott Morrison MP, Treasurer of the Commonwealth of Australia, Government Response to Review into Open Banking, (9 May 2018), www.treasury.gov.au, https://treasury.gov.au/consumer-data-right/
6ibid Recommendations 2.2, 2.5 – 2.8, 4.1, 4.2 and 4.8


Ben Hamilton

Ben Hamilton

Partner & Technology and Digital Economy Co-Lead

Ben specialises in technology law, intellectual property and commercial contracts, trade marks and commercialisation.

Related practices

You might be also interested in...

Privacy | 23 Oct 2018

Data breaches and the GDPR – the new frontier of privacy regulation in Australia

In Australia, as well as internationally, this year has brought significant developments in the area of privacy regulation that may affect your business.

Privacy | 17 Jan 2018

The new year brings new privacy requirements: Are you ready for the notifiable data breach regime?

Entities required to comply with the Privacy Act 1988 (Privacy Act) need to ready themselves for the new notifiable data breach regime which kicks off on 22 February 2018.