Resetting Australia's Consumer Data Right
12 August 2024
At an address to an event hosted by Ashurst and the Committee for Economic Development of Australia (CEDA), on 9 August 2024, Assistant Treasurer and Minister for Financial Services, the Hon. Stephen Jones MP described the CDR as a “good idea, badly executed” in need of a reset.
The Government’s proposals focus on reducing costs, streamlining processes, and targeting practical, high value use cases. The Assistant Treasurer identified key concerns with the current CDR:
Over its lifetime, the CDR has borne heavy criticism for poor cost/benefit outcomes, most recently from the Australian Banking Association in a report commissioned from Accenture.
These concerns were examined in a separate compliance costs review report, commissioned by Treasury and based on interviews with industry participants and Government in late 2023. Key drivers of cost identified in that report include the CDR's broad scope, constant changes to data standards, inadequate consideration of implementation issues and lack of alignment with international standards.
The report suggested initiatives to reduce costs, some of which have already been actioned (discussed below).
The Assistant Treasurer has also asked Treasury to assess changes that could be made in 2025 to reduce costs and support high value use cases, which will no doubt be informed by the report.
The reset of the CDR is part of a whole-of-government approach to drive greater competition and ensure consumers realise the benefits of a digital economy while underscoring the importance of maintaining safety, security, and trust in Government and business – building on the Government’s approaches to digital identity and privacy reform.
The CDR will expand to include non-bank lending data early in 2024, with the aim of being operational by the middle of 2026 (providing a transition period). Treasury is finalising industry consultation.
At last year's CEDA address, the Assistant Treasurer announced that no further expansion would happen until after a strategic review to be conducted at the end of 2024. This paused the previously anticipated rollouts to telecommunications and insurance sectors (CDR had already rolled out to the banking sector in 2020, and the energy sector in 2022).
In October 2023, Treasury consulted on draft rules covering non-bank lending (NBL), including "buy now, pay later" (BNPL) products. You can read more about the rules in our earlier publication.
Over the next 12 months, Treasury will also advise the Assistant Treasurer on a way forward for a full and formal ban of screen scraping. The Assistant Treasurer’s announcement is clear about the intention, mentioning that “it is fundamentally unsafe”.
This follows a consultation in October 2023 on policy and regulatory implications of screen scraping, which sought views on the recommendation of the 2022 Statutory Review of the CDR to ban screen scraping where the CDR is a viable alternative.
Screen scraping (also referred to as data aggregation) is a commonly used alternative to CDR data sharing. The practice involves prompting a consumer to log into their account via a third-party service, with the service extracting the data displayed "on screen", and sharing that with another provider or service. Critics highlight that it involves unsafe data practices that increase fraud and cyber security risks.
A bill to bring action initiation to the CDR was passed unamended on Thursday 15 August 2024, with bipartisan support. You can read more about action initiation in our earlier publication.
Action initiation (also known as "write access") allows accredited third parties to take actions on the consumer's behalf – such as opening accounts, authorising payments or switching. One example is account switching in the energy sector, which the Government has highlighted as a priority.
However, the bill sets out the framework for action initiation – not the specific actions that will be introduced. Treasury will consult on which actions are introduced when, and for what sectors.
Given the significant complexity of introducing new actions, we can expect that the Government will focus on simplifying existing obligations, bringing down existing compliance costs, and targeting high value use cases within the existing framework before expanding action initiation.
The Assistant Treasurer has already set the reset into action with a letter to the Data Standards Chair, identifying as high priority use cases:
In a nod to cost of living pressures, uses that help consumers manage their budgets should also continue to be supported. The Government also supports continued use of experiments, primarily focused on these high value-use cases – drawing attention to existing work on energy switching and real estate applications, which test future directions for both action initiation and integration with Digital ID.
The current CDR framework is "read only" – allowing the sharing of data, but not the taking of actions. Taking actions like switching accounts will require new "write-access" action initiation functionality. While legislation to support action initiation has now been passed, delivering these use cases will take more work – including consulting on which actions should apply for what sectors, designing supporting rules, developing standards, and driving technical implementation, operationalisation, and adoption.
The Data Standards Body is already conducting experiments, establishing a GitHub repository of experimental standards to test concepts and facilitate consultation – which include action initiation and Digital ID use cases.
The Assistant Treasurer's letter to the Data Standards Chair sets out the Government's expectation that future changes to data standards focus on:
Other standards changes will be considered by the CDR Steering Committee to ensure they align with the overall Government direction and other CDR agencies. This may mean "nice to have" or non-strategic changes are minimised.
Consistent with suggestions from the compliance costs review report, the Government expects standards changes to be prioritised, consulted on and scheduled in a more transparent and orderly manner, and to take into account costs and benefits. This approach is supported by a new Standards Assessment Framework finalised by the Data Standards Chair on 8 August.
Private sector Digital ID solutions are already available in the market and in use by banks in particular, allowing users safer and simpler access to digital services.
Integrating private sector Digital ID solutions with the CDR should reduce some of the current user friction. Australia's new Digital ID laws are expected to commence in December 2024. The Government has indicated that there should be common elements and consistency between Digital ID and CDR, suggesting that standards should be aligned and interoperable.
The compliance costs review report suggested initiatives that could reduce costs – acknowledging that some of these initiatives may slow the growth, or pace of change, in the CDR.
Some of the initiatives include:
These new initiatives will start to be implemented across the CDR regulatory ecosystem, although the Government has not expressly committed to follow all of them.
The compliance costs review report noted feedback from industry participants that CDR decision-making frameworks could be changed to better align policy with technical industry implementation.
Two models explored (without limiting the potential options) were a streamlined regulator-led model with an emphasis on regulatory impact assessment and a smaller number of targeted change proposals per year, and an industry-led model with a regulatory “backstop” and decision making on key issues.
As part of his address, the Assistant Treasurer announced a Treasury consultation on new draft consent and operational enhancement amendments – submissions can be made until 9 September 2024. This follows an earlier August 2023 design paper consultation, which captured an earlier iteration of a number of these changes.
In general, proposed changes reduce compliance burdens and simplify consent processes – such as:
The draft rules changes will also tighten the responsibility (and liability) of principals for non-compliance by their CDR representatives with consumer experience data standards and required terms of representative arrangements. In May, the Australian Competition and Consumer Commission emphasised that oversight of third parties, and representative compliance in particular, was a compliance and enforcement priority area.
Treasury will not proceed with a principles-based prohibition on “dark patterns” proposed in its August 2023 design paper consultation. Instead, the Data Standards Board is considering progression of standards and guidelines, which will no doubt be informed by and consistent with Privacy Act reforms to minimise duplication (as recommended in June 2024’s Privacy Impact Assessment).
“Dark patterns” are user interfaces designed or intended to confuse users, making it difficult for consumers to express their preferences, or manipulating consumers into taking certain actions, such as nagging, obstruction, interface interference, sneaking, forced action and scarcity cues that undermine user autonomy in decision making.
The Assistant Treasurer did not comment on the enforcement of CDR and its effectiveness to date. This suggests that the Government is unlikely to propose any substantive changes to the current enforcement framework for non-compliance with the CDR rules and that the Australian Competition and Consumer Commission (ACCC) will remain the regulator overseeing the CDR regime.
These changes have been proposed in the midst of a very ambitious and busy digital, technology and cyber agenda for the Government, not long before the end of its term.
The Assistant Treasurer described the CDR as part of a “whole-of-government effort to ensure that consumers get the benefits that come from the digital economy – while ensuring that the rails of modern commerce are safe and secure.”
This ambitious agenda includes a range of coming reforms.
Other authors: Kendrick Deng, Senior Associate; Anne Mo, Lawyer and Thomas Suters, Graduate.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Sign-up to select your areas of interest
Sign-up