Share with your friends

As the major banks approach their next milestone in consumer data sharing on 1 November 2020, Scott Farrell’s Inquiry1 into the future directions for the Consumer Data Right (CDR) continues and the CDR rules for the energy sector are being prepared2, the Australian Competition and Consumer Commission (ACCC) is taking further steps to expand coverage of and participation in the CDR3.

These steps include:

  • making further amendments to the CDR rules to permit the processing of consumer data to be outsourced to accredited intermediaries
  • considering tiered accreditation to open up the CDR to more businesses;considering allowing consumers to consent for their data to be shared with third parties
  • investigating increased functionality to improve the consumer experience
  • considering permitting CDR data sharing by non-individuals, business partnerships and secondary users of accounts.

These developments build further on and expand the foundational CDR rules. They are good news for consumers, accredited persons and the future of the CDR as we explain further below.

Outsourced data processing permitted

Amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) will, from 2 October 2020, permit ‘accredited intermediaries’. These changes are part of the ACCC’s objective to make the CDR more accessible to businesses. They build on the current rules for outsourced service providers and will enable accredited data recipients (ADR) to direct third party organisations who have been accredited by the ACCC as accredited intermediaries, to process data that can then be used by the ADR to improve the goods or services offered or provided to consumers. The CDR register will be updated to accommodate the CDR rule amendments.

This expansion of the CDR rules presents an opportunity for ADRs to leverage the capabilities of established data processing organisations who can collect data and process it according to the ADR’s specifications in an effective and compliant manner. ADRs will no longer have to be concerned about their data processing capabilities. They can outsource this function to intermediaries who have met the ACCC’s accreditation requirements and still maintain robust information security standards. This will lower a key barrier to entry for ADRs who have been discouraged from participating in the CDR ecosystem due to the strict technology and security standards required by the CDR accreditation framework to collect and process CDR data.

ADRs will still handle CDR data and will need to comply with the technology standards and security requirements set by the regulatory bodies, including CSIRO’s Data61. However, their obligations will not be as onerous. The ADRs will not need to engage directly with a data holder through APIs and so will not have to build and invest in IT infrastructure and software that would otherwise be required to do so in order to securely collect data from data holders.

By reducing the barriers to join the CDR ecosystem, these amendments have the potential to increase innovation, enhance efforts to maximise the use of the CDR and CDR data, and lead to innovative ways of processing data. For example, ADRs can engage with data processors who offer services other than data collection. ADRs might request the outsourced data processor to cleanse, analyse and report on the data it has received from the data holder in accordance with its specifications. This will enable the ADR to receive reports tailored to its requirements and which will help provide more targeted goods or services to their customers.

In the future, these amendments will help facilitate the interoperability between the designated sectors and encourage CDR data from multiple sources to be analysed to help deliver even better insights into a consumer’s engagement, demand and appetite for goods and services.

Accreditation tiers*

In a consultation paper published on 30 September 2020, the ACCC wants to encourage greater participation in the CDR ecosystem. It is proposing changes to the accreditation process to include new restricted tiers of accreditation as well as adjusting the accreditation requirements so that they take a risk-based approach in relation to data security, depending on the level of access required to CDR data. These changes mean new pathways for participation and opportunities for commercial arrangements with ADRs where businesses cannot meet all the requirements for unrestricted access to CDR data.

Consent to third party access to consumer data*

The ACCC’s consultation paper is also consulting on rules to allow consumers to consent to ADRs disclosing their CDR data to other trusted third parties such as their professional advisors (classes such as accountants, tax advisers and lawyers) who are subject to regulatory oversight and scrutiny. The objective of this proposed change is to provide consumers with greater choice about who they can share their CDR data with as they go about making decisions. The consultation is also considering disclosure of ‘insights’ only data (i.e. not raw CDR data but derived CDR data) to any third party.

Improved consumer experience*

The ACCC’s consultation paper also looks at increased functionality to improve the consumer experience. Some of the measures being considered for consultation include:

  • protecting vulnerable consumers who hold joint accounts and want to share CDR data without the other party’s consent due to fear of physical or finance harm or abuse
  • the ability for consumers to amend their consents to the collection of CDR data by ADRs in the dashboard, the option for ADRs to invite consumers to amend consents if this would help the consumer given the type of CDR data collected, and streamlining the authorisation process with data holders
  • separating the consents for collection and use of CDR data so that consumers stay in greater control of the permissions granted to an ADR.

Submissions on these additional steps3 (marked with an *) are due by 29 October 2020 with the proposed rules expected to be issued in December 2020 at the earliest.

Treasury’s consultation on legislative amendments

The Commonwealth Treasury also sought stakeholder views on exposure draft amendments4 to Part IVD of the Competition and Consumer Act 2010 (Cth) in connection with the CDR. In particular, it is proposed that the Commonwealth Treasurer may make CDR rules in emergency situations after consulting with the Australian Information Commissioner, but need not conduct consultation beyond this. Currently, this power vests with the ACCC without the Commonwealth Treasurer’s consent. The emergency situation may arise where it is necessary to avoid a risk of serious harm to the efficiency, integrity and stability of any aspect of the Australian economy or interests of consumers. This may be triggered if a significant data breach were to occur that requires the CDR ecosystem to adapt its processes to avoid similar impacts in the future.

About us

At KPMG Law, and with the support of our KPMG colleagues, we continue to support clients as they navigate through the CDR ecosystem. We understand the journey an ADR or intermediary needs to take to receive accreditation from the ACCC to participate, and to engage in the CDR environment in a compliant manner. Our colleagues can also support with data integration, consumer engagement strategies and other aspects of operations to fully appreciate the benefits the CDR ecosystem offers to participants.


  1. Australian Government – Treasury, Inquiry into Future Directions for the Consumer Data Right
  2. ACCC, CDR in the energy sector, 8 July 2020
  3. ACCC. Consumer data right (CDR), 30 September 2020
  4. Australian Government – Treasury, Consumer Data Right – Legislative Amendments


Meet the team

Related content