Consumer data right - what are your thoughts?

It reads like the consumer has been given something. It feels like something is not quite right …


Why can’t they write in plain clear language?

Is it saying we have the right to share our own data?


Sounds like it’s an automatic right granted to businesses I don’t use to have access to my data in another business I do use so the first business can ring me up twice a day with a better deal.

And the ACCC will make it possible for them to do so!
And it can happen without me giving up my valuable time to say so.

It can’t be that simple. Wow! I must have read it wrong.

It might also be my fault this is happening, for refusing to give that person who rings me every other day from Alinta Energy details of my usage etc with AGL. So Alinta can do a deal! Sorry all.


It says if the consumer chooses they can share their data. That sounds ok but is it really? I have a suspicion that what will occur is that you will be sneakily made to sign this right of choice away so anyone will be able to share your data (just think of whom a comparison site would share it with and it could include every transaction you ever made), or in light of seeking, say a new loan product, you will be required to allow complete access to what you have now with whom, you already need to disclose this with the finance provider but they will be able to trawl through every transaction (not currently needed or required).

Does the ACCC promise of being strict on this give me any confidence? No it doesn’t and in fact it is the complete opposite, it fills me with dread given their past hit and miss approach on a number of cases. And by its own statement “The ACCC will enforce serious or systemic breaches of the consumer data right in line with its Compliance and Enforcement policy” ie only the serious or systemic breaches. By whose definition? If it is theirs I think we are stuffed and mounted on the wall already.

The Banks and others have been rorting us for years, in some cases they have been dishonest, unethical, terrorist supporting, money laundering, and still they continue with none to very little punishment to fit the crime and the ACCC say trust us…I can’t keep the derision out of my thoughts. Trust their ability? No way!!!


Here are the details of what the CDR is:

See the link to the booklet on this website (top left of the page).

It indicates that:

"The Consumer Data Right will give consumers the right to safely access certain data about them held
by businesses. They will also be able to direct that this information be transferred to accredited,
trusted third parties of their choice.

The right will allow the consumer to access data about themselves in a readily usable form and a
convenient and timely manner. It will also allow consumers better access to information on the
products available to them.

Both individual and business customers will be entitled to the Consumer Data Right.
The right will only apply in relation to specified data sets and specified classes of data holders."

Reading this and some other information, it appears a consumer can ask for their data to be shared with other service providers when shopping around. For example, if one is looking around for a better energy deal, a consumer can request that their existing service provider share this data with other (competitor) service providers so that they can analyse one’s use and provide a quote tailored for similar services/consumption patterns.

The same would also be applied to financial services, where information on incomings/outgoings could be shared so such information could be considered when assessing the risk of a particular customer and therefore the quotation for a service provided.

In an ideal world, such should increase competition between service providers and also ensure that quotes for service are tailor made directly to individual customers…rather than risk/usage being more or less normalised across the whole customer base.

The main downside I can see is if one finds it difficult to manage a budget (where outgoings are often higher than incomings), one may be considered a higher risk and therefore pay more for any requested services. BUT, this may in the end provide a better outcome for such customers as the financial institution may be better placed to identify affordable services and therefore tailor these services to their customers.


I think you are describing what is termed the subprime market. It is big in the US and flourishes because of the credit reporting system there (that we are blindly following, eyes wide open).

The usual outcome in the US experience has reliably been …

if they can get those or any ‘services’ at all.

The capitalist is loath to put his money at risk without suitable reward, so he either does not, or charges a premium to those least able to pay. Give him information he can use to put a dollar in his pocket and that is what he will do far more often than ‘help you manage’.


CHOICE made a submission to treasury on the Consumer Data Right (PDF). We’d love to hear thoughts from any interested parties in our @Defender-Black on the submission itself and also how we can best engage the public on the matter.


Having glanced through the submission, I turned to the consultation materials.

  1. How can this possibly be enforced, when the major data holders are overseas?
  2. Should Australia seek instead to adopt the European GDPR requirements?
  3. I see that the Rules may prescribe ‘data holders’. This means that it can be changed almost at will (the rules being set by the Treasurer). The default should be that any business that holds and collects data of, on or about Australians is in, with the Rules used to exempt in certain circumstances.
  4. The Rules also set out what ‘security standards’ are reasonable. That really needs to be more open for debate, and minima should be set out in the bill.
  5. Any bill/law that requires a ‘ready reckoner’ is too darn complicated!
  6. The ACCC needs both funding and decent clout to enforce this new legislation. (i.e. the ability to apply reasonable/meaningful penalties, as enshrined in the GDPR.)
  7. Most Commonwealth legislation nowadays contains a requirement for review in three years (as recommended by Choice in relation to review of data sets).
  8. I would think the data sets should be reviewed annually, given the pace in this space.
  9. The Minister (Treasurer) has the power to appoint the Data Standards Chair and body, with no apparent reference to professional skills or abilities. This is just too easy to abuse - as we have seen with other bodies including the ABC and NBN Co.
  10. Is there any protection here against targeted advertising?

I’m sure others will have more to say; feel free to correct any misconceptions revealed in this comment.


  1. There needs to be some protection from the automated/contractual “you have to accept this to use our services” clause that is everywhere one goes online.

Looks pretty good and scary Treasury missed so much.
I’d like to add a few points though:

  • As companies use consumer data for commerce, the CDR regime should be opt in.

  • Information on data collection should be separate from normal terms and conditions and should clearly state the use and that the consumer can have their data removed if requested.

  • Any company that holds CDR data must destroy or anonymise CDR data if they sell, merge, are bought out or liquidated. The consumer MUST be able to choose who has their data.

  • CDR data must not be shared with any body outside of Australia unless the consumer is aware of their data being used in such a way and has approved this. ie. a company whose parent is in the US should not automatically have CDR access.

  • CDR data should have a lifespan. People change over time but stored data doesn’t.


Hi everyone, great questions and comments here!

I am in charge of writing CHOICE’s submissions on the Consumer Data Right, and I can certainly understand how a lot of this can be truly confusing. Brendan has shared one of my submissions above.

This is a response to just one of the many consultation phases that are crucial to shaping the CDR. There are still a lot of questions left unanswered.

What I’d suggest is taking a look at our article on Open Banking - this should give you a better sense of what’s going on in this space!


I really do like the GDPR and its scope. In all situations there remains a need to balance what data is retained by some organisations and a human right to live unfettered by data that is collected and follows us in all we do.

I would go further in that if a company/business holds data on a person that person, once all dealings are final and finished and past any date of possible litigation, should be able to request deletion of any data not absolutely needed to ensure compliance with laws such as taxation. If the “business” holds data on a person and has no actual relationship with the person then they must either obtain the consent of the person to continue using/holding that data and failing that they must expunge it from their records. If the data is used for any purpose to gain marketing etc knowledge then see my point further down about mining data.

While the data is stored, pending that time elapsing, it should be kept encrypted to a good standard (updated to any new standard as needed) with as limited access as is needed to ensure the safe storage. Some places store data in a text readable format; this is not acceptable in this day and age. If stored in a written format it must be kept secured in secure storage.

For any data mined for profit/development, the business/Department/organisation/group mining it or using it must share that profit/ownership with those whose data was mined. This could be a simple payment or recognition in the outcome. If mined without consent penalties should apply to those who mined it.

Penalties for misuse and loss of control must be very severe with as little room for wriggle as possible. An apology or public naming/shaming is not enough by a long stretch. No system is perfect in protecting data and where proven and reasonable steps have been taken to minimise the possibility, this is where the little room should be given.


A suggestion:
There should be an explicit right of redress in the legislation placing the onus and all costs of remedy or personal loss due to error, misuse or theft of items covered by the CDR on the holder. It is not likely to be adequate to rely on a third party authority or civil law to respond.

An Alternate Vision ?
The principle here seems to be that parties other than the individual have a right to collect and maintain data pertaining to any individual. Or more correctly, individuals have no right to prevent this.

Trying to define in a changing environment how the data is to be kept, used, not used, accessed etc may prove difficult. Users and business keep creatively developing new ways of interacting with our data.

Would it be too much to ask for one more principle or control?

I’d like to have direct control and explicit knowledge of all the data sets that are created around my personal identity and needs. In many ways it is personal IP or at least what is contained in the data has an element of me in it that I have caused the creation of.

I’d like all my data to be encrypted using a shared token which changes on each and every access. I or a system I have control of provides one half. The data holder provides the other token half. Each time the data is accessed there is a requirement that there is an authorised holder, creating a record of the access, by whom and for what purpose. Perhaps a block chain event.

There may be other solutions. Knowing who has accessed your personal data, added to it, changed it and through a log file should be something I can review at will. Being able to lock that information securely is another fundamental protection against misuse or loss.

In return for me sharing my personal data the holder should at the very least allow me to be able to know by whom and when it is accessed and for me to withhold access if inappropriate.

Such an approach would not necessarily preclude deidentified and anonymised data sets being created for other purposes. And nothing would preclude my half token being provided to certain providers automatically based on what rules I might choose to set.

And if I leave a service, the issue of data deletion would be less of an issue. Turning off issue of a token to that entity would seal the data set.

Businesses may find or create ways to work outside the logged system. In doing so the activities would be a direct breach. And any data acquired should be excluded from any subsequent use or purpose.


Absolutely! I understand that in the US, if a company is being liquidated then the data it holds is put up for sale as part of the assets. This is totally inappropriate.

I would suggest extending this, by stating that personal data is the property of the individual. Over the last 20 years we have become the product, and that is contrary to any notions of shared humanity or human rights.


My reply below covers a lot of it.

Other points:

There should be standard data sets for basic personal information which is provided to consumers in a standard format they can become familiar with.

There should be a requirement on businesses to obtain a defined minimum amount of information to confirm someone’s identity. Name and birth date is not enough because it is possible to have coincidences with identical names and birth dates. Unique identifiers won’t work, because there isn’t one. Not everyone has a tax file number, or a driver’s licence, or a passport, or phone number, etc. Therefore businesses must take care to ensure they have their data against the correct person.

When requesting disclosure to third parties, the information presented to consumers must be easy to read and digest. Preferably standard information is given to consumers in a standard format they can become familiar with. Tick boxes with dot point would work well. There should be a maximum amount of data so there aren’t reams of fine print to read which could hide all sorts of nasties. (An example of this volume of information is the conditions of use for software.)

Finally, any review body should be external not internal as I outlined in my response to the human-rights-and-technology-submission-to-the-hrc.


A further thought on risks of loss and redress for when your data is misused, breached or lost:

The CDR gives us some access and some knowledge or permissions in respect of our personal data.

There is no personal legal requirement for remedy, redress or compensation from the consequences of loss for any individuals affected.

Any system holding sensitive personal information (government or privately managed) creates a world of misery and pain for individuals when there are breaches or losses. The demands (time, cost, pain and suffering) on the individuals affected in putting everything back as best as is possible can be significant.

I’ve noted in the privacy statement of a recent document relating to personal information the holder is excluding any liability arising from loss or breach while simultaneously committing to meet all legislated Australian data and Information privacy requirements.

Given the content of the information and how it might be misused by legitimate organisations or any unauthorised use:

  1. Should legislation be changed such that a holder of data cannot contract out of liability?

  2. Should the liability of the data holder include meeting all costs and a payment for time of individuals affected through any loss or breach?

  3. Should this be an insurance risk that must be provided for by all data holders? I.e. it would be unlawful to request or hold any personal data without this level of extended insurance being provided.

  4. Is it ever likely that individuals could obtain equivalent insurance cover? I suspect not as we as users have limited knowledge of the online or data management practices of those we share data with.

Consumer Data Right
The Consumer Data Right (CDR) provides individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses. The CDR authorises secure access to this data by trusted and accredited third parties. The CDR requires businesses to provide public access to information on specified products they have on offer. CDR is designed to give customers more control over their information leading, for example, to more choice in where they take their business, or more convenience in managing their money and services.

What could possibly go wrong?

This is Newspeak for “open banking legislation”. The spin doctors think if the prism is “consumer rights”, well, that’s ok then.

The explanatory memorandum (all over 85 pages of it) says this is for banking, energy and telecommunications, but will be rolled out across the economy eventually.

Good or bad? And does the consumer REALLY have choice about this or is it a Trojan horse to bait and switch just like opt-in became opt-out for My Health Record?


… I see what you did there 🙂 I suspect you are right …


There is also an existing Choice topic on the consumer data right.


I’ve merged the two topics and edited the title. We welcome further discussion on this issue 👍


In part …

The ACCC today published the draft rules for the Consumer Data Right (CDR) and is seeking feedback from consumers, businesses and community organisations.

The CDR will allow consumers to easily obtain access to their banking data and have it transferred to service providers who they trust.

This might, for example, be comparator or switching services, or providers of financial or budgeting advice. While commencing in the banking sector, it will eventually apply across a range of sectors.

Link to the rules document >>>HERE<<<