NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

CDR - Consumer Data Right

type
Regulation
Jurisdiction
Full Name
CDR - Consumer Data Right (Treasury Laws Amendment (Consumer Data Right) Act 2019)
Official Name
Treasury Laws Amendment (Consumer Data Right) Act 2019

Description

Description
Source

Consumer Data Right (CDR) Overview

The Consumer Data Right (CDR) is an Australian regulatory framework that empowers consumers with greater control over their personal data. Introduced through the Treasury Laws Amendment (Consumer Data Right) Act 2019, this legislation represents a significant shift in data portability and consumer rights in the digital age.

The CDR establishes a standardized system where consumers can direct the transfer of their data between service providers, initially focusing on the banking and energy sectors. This framework promotes competition, innovation, and consumer choice while ensuring robust data privacy and security measures.

Objectives and Scope

  • Empower consumers with control over their data
  • Enable secure data portability between service providers
  • Promote competition and innovation in the Australian market
  • Create standardized data sharing frameworks

Key Requirements and Obligations

  1. Data Holders must:

    • Provide consumer data in CDR-compliant format
    • Implement secure data transfer mechanisms
    • Comply with consent management requirements
  2. Accredited Data Recipients must:

    • Meet strict accreditation standards
    • Maintain robust security measures
    • Handle data according to CDR Rules

Technical and Operational Requirements

  • Compliance with Data Standards set by the Data Standards Body
  • Implementation of standardized API frameworks
  • Adherence to Consumer Data Standards
  • Secure consent management systems

Compliance Mechanisms

The Competition and Consumer (Consumer Data Right) Rules 2020 provide the framework for CDR operation

Key components include:

  • Accreditation framework
  • Privacy safeguards
  • Consent requirements
  • Data standards compliance

Sectoral Implementation

Currently designated sectors:

  • Banking sector (Authorised Deposit-Taking Institutions)
  • Energy sector

Territorial Scope

  • Applies within Australian jurisdiction
  • Regulated by the Office of the Australian Information Commissioner
  • Overseen by the Australian Competition and Consumer Commission

Privacy and Security Implications

  1. Enhanced data protection through:

    • Strict accreditation requirements
    • Standardized security protocols
    • Consent-driven data sharing
    • Privacy-by-design principles
  2. Security measures include:

    • Encrypted data transfer
    • Authentication protocols
    • Audit trails
    • Incident response requirements

The CDR represents a significant advancement in consumer data rights and sets a precedent for similar frameworks globally. Its phased implementation approach allows for sector-specific adaptations while maintaining consistent privacy and security standards across industries.

Projects Following this Regulation

Project
Website
Source

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page