Privacy & Data Protection

Australia: Consumer Data Right Privacy Act Reform

Latest developments

The Consumer Data Right (CDR) allows consumers greater control over whether they share their data, with whom, and for how long. The focus of the CDR is data portability. It was brought in to provide consumers with a right to directly access specified data held by certain businesses about themselves, and to empower them to direct certain providers of products or services to safely share such data with accredited third parties. Businesses that share data upon request by a customer are known as ‘designated data holders’.

The CDR now applies to the Australian Energy Market Operator, AGL Energy Group, Origin Energy Group and Energy Australia Group.

In January 2022, the federal government formally expanded the CDR regime to the telecommunications and open finance sectors. The Treasury, with the support of the new Albanese Government, proposed further expansions to CDR provisions contained in consumer laws as set out in the exposure draft of the Treasury Laws Amendment (Consumer Data Right) Bill 2022 (CDR Bill).


Businesses subject to the CDR must also comply with the 13 privacy safeguards, which are designed to protect the personal information of consumers.

The CDR Bill proposes to introduce two new CDR accreditations:

  • Accredited Action Initiator (AAI) – an accredited entity that is able to instruct Action Service Providers on a consumer's behalf; and
  • Action Service Provider (ASP) – an entity that carries out instructions received from an AAI.

These new accreditations will expand the ability of third parties to initiate CDR actions on behalf of a consumer beyond their current consent-based data sharing processes.

The CDR Bill passed through the House of Representatives and was referred to the Senate Economics Legislative Committee in March 2023.

The new CDR Bill would enable the Government to progress plans to implement an economy-wide rollout of the CDR.

How could it be relevant for you?

Businesses in the banking, energy, telecommunications, and open finance sectors should be aware of the CDR obligations set to be imposed on them at a later date. Ahead of the CDR’s rollout to their sectors, they will need to assess whether any changes should be made to their data arrangements and business systems in order to be able to comply with such obligations in future.

Next steps

In March 2022, the Treasury released design papers on the application of the CDR in the telecommunications and open finance sectors, but has since announced that CDR expansion into telecommunications, superannuation and insurance is on pause to allow time for the CDR regime to mature. The Treasury plans to conduct a strategic assessment in late 2024 to inform future expansions and the implementation of action initiation for the CDR regime.

*Information is accurate up to 27 November 2023
