Greater Choice and Control for Consumer Data

Judith Miller, Commercial Practice Leader at Wrays, provides an overview on the impacts of the recent introduction of the Consumer Data Right regime (CDR regime), into the Competition and Consumer Act 2010 (CCA), following the Office of Australian Information Commissioner’s (OAIC) publication of the draft Privacy Safeguard Guidelines in October 2019.

The draft guidelines set out the OAIC’s understanding and interpretation of the privacy safeguards and the relevant Consumer Data Rules.



The CDR Regime is aimed at providing greater choice and control to consumers over how their data is used and disclosed by businesses that provide goods and/or services to them. The CDR Regime enables consumers to

  • require information relating to themselves to be disclosed safely, efficiently and conveniently to either themselves or accredited persons; and
  • efficiently and conveniently access information about the goods or services.

The CDR Regime will firstly apply to the banking sector, followed by the energy sector, and eventually across the economy.


Privacy Safeguard Guidelines

The draft guidelines set out 13 privacy safeguards which are aimed at protecting the privacy or confidentiality of CDR data (i.e. information within a class specified in the designation instrument for each sector including derivatives from such information) of the relevant consumers. These guidelines cover:

  • open and transparent management of CDR data;
  • anonymity and pseudonymity;
  • soliciting CDR data from CDR participants;
  • dealing with unsolicited CDR data from CDR participants;
  • notifying of the collection of CDR data;
  • use or disclosure of CDR data by accredited data recipients or designated gateways;
  • use or disclosure of CDR data for direct marketing by accredited data recipient or designated gateways;
  • overseas disclosure of CDR data by accredited data recipients;
  • adoption or disclosure of government related identifiers by accredited data recipients;
  • notifying of the disclosure of CDR data;
  • quality of CDR data;
  • security of CDR data, and destruction or de-identification of redundant CDR data; and
  • correction of CDR data.

The Privacy Safeguard Guidelines clarify the intention of each privacy safeguard and provide guidance on how to avoid acts or practices that may breach the privacy safeguards. Although the majority of the privacy safeguards borrow similar principles from the Australian Privacy Principles (APPs) under the Privacy Act 1988, the Privacy Safeguard Guidelines expressly state that the APPs do not apply to the CDR entity in relation to CDR data. Instead, the CDR Regime will apply.


What’s next?

Currently, the OAIC is seeking feedback on the draft Privacy Safeguard Guidelines from the interested stakeholders and members of the community. The closing date for feedback is Wednesday 20 November 2019.

A copy of the draft Privacy Safeguard Guidelines are available for download here.

The Privacy Safeguard Guidelines should be read together with Division 5 of Part IVD of the CCA and the Consumer Data Rules, which set out the rules required to implement the CDR Regime in the relevant sectors. Currently, a proposed set of CDR rules for the banking sector are available here, together with the Explanatory Statement.

Judith Miller specialises in commercial and intellectual property law. She has more than 25 years’ experience in advising on all aspects of the management and commercialisation of IP and is the firm’s Commercial National Practice Leader. Judith has worked with a range of clients across a variety of industries (with a particular focus on the research and development sector), predominantly for IP and content owners, frequently advising those clients on the management, exploitation and protection of their rights in old and new media. She advises clients on the full range of commercial transactions. These include joint ventures, strategic alliances, collaboration and partnering arrangements, supply chain and logistics agreements, reward schemes and acquisition and supply terms. She also advises local and international businesses on the establishment of regional and national franchise systems, and provides strategic advice to established operations. Judith has also worked on a broad range of technology and sourcing matters, including procurement, development agreements, hosting and outsourcing arrangements, software maintenance and hardware supply and support agreements. Connect with Judith via email.