More businesses will be given access to the data-sharing provisions of the Consumer Data Right (CDR) from 1 November 2021, after the Australian Competition and Consumer Commission (ACCC) tweaked CDR rules to improve consumers’ control over the management and reuse of their personal data.

The “significant” changes, outlined in the Federal Register of Legislation and introduced as Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, were designed to “encourage participation in the CDR by expanding its benefits to more businesses”, ACCC Commissioner Sarah Court said in introducing the reforms.

Introduced last February, the CDR Rules define the technical standards and policies for exchanging information under CDR – an enabler for the open banking regime in which bank customers, or their nominated accredited data recipients (ADRs), can access personal data to switch service providers more easily.

Reflecting over 50 submissions from banks, credit-card providers, fintechs, industry bodies including ASIC and APRA, and consumer and privacy advocates, the changes “expand and build the functionality of the CDR regime”, the legislation’s explanatory statement says, including allowing companies and partnerships to utilise CDR capabilities.

“The new rules lay the foundation for the continued expansion of the CDR in 2021,” Court said, flagging a “successful start” to the CDR regime that took effect last July.

Yet CDR hasn’t been successful for everyone: fintech Moneytree Financial Technology, for one, last month closed down its Australian operations as chief technology officer Ross Sharrott argued that CDR’s “significant financial and human resource investments” had posed “an enormous, if not an impossible, barrier to entry” for many fintechs.

“Combined with the financial blow of COVID-19,” he said, “the much-delayed availability of a workable open banking framework has made the Australian market commercially non-viable for us at present.”

Easier sharing of CDR data

The new CDR policies add flexibility by, among other things, providing multiple consents allowing consumers to control the collection, use, disclosure, direct marketing and use of their data for research.

Consent can be granted or withdrawn independently, and can be amended through an online account management interface that ADRs will have to provide by 1 November – giving consumers a higher degree of control over their personal information and what can be done with it under the CDR.

The new rules “mean consent to collect and consent to use do not have to align and the two consents may relate to different data types or time periods”, the statement explains – while noting that redundant data can be kept by an ADR until the explicit consent expires.

ADRs can also exchange data with other ADRs that have a consumer’s consent, through a process that will be governed by as-yet ‘consumer experience data standards’ to be created by 1 July.

These and other changes, Court said, improve consumer experience and “provide greater flexibility…. While also ensuring that strong consumer protections continue to apply.”

The ACCC has not yet finalised mooted changes relating to accreditation tiers, the sharing of data with trusted advisors, and the “disclosure of ‘insights’ derived from CDR data to any non-accredited person” – all of which, the ACCC said, will be given “further consideration”.

This last point remains a significant concern given the increasingly intrusive data-collection practices of social-media giants like Facebook and Google, which some fear will abuse the CDR’s third-party permissions hierarchy as a lever to collect even more information about their users.

Under current rules, the Office of the Australian Commissioner (OAIC) warned last month in a submission to the Select Committee on Financial Technology and Regulatory Technology, large technology companies could participate in the CDR by gaining users’ consent through indirect mechanisms.