
Privacy laws in Australia have governed the collection and use of personal information in the private sector for over 20 years. In that time, the concepts of privacy have become well understood, thanks in no small part to recent high-profile data breaches and legislative reforms.

In parallel with the increasing focus on protecting personal information, however, there has been a recognition that the ability to share data between businesses can improve competition, by allowing consumers to compare products and switch between providers more easily.

That ability to share data became known as the Consumer Data Right (CDR). The Federal Government announced its intention to introduce a CDR regime in 2017, and the legislation was introduced in 2019. Initially, the CDR was introduced into the banking sector, where it is commonly referred to as Open Banking. After banking, the energy sector was included in the CDR in 2021.

The reforms were hailed as world leading, recognising the need for striking a careful balance between the risks and the benefits.

In 2023, the Federal Government paused the roll out of the CDR to the telecommunications and insurance sectors to allow the system to 'mature'. It also engaged in a consultation process, which ended on 9 September 2024, proposing changes to simplify the consent process in order to reduce the barriers to participation in the CDR.

Overlap with Privacy and CDR Safeguards

To manage the risks associated with transferring large amounts of consumer data (much of which will also be personal information) the Federal Government, in conjunction with the OAIC, developed the Privacy Safeguards.

These safeguards are generally consistent with the APPs, although they are more restrictive and detailed than their equivalent APPs and have a broader application: they catch all CDR data and bind data recipients in respect of the CDR data they receive. These stronger protections are needed to manage the risks associated with the more convenient and higher-frequency transfers under the CDR, ensuring consumer confidence.

OAIC’s recent decision

A recent decision handed down by the Privacy Commissioner marks the first CDR determination, and gives colour to the level of care to be taken when handling CDR data and, by extension, personal information.

The Commissioner found that Regional Australia Bank Limited (RAB) had breached Privacy Safeguard 11, which requires data holders to take reasonable steps to ensure CDR data is accurate, up to date and complete in relation to the purpose for which it is held.

In this case, RAB subcontracted with Biza to assist in meeting some of its secure storage obligations - an approach common for outsourcing data handling of this kind.

RAB's contract with Biza was aimed at ensuring compliance with its CDR data holder obligations. However, Biza had a software issue that resulted in data mingling, leading to incorrect data being supplied to third parties.

The Privacy Commissioner found that:

  • Biza ought to have taken steps to ensure that the software issue impacting the accuracy of CDR data was not introduced in the CDR environments of its other clients.
  • Biza could have reasonably done so by ensuring that the patched software was implemented in all upgrades, including those in pre-production, thereby mitigating the risk of co-mingling further CDR data.
  • Checks ought to have been undertaken prior and subsequent to future software upgrades.
  • Such steps were reasonable in circumstances where:
    • Biza had a relatively small client base, noting that the respondent was Biza’s oldest client[34]
    • they were not impracticable or cost prohibitive
    • the consequences of not taking such steps had the potential to cause significant harm for affected CDR consumers.

Furthermore, the Commissioner found that, despite standard contractual language stating that Biza was not an agent of RAB, Biza was considered an agent for the purposes of the legislation. Consequently, RAB was held responsible for the failings of Biza, even though it had no knowledge of them.

While the question of agency is perhaps unique to the CDR regime and may not apply similarly to an APP entity that does not hold CDR data, this finding is important for understanding and analysing the failings of Biza, and the standards to which data holders under a contract will be held.

Productivity Commissioner weighs in

In an example of the complexities involved in collecting, using and storing data, the Productivity Commissioner (PC) released an interim report on 5 August, following an enquiry into harnessing data and digital technology.

This interim report included several draft recommendations that are particularly relevant to the CDR. One key recommendation is to support safe data access through new pathways that offer greater flexibility and lower implementation costs.

The PC has proposed draft recommendation 2.1, which aims to establish lower-cost and more flexible regulatory powers that would expand basic data access for individuals and businesses. Some considerations it provided included:

  • industry-led data access codes that allow consumers to export non-sensitive data on a regular basis through snapshots.
  • standardised data transfers, assisted by government to formalise minimum technical standards that support use cases requiring high-frequency data transfers and interoperability.[1]

The PC is currently consulting on these new pathways to increase uptake of basic data access by consumers, while allowing for flexible and lower-cost implementations by businesses.

Conclusion

The obligations on data holders have become increasingly complex, and the standard of care they must uphold is high. It is essential to give careful consideration to the precise contractual obligations and to how they are actually performed, beyond just the contractual language.


[1] Productivity Commissioner, 2025, Interim Report: Harnessing data and digital technology, p. 39.