Jemima Moore

May 24, 2022

Consumer Rights under CDR 

As a consumer of Open Banking, it’s important you know your rights.


Customer Data Right legislation is a law provided by the Australian Government with the intention of giving consumers more control over their data. Starting in banking, CDR will be rolled out to various industries, including the energy and telecommunications sectors. Within the banking industry, CDR gives fintechs and banks the opportunity to securely analyse and transfer a consumer’s data, providing the consumer with a tailored banking experience. 



To be able to access a consumer’s data on open banking, a provider must be accredited. CDR places strict criteria around the accreditation of a provider and sets out how a provider must go about applying. All accreditation processes are managed by the Australian Competition & Consumer Commission. 


As CDR is an opt-in service driven by consumer consent, providers must make their consumer requirements clear. A provider must outline their who, what, when and how on their website: who will have access to a consumer’s data, what information the provider is sharing and how that information will be used, how long the provider will have access to a consumer’s data, and how a consumer can withdraw their consent.


Thirteen privacy safeguards are outlined in the Competition and Consumer Act 2010. They set out a consumer’s privacy rights and the strict obligations accredited providers must follow. Among these safeguards are: open and transparent management of data; dealing with unsolicited data from participants, meaning any data a provider receives outside of consent will be destroyed; and notification of collection, meaning a provider must notify a consumer when they are collecting data. For all thirteen safeguards and a more in-depth look into the privacy rights, check out the CDR website.


CDR is built with the purpose of keeping data secure, and consumers and small businesses have a right to complain if they feel this has been breached. When a business has mishandled their data, they can lodge a complaint and give the business 30 days to form a response. If the business fails to respond, or the complainant is unsatisfied with the response, the next step is to lodge a complaint with the Office of the Australian Information Commissioner or the relevant external dispute resolution scheme. For more information on CDR complaints, see the OAIC website.

Reporting misconduct 

CDR also provides a reporting form if anyone has information regarding business practices and behaviours that are of concern. You can find the form here. The ACCC and OAIC jointly enforce all regulations, and manage all reports and complaints. For more information on how the ACCC and OAIC act on these breached rules, see the Compliance and Enforcement policy.

For more information regarding your rights as a consumer under the CDR, check out the Your Rights page on their website.

