The Customer and Product Data Bill, officially introduced to Parliament on 16 May 2024, establishes a Consumer Data Right (CDR) allowing customers to request businesses to securely provide their data to accredited third parties.

In this article we discuss what the CDR covers, key changes introduced following consultation on the 2023 Exposure Draft, and potential implications for organisations that will need to comply with CDR requirements.

What you need to know

  • The CDR will be rolled out on a sector-by-sector basis, starting with the banking and electricity sectors.
  • The Bill creates a range of offences, with a serious breach exposing a body corporate to a fine of up to $5 million.
  • Organisations that are data holders under the Bill will need to review, and potentially implement or update, their processes and mechanisms for handling customer consent and sharing data, their data storage and security measures, and their staff training on the applicable requirements.

What is the CDR?

The purpose of the Bill is to establish an economy-wide framework to enable greater access to, and sharing of, customer and product data between businesses. The Bill is intended to:

  • Give customers (both individuals and entities) in designated sectors greater control over how their data is accessed and used;
  • Promote innovation and facilitate competition; and 
  • Enable secure, standardised and efficient data services.

Businesses that hold designated customer data (data holders) must provide that data to the customer and, with the customer's authorisation, to accredited third parties. Data holders will also be required to carry out certain actions in response to electronic requests from customers and their authorised accredited third parties, such as opening accounts, making payments, or changing customer plans. In addition, product data (data about a data holder's goods and services) must be made available electronically on request.

The Bill will be applied to one sector at a time via a designation process. Banking will be the first of the designated sectors, followed by the electricity sector.

The Bill closely resembles the Exposure Draft released in June 2023, but with several notable changes made as a result of submissions on that draft. We discussed the initial Exposure Draft in an earlier article.

Key differences between the Bill and the Exposure Draft

Some of the key additions to the Exposure Draft are outlined below.

  1. Commercial information and data requests: The Bill provides that data holders are not obliged to disclose non-public or commercially sensitive information. Requests can also be declined in some cases, including during a cyber-attack or suspected identity theft, or where the requestor has insufficient funds.
  2. Declining requests: Data holders can decline requests to prevent harm, including where the data holder believes the request is being made under threat of harm.
  3. Outsourced providers: The Exposure Draft provisions setting out obligations on outsourced providers have been removed. As a result, the Bill draws no distinction for outsourced providers; any issues arising from outsourcing will be addressed between the businesses and customers within the system.
  4. Secondary users: The Bill provides for requests or authorisations to be made or given by secondary users in specific scenarios. Examples include a director acting as a secondary user for a customer that is a company, and a parent acting as a secondary user for a minor.
  5. Customer redress and dispute resolution: Any person can apply to the Court for compensation for a failure to comply with the Bill. The Bill also provides for regulations setting out processes for resolving breaches. Data holders and accredited requestors can be required to join existing dispute resolution schemes such as the Financial Dispute Resolution Service and Financial Services Complaints Limited, and customers and non-members can take their disputes to the Disputes Tribunal.
  6. Offences and penalties: The Bill establishes a regime of offences and penalties, ranging from low-level infringement notices to fines of up to $5 million for serious breaches by bodies corporate.

Implications for affected organisations

Businesses required to comply with CDR requirements will need to set up mechanisms to share data, implement updated data security and consent handling measures, and train staff on the applicable requirements. Much of the detail of the industry-specific requirements will be set out in regulations made under the Bill once it is passed, but businesses will likely need to examine the current state of their technology to determine whether they can exchange data in the CDR ecosystem in the required standardised formats. Affected businesses will also need to audit whether their current information security measures are fit for purpose for managing and storing customer data, and whether their existing processes and procedures need to change to accommodate the customer authorisation requirements.

Next steps

The Bill is currently at its first reading and is expected to be referred to a select committee.

We will continue to monitor progress of the proposed new regime and will publish updates as developments occur. 

Get in touch

In the meantime, if you would like to talk to one of our experts about the potential implications of the Bill on your business, please get in touch with one of our contacts.

Special thanks to Bridget de Lautour for her assistance in writing this article.
