This article was updated on 27 January 2026 to provide an implementation example for Scenario 1(b), and to clarify that an ADR may allow a consumer to set up either a one-off or ongoing disclosure to facilitate data sharing for a defined period of time.
Purpose
Accredited data recipients (ADRs) provide a range of services that benefit consumers by giving them greater access to and control over their personal data. This article provides information to assist ADRs considering use cases involving third-party data sharing under the CDR legislative framework. It has been developed by the ACCC with input from Treasury.
Third-party data sharing use cases
The ACCC is aware that some ADRs are considering use cases aimed at giving consumers more control over how they share their CDR data. This may include providing tools which allow a consumer to:
- export their data to familiar tools (such as spreadsheets and business intelligence tools) so they can deep dive into their own CDR data
- invite other people or businesses to access and analyse their CDR data, and
- further share their own CDR data with other people or businesses if they choose to.
Provided a consumer makes a clear and informed choice, use cases that enable a consumer to further share their own CDR data that an ADR has disclosed to them, or to consent to an ADR disclosing their data to an account they hold with a third party, are unlikely to raise compliance concerns for the ACCC.
Example disclosure scenarios that are unlikely to raise compliance concerns
Scenario 1(a), (b) and (c) – Consumer decides to directly share their data with a third party
In these scenarios, the ADR discloses the CDR data to a consumer as part of a good/service provided to the consumer (as is permitted by rules 7.5(1)(a) and (d) of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules)).[1] This disclosure is made using the ADR’s app or web-based tool.
Following the disclosure of CDR data by the ADR to the consumer:
a) The ADR’s app/tool then allows the consumer to export their CDR data to an external tool (such as Microsoft Excel or Power BI). The consumer can then use that exported data however they choose, including further sharing it if they wish.
b) The consumer is able to configure the ADR’s app/tool to allow a third party to access the consumer’s CDR data on the ADR’s app/tool (for example, the consumer clicks on a button in the app that sends a link to a third party).
c) The consumer is able to configure the ADR’s app/tool to allow the CDR data to be securely sent to a third party or third-party app.
In scenarios 1(a) and (c) the CDR data is shared in a way in which it is taken outside of the ADR’s app/tool. The data may also remain on the ADR’s app/tool.
In scenario 1(b) the CDR data remains on the ADR’s app/tool.
Scenario 2 – With consumer’s consent, ADR discloses data to a consumer’s account held with a third party
An ADR allows the consumer to nominate an account they hold with a third party as the location for the ADR to disclose CDR data under rules 7.5(1)(a) and (d). The ADR sends the consumer’s CDR data to the consumer’s account with the third party in accordance with the consumer’s instruction.
In scenario 2, the CDR data is taken outside of the ADR’s app/tool.
Relevant considerations
Rule 7.5(1) prescribes the circumstances in which an ADR is permitted to disclose a consumer’s CDR data. However, the Competition and Consumer Act 2010 and CDR Rules do not prescribe how a consumer may handle their own CDR data, nor do they specify the manner in which an ADR is to disclose CDR data to a CDR consumer for the purposes of rule 7.5(1)(d).
Scenarios 1(a), (b) and (c) – Consumer directly shares their own data with a third party
CDR use cases that facilitate data sharing as described in scenarios 1(a), (b) and (c) are unlikely to raise compliance concerns for the ACCC if it is the consumer that shares their data with the third party. An intervention by the consumer, e.g. by exporting the CDR data or configuring the ADR’s app/tool, is critical for the consumer to be the party that chose to disclose the data.
If the ADR is disclosing the data, it would be limited to the permitted uses and disclosures set out in rule 7.5(1) such as those made under a current disclosure consent.
Where a consumer shares CDR data outside of the ADR’s app/tool, it is critical that this be a result of an informed consumer choice. It is important that consumers understand the implications of this, and freely and voluntarily elect to have that data shared. ADRs should clearly explain to consumers that shared CDR data that leaves the ADR’s app/tool will be handled in accordance with any applicable privacy legislation such as the Privacy Act 1988, and that consumers should check the third party’s data handling policies such as their Privacy Policy.
In addition, under the CDR Rules there are certain requirements for seeking consent. These may apply where an ADR is seeking a consent for the purposes of providing a good or service to the consumer that involves collecting a consumer’s CDR data from a data holder to disclose it to the consumer. These requirements include that a request by an ADR for consent must not include or refer to the accredited person’s CDR policy or other documents in a way that reduces understandability, and must not be combined with other requests except for a consent under these rules.[2] ADRs should consider these requirements when considering whether to make a consumer’s election to share data, after it has been disclosed to them, part of the CDR consent flow.
Where CDR data remains on the ADR’s app/tool (even after the data has been on-shared by the consumer), the ADR will be required to comply with all relevant obligations in relation to that data, including the Privacy Safeguards.[3] This includes Privacy Safeguard 12 which concerns the security of CDR data and destruction/de-identification of redundant CDR data.[4]
Scenario 2 - ADR discloses data to a consumer’s account held with a third party
The disclosures in scenario 2 are unlikely to raise compliance concerns for the ACCC, provided the disclosure by the ADR is to the consumer’s account held by a third party, not the third party, in accordance with rule 7.5(1)(d).
In making this distinction, the consumer’s specific instruction to the ADR to disclose the CDR data directly to the account they hold with the third party will be a key consideration. It will be critical that the consumer has direct access to their account with the third party – i.e. the consumer can view CDR data disclosed to the account. In addition, if the third party needs the consumer’s permission to view the CDR data, it is more likely that this disclosure would be considered a disclosure to the consumer only (rather than a disclosure to both the consumer and a third party).
Similar to scenarios 1(a), (b) and (c), ADRs should consider the requirements for seeking consent in accordance with the CDR Rules. Where the method of disclosing CDR data to the consumer will take that data outside of the ADR’s app/tool, the ADR must ensure consumers understand the implications of this, and freely and voluntarily elect for that disclosure to be made.
Where CDR data remains on the ADR’s app/tool, the ADR will be required to comply with all relevant obligations in relation to that data, including the Privacy Safeguards.
Ongoing disclosures
For each of the above scenarios, an ADR may allow a consumer to set up either a one-off or ongoing disclosure to facilitate data sharing for a defined period of time. This is provided the ADR has the required collection and use consents to provide the requested good or service under rules 7.5(1)(a) and (d). Generally, ADRs can only seek a CDR consent for a duration up to 12 months or up to 7 years for some consents provided by a ‘CDR business consumer’ (see rule 4.12).
Regulatory approach
The ACCC is focused on ensuring that the CDR reaches its potential as a competition and consumer reform, including through the development of innovative use cases.
When considering appropriate compliance or enforcement action in response to a potential breach under the CDR legislative framework, the ACCC acts in line with the joint ACCC/OAIC CDR Compliance and Enforcement Policy. We focus on investigating potential breaches that will, or have the potential to, cause harm to the CDR regime or result in widespread or significant consumer harm.
Important notice
The information contained in this article is intended as general guidance only and does not constitute legal or other professional advice.
Whether a specific use case is permissible under the CDR legislative framework will depend on the particular circumstances of each case. ADRs considering use cases should seek independent professional advice on their legal obligations and whether their particular implementation is compliant with the CDR legislative framework, including in relation to the Privacy Safeguards.
[1] The term ‘disclose’ is not defined in the Competition and Consumer Act 2010 (Cth) (CCA) or CDR Rules. In the present context, the ACCC considers that ‘disclose’ would take on its ordinary meaning.
[2] CDR Rules, rule 4.10.
[3] CCA, section 56AK. This is because the ADR would still be an ADR of the CDR data it still holds.
[4] CCA, section 56EO and Schedule 2 to the CDR Rules. See also Chapter 12 of the OAIC’s Privacy Safeguard Guidelines.