Consumer trust is crucial for the operation of the CDR framework. Photo: TUCHONG

---

The Consumer Data Right (abbreviated as “CDR”) is a legal framework in Australia that enables consumers to instruct their service provider (such as a bank) to safely and conveniently share their data with another provider so that the latter can offer them better service. The CDR recognises the high value of consumer data in the modern economy and seeks to unlock that value by giving consumers greater control of their data. In doing so, it disrupts the traditional “silos” of customer data held by incumbent institutions and thereby promotes competition. 

The CDR is a statutory, mandated framework in Australia which became operational in 2020. Its legal structure is complex and includes statutory provisions, CDR rules, CDR standards and sectoral designations (legal instruments that extend the application of the CDR regime to different sectors of the economy). 

Importantly, from the very beginning, the Consumer Data Right was intended to be cross-sectoral. Despite the fact that the CDR first launched in the banking sector, it was designed as a legal regime to facilitate data sharing across Australia’s economy. Indeed, since its launch, the CDR has been extended to the energy sector and non-bank lenders. Implementation in other sectors (such as telecommunications, insurance or superannuation (pensions) is currently on hold – as the CDR ecosystem needs time to mature and achieve all of its stated objectives in the key sectors. The decision to launch a cross-sectoral data sharing framework in Australia was groundbreaking at the time – and today the CDR remains the most advanced mandated legal framework for the sharing of customer data.

The CDR is a complex framework with many moving parts which is difficult to explain in a few words. Generally speaking, it focuses on the interaction between consumers and two other entities: (i) data holders and (ii) accredited data recipients. Data holders are the businesses that hold large amounts of customer data, such as banks. Accredited data recipients are entities that undergo an accreditation process that gives them the right to receive CDR data. 

Conceptually, the CDR can be viewed as a sanitation system consisting of many “pipes” (prescribed data transmission channels) through which the “water” (valuable consumer data) is pumped throughout the economy. These data transmission channels must be secure, and the data can travel through the CDR ecosystem only with the consumer’s consent (which acts as a “valve”).

The CDR pursues several objectives. The key objective is to promote competition in the economy by enabling more market participants (such as smaller Fin-techs) to benefit from access to the valuable consumer data that is held by incumbent institutions. It is hoped this will reduce information asymmetry and remove barriers for new market entrants. In addition, the CDR framework seeks to protect consumers, since the data that will be shared within this innovative ecosystem must remain safe at all times.

Lastly, the CDR also facilitates the sharing of certain data regarding products and services that does not relate to any particular consumer – but in my view, this is not where the key contribution of the new framework lies. The main contribution is the major overhaul in the sharing of consumer data. 

Consumer trust

Consumer trust is crucial for the operation of the CDR framework. The CDR seeks to promote competition by empowering consumers to make better use of their data because few consumers are able to extract value from their data on their own, without an enabling regulatory regime, and the traditional legal frameworks (like privacy laws) may not be up to the task.

Consumers are the core of the CDR framework. According to the Australian Treasury, the Consumer Data Right “should be for the consumer, be about the consumer, and be seen from the consumer’s perspective.” Within the CDR framework, the consumer is not just the weaker party that requires protection- the consumer is the source of the valuable data that fuels the system and generates value for service providers. 

The CDR can only operate if consumers choose voluntarily to interact with the other CDR participants by consenting to the disclosure of their data. It follows that consumer trust is a central element of the CDR framework. After all, without consumers willingly choosing to use the framework, no data will be transmitted through the CDR ecosystem. 

A key feature of consumer trust in the CDR framework is its institutional, impersonal nature. This means that consumers who entrust service providers to receive their data through the CDR framework are not expected to verify the quality of computer systems of the data recipient. Consumers are expected to trust the CDR ecosystem as a whole and CDR participants as representatives of that ecosystem.

Most legal frameworks cannot operate without trust from the relevant stakeholders – from unsophisticated consumers to large banks. The first thing to remember is that the concept of “trust” is a complex multifaceted phenomenon that has different meanings in different disciplines. Interdisciplinary scholarship suggests that two conditions must be satisfied for trust to exist. First, there needs to be some kind of risk or vulnerability that creates an opportunity for trust to emerge. Second, the interests of one person must be achievable by relying on someone else. In other words, trust effectively represents acceptance of vulnerability based on positive expectations of someone else’s behaviour.

Room for improvements

As a legal framework relying on consumer trust, the CDR needs to build that trust. Without it, no consumer data will circulate through the CDR ecosystem. From this perspective, consistency, legal certainty and balancing the interests of different stakeholders are crucial.

My analysis of the CDR framework has identified several gaps that should be addressed to help boost consumer confidence. One example is the recent reforms which enabled certain entities (like professional advisers) to access CDR data without accreditation. As a result, the same consumer data ended up being subject to different information security controls depending on the recipient of that data. My detailed analysis in two related articles on this topic suggests that the associated challenges can hardly be resolved by amendments to the CDR framework alone. The answer, I argue, lies in raising the protections of consumer data economy-wide.

The ambitious proposals in my article (such as a legal framework that prescribes acceptable channels for transferring all valuable consumer data) require substantial political will to be implemented. Absent such political will, however, a blacklisting regime might be a suitable alternative: consumer data sharing methods that facilitate breaches of security of consumer data by design should be prohibited. Screen-scraping is one such method.

Since the CDR framework seeks to increase the amount and frequency of sharing of consumer data across the economy, I argue that the introduction of an efficient compensation regime for consumers (e.g., in the event of cyber breaches of accredited data recipients) is a crucial enabler of consumer trust in the CDR. One strong argument for this is the “assume breach” logic of cyber security regulation. This acknowledges that every computer system will be breached at some point and that attempts to build impenetrable cyber fortresses are futile. Indeed, if a successful cyber breach is only a matter of time, then the loss of one’s CDR data at some point is also assured. Thus, ease of obtaining recourse becomes crucial.

Furthermore, I argue that certain provisions in the CDR framework that seek to protect service providers (like “safe harbours”) do so by offloading the residual risk onto consumers. In my publications, I argue that this outcome is unsatisfactory. While it is perfectly acceptable for safe harbours to protect service providers from regulatory penalties (if the regulators are happy with this policy decision), safe harbours should not prevent consumers from receiving compensation from the service provider.

My other proposals focus on different ways to boost consumer empowerment (e.g., by enabling consumers to receive CDR data directly – a functionality that is currently missing in Australia’s CDR) and increasing consumer awareness of the risks associated with the sharing of valuable data through the CDR ecosystem.

How does this help in legal drafting or analysis? If we focus on the two key preconditions of trust, we can conclude that trust-enhancing elements of a legal framework are those which enable stakeholders to achieve their goals by relying on a third party while minimising the underlying risks. Therefore, if we identify, separately, the associated risks and interdependencies that a legal instrument seeks to tackle, we can more easily determine the elements of a legal framework that promote or, conversely, inhibit, trust. 

Furthermore, trust should be viewed as a dynamic phenomenon that can exist in different phases. This suggests that research into the trust-enabling elements of a legal framework can be used to improve the level of trust in the future through legal reform.

 

Data sharing, privacy laws

Trust in a legal framework can be institutional. This has important implications. In the context of complex legal frameworks spanning multiple sectors of the economy, this means that negative events (such as high-profile cyber breaches) affecting one sector may affect how consumers perceive the entire framework. Several observations are important here.

First, lawmakers should approach cross-sectoral frameworks strategically. If necessary, the rollout should be paused to ensure all objectives are being met and consumer trust does not dissipate. The recent decision to put further expansion of the CDR regime on hold is a good illustration of such regulatory flexibility.

Second, as long as customer data sharing frameworks (such as “open banking” or “open finance”) remain sector-specific and do not cover the entire economy, the “boundary problem” previously will persist. This, in turn, will expose the “weakest link” issue: customer data will be most exposed where the information security controls are the weakest. From this perspective, I argue in my publications that the adequate response can only be found if policymakers look beyond the data sharing frameworks and raise the standard of protections for customer data economy-wide.

Third, the “assume breach” logic suggests that no information system is immune to cyber-attacks. This, in my view, strongly suggests that more emphasis in designing customer data sharing frameworks should be put on recovery and compensation for customers (i.e., ex post redress). The most vulnerable customers – individual consumers – require additional protections, since data breaches may expose them to long-term risks such as identity fraud. For these customers, ease of obtaining recourse is crucial, considering that litigation is likely to be uneconomical and that stolen data can be reused in subsequent criminal activities almost indefinitely.

Fourth, importantly, consumer trust can sometimes be misplaced – such as when the consumer is simply unaware of the relevant risks. This could, in theory, create perverse incentives for some policymakers and businesses to avoid promoting consumer awareness of those risks to maintain consumer trust. However, this approach would be ill-advised. If consumers become aware of the risks only when those risks materialise and cause detriment, the resulting fallout and drop in the level of consumer trust could be catastrophic. In other words, a delay in raising consumer awareness of the relevant issues could lead to a more significant reduction in the levels of consumer trust.

 

Anton Didenko is a senior lecturer from the Faculty of Law and Justice at the University of New South Wales.

Edited by WENG RONG