Consumer Rights

Overview

The centrepiece of consumer law in Australia is the Competition and Consumer Act 2010 (Cth), which provides for competition and fair trading among businesses and establishes a statutory regime of consumer protection. The Australian Consumer Law (a schedule to the Act) contains a series of general and specific consumer protections, a product safety regime, and regulatory enforcement mechanisms. A key component of this framework is the Consumer Data Right (CDR), designed to give consumers greater access to and control over their data.

Background

• The Consumer Data Right (CDR) is a government reform, established as an 'opt-in' service to give Australian consumers greater choice and control over their data. The purpose of the CDR regime is to improve consumers' ability to compare and switch between products and services, thereby encouraging competition and innovation. The CDR first applied to the banking sector, followed by the energy sector.
• However, the initial rollout faced challenges, including high compliance costs for businesses and limited consumer uptake. In response, the Australian Government announced a 'reset' of the CDR in August 2024, aiming to reduce costs, lower barriers to adoption, and focus on delivering high-value use cases. A key part of this new direction is expanding the CDR from a purely data-sharing scheme to one that allows consumers to act on information through "action initiation" or "write access". The regime is also being expanded to the non-bank lending sector, which is expected to be operational by mid-2026.
• The CDR is regulated by Treasury, the Australian Competition and Consumer Commission (ACCC), the Office of the Australian Information Commissioner and Data Standards Body.

Legal Framework

Australian Consumer Law

The Australian Consumer Law (ACL), Australia's principal consumer protection law, is contained in Schedule 2 of the Competition and Consumer Act 2010 (Cth). It is a single, national law that applies uniformly across Australia and is enforced by all Australian courts and tribunals.It provides for general consumer protections, specific rules against unfair practices, statutory consumer guarantees, a product safety regime, and enforcement powers. The ACL is structured into several key parts:

• Part 2-1 - Misleading or Deceptive Conduct: It is unlawful for a business to engage in conduct in trade or commerce that is misleading or deceptive, or is likely to mislead or deceive. This can include a failure to disclose relevant information, as well as promises and predictions.
• Part 2-2 - Unconscionable Conduct: Prohibits persons from engaging in unconscionable conduct towards consumers or businesses.
• Part 2-3 - Unfair Contract Terms: Renders unfair terms in standard form consumer contracts void. A consumer contract is for the supply of goods, services or land to an individual for personal, domestic or household use.
• Part 3-1 - Unfair Practices: Targets specific detrimental activities such as making false or misleading representations about goods or services, bait advertising, pyramid selling, and using harassment or coercion.
• Part 3-2 - Consumer Guarantees: Establishes statutory guarantees that apply to all goods and services purchased by consumers.
• Part 3-3 - Product Safety: Imposes a national product safety scheme for consumer goods and related services, allowing for safety standards, warning notices, product bans, and recalls.
• Part 3-4 - Information Standards: Requires suppliers to provide specific information to consumers for particular goods and services.
• Part 3-5 - Liability of Manufacturers: Holds manufacturers liable to compensate persons for loss or damage suffered from goods with safety defects.

The ACL is jointly enforced by the Australian Competition and Consumer Commission (ACCC) and state and territory consumer protection agencies.

Consumer and Data Breach Litigation

The high-profile data breaches affecting Optus in September 2022 and Medibank Private in October 2022 have led to a new era for data breach litigation in Australia. These events resulted in multiple class actions and intense regulatory scrutiny from bodies like the Office of the Australian Information Commissioner (OAIC) and the Australian Prudential Regulation Authority (APRA). See LitigationAndInvestigations page.

• Medibank Consumer Class Action: This consolidated action is brought on behalf of customers whose sensitive health information was released on the dark web after a ransomware attack. The claims are extensive, alleging:
  • Breach of contract, negligence, and breach of an equitable duty of confidence.
  • Breaches of multiple Australian Privacy Principles under the Privacy Act 1988 (Cth), as well as state-based health records legislation.
  • Specific failures to meet industry standards by lacking multi-factor authentication (MFA), proper network segmentation, and adequate systems for threat detection and data deletion.
  • The action seeks damages for distress and anxiety, as well as an injunction requiring Medibank to destroy customer data it no longer needs.
• Optus Consumer Class Action: This consolidated action follows the theft of customers' personal information and identity documents. It alleges:
  • Breach of contract, negligence, and breach of confidence.
  • Contraventions of the Privacy Act, the Telecommunications (Interception and Access) Act 1979 (Cth), and the Australian Consumer Law.
  • The class seeks damages for emotional distress and the costs associated with responding to the breach.
• Regulatory Action: In response to the breaches, the OAIC has commenced civil penalty proceedings against Medibank for alleged breaches of the Privacy Act. Separately, APRA increased Medibank's capital adequacy requirement due to weaknesses identified in its security environment.

Consumer Data Right

The Consumer Data Right (CDR) is a government reform established under Part IVD of the Competition and Consumer Act 2010 (Cth) designed to give consumers greater choice and control over their data. The regime is currently active in the banking and energy sectors.

• The 2024 CDR 'Reset': In August 2024, the Australian Government announced a 'reset' of the CDR regime. The reset aims to address shortcomings such as high compliance costs and low consumer uptake by reducing the cost of compliance, lowering barriers to adoption, and focusing on high-value use cases. A review found that implementation costs had significantly exceeded original estimates, with some data holders spending over $1 million and the largest banks spending over $100 million each.
• Action Initiation ("Write Access"): The most significant development is the introduction of "action initiation", also known as "write access". This was enabled by the Treasury Laws Amendment (Consumer Data Right) Act 2024 (Cth), which passed Parliament on 15 August 2024.
  • Action initiation allows consumers to direct an accredited service provider to initiate actions on their behalf, such as making payments, switching providers, or opening and closing accounts.
  • This expands the CDR from a data-sharing scheme to one that allows consumers to act on the information they receive.
  • The framework regulates the "instruction layer" (the standardised instruction process) while the "action layer" (the execution of the task) uses existing industry processes.
  • It introduces two new roles: the Accredited Action Initiator (AAI), who receives action requests, and the Action Service Provider (ASP), who performs the action.
  • The Government has indicated it will not "turn on" specific actions until the CDR ecosystem is on a more sustainable footing. Treasury will consult on which actions to introduce for each sector, with initial high-priority use cases identified as borrowing decisions, energy switching, and accounting services for small businesses.
• Changes to Consent Rules: Following consultation, amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) have been proposed to simplify the consumer consent process.
  • Data recipients will be allowed to "bundle" multiple consents (e.g., for collection, use, and disclosure) into a single consumer action where reasonably needed for a service. However, consents for direct marketing and de-identification must still be requested separately.
  • Data recipients will also be permitted to pre-select consent options that are reasonably needed for a service to function, reducing the "cognitive load" on consumers.
• The Government has announced the CDR will be expanded to the non-bank lending sector, with data sharing obligations expected to be operational by mid-2026. The expansion will also ensure Buy Now, Pay Later products are covered. To reduce costs and cybersecurity risks, the mandatory data retention period is being significantly reduced from 7 years to 2 years.
• The Government has signalled its intent to move towards a "full and formal ban" of screen scraping. Screen scraping is viewed as a "fundamentally unsafe" alternative to the CDR, with inherent privacy and security risks.
• Interaction with Digital ID: Australia's new Digital ID Act 2024 (Cth) has a close relationship with the CDR. The Australian Competition and Consumer Commission (ACCC) has been appointed as the initial regulator for both the Digital ID and CDR schemes. The government has noted that the integration of Digital ID with action initiation will be critical for ensuring consumer safety.

Regulatory & Policy Framework

• Competition and Consumer (Consumer Data Right) Rules 2020 (Cth); see also Competition and Consumer (Consumer Data Right) Amendment Rules (No 1) 2021 (Cth); Competition and Consumer (Consumer Data Right) Amendment Rules (No 2) 2021 (Cth).
• Data Standards Body, 'Data Standards – Consumer Data Right', Consumer Data Standards (Web Page).
• Office of the Australian Information Commissioner, CDR Privacy Safeguard Guidelines (Version 5.0, November 2023).
• Heidi Richards, Consumer Data Right Compliance Costs Review Report (Report for the Department of the Treasury, December 2023).
• Australian Competition and Consumer Commission and Office of the Australian Information Commissioner, Compliance and Enforcement Policy for the Consumer Data Right (Policy Document, 12 October 2023).

Relevant Organisations and Resources

• Australian Competition and Consumer Commission (ACCC):
  • The ACCC is a primary regulator for the Consumer Data Right (CDR), sharing responsibility for compliance and enforcement with the OAIC. Its role includes accrediting service providers and enforcing compliance. The ACCC has also been appointed as the initial regulator for Australia's new Digital ID scheme.
• Office of the Australian Information Commissioner (OAIC):
  • The OAIC's role focuses on the privacy aspects of the CDR. It is responsible for enforcing the legally binding privacy safeguards and preparing and publishing guidelines related to them. The OAIC also oversees privacy-related aspects of the Digital ID scheme.
• The Treasury:
  • Treasury leads the policy development for the CDR. It conducts public consultations on proposed amendments to the Consumer Data Right Rules and commissions key reports, such as the Consumer Data Right Compliance Costs Review Report.
• Data Standards Body:
  • Chaired by the Data Standards Chair, this body creates the binding technical and consumer experience (CX) data standards. These standards regulate the format for the secure transfer of CDR data.
• State and Territory Consumer Agencies:
  • These agencies, such as NSW Fair Trading and Consumer Affairs Victoria, jointly administer and enforce the Australian Consumer Law with the ACCC.

Inquiries & Consultations

• 2024 CDR 'Reset' and Rules Consultation: In August 2024, the government announced a 'reset' of the CDR regime, initiating a public consultation on proposed amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth). The consultation, which closed on 9 September 2024, sought feedback on simplifying consumer consent processes and other operational enhancements.
• Consumer Data Right Compliance Costs Review: An independent review of the compliance costs associated with the CDR was released in August 2024. The report, based on interviews with industry participants, found that implementation costs had significantly exceeded initial estimates and its findings helped inform the CDR 'reset'.
• Ongoing Advice on Screen Scraping: As part of the CDR reset, the Assistant Treasurer has requested advice from the Treasury on a path forward for a "full and formal ban" on the practice of screen scraping, which the government considers to be "fundamentally unsafe".
• Related Digital ID Consultations: Related to the broader consumer data ecosystem, public consultation on the draft Rules and Data Standards for the new Digital ID Act 2024 closed on 25 June 2024.

Industry Materials

• Geoff McGrath et al, 'Action Initiated? Action initiation under Australia's Consumer Data Right becomes law', Ashurst (Web Page, 5 September 2024).
• Lyndal Sivell, 'Data portability: revival of Australia's Consumer Data Right', Clayton Utz (Web Page, 26 March 2025).
• Bruno Solia and Sarah Summers, 'Consumer Data Right: Key items for consultation', MinterEllison (Web Page, 30 August 2024).
• Daryl Cox et al, 'Rebooting the system - the Government announces its plans for the Consumer Data Right', King & Wood Mallesons (26 August 2024).
• Australian Competition and Consumer Commission, Submission to Treasury, Screen Scraping – Policy and Regulatory Implications (October 2023).
• FinTech Australia, Submission to Treasury, Proposed Amendments to Consumer Data Right Rules (September 2024).

Related Topics

• Directors' Duties
• Privacy Law
• Online Content and Services
• Unsolicited Communications
• LitigationAndInvestigations
• Telecommunications
• Security of Critical Infrastructure