Consumer Data Right

Learn how Australia will require consumer data APIs across industries

the obstacle

Data Gives Consumers the Upper Hand

Cheap storage in the cloud has enabled “Big Data” explosions in practically all industries globally. Many organisations consider it a competitive advantage to collect and leverage analytics on user behaviour, psychological profiling, tastes/preferences, transactions and activities. With all this data corporations are collecting about us, shouldn’t we have the rights to it? The Australian Competition and Consumer Commission (ACCC) thinks so. The ACCC’s Consumer Data Right (CDR) legislation intends to shift the ownership of customer data from corporations to the customer, giving customers the freedom to port their own data and share it with other industry players as they wish.

the obstacle

CDR Demands Open Business APIs

CDR is taking an industry approach, piloting an Open Banking regime and then an Open Energy scheme, with Open Telco discussions and debates beginning to take place. There will likely be a common thread among the CDR rules for all sectors, but every sector will have associated rules and considerations that are industry-specific. All companies that own data will become Data Holders, while the companies able to accept and view that data will become Data Recipients, though most will likely play both roles by building and consuming open APIs across Australia. Industry-specific API standards will help pave the way for interoperability and rapid testing/adoption.

the opportunity

Australian Open Banking

With Open Banking, the Consumer Data Right requires all financial institutions that hold customer accounts to provide open APIs that allow account data (e.g., transactions, balances, etc.) to be shared securely with a third-party Data Recipient. In practice, consumers will be able to access their own account data through innovative fintech apps for personal finance offered by leading banks and nimble startups. This helps customers make better financial decisions such as how they spend their money, with whom they bank, where they buy insurance and how they manage investments.


A committee of industry stakeholders is crafting a robust, interoperable standard for Australian financial consumer data APIs—and Ping Identity is the only vendor on this Advisory Committee. Learn how identity and access management (IAM) is the key to Australian Open Banking.



the opportunity

Australian Open Energy

Ever the competition watchdog, the ACCC has determined that an Open Energy program will be implemented in the first half of 2020, to help consumers use their own energy data to find cheaper services, and promote transparency and innovation. The data will likely include connection point information, contact details, metering data, billing information, product information, average daily load and distributed energy resources register data. Since energy data on an individual consumer may be held by a number of organisations, the ACCC gathered stakeholder feedback on three different CDR models in March 2019:

  • Centralized

    Australian Energy Market Operator (AEMO) would be the sole data holder for data recipients to connect to. All other data holders would need to build APIs to provide data to AEMO. AEMO would handle authentication/authorisation with consumers and make the complete data available to Data Recipients via API.

  • Gateway

    The AEMO would source all the data it doesn’t hold and maintain a gateway to access the data. All Data Holders would still be responsible for getting consumer authorisation for their portion of a consumer’s data before it gets released to a Data Recipient.

  • Economy Wide

    All Data Holders would be responsible for open APIs that could be accessed by all Data Recipients (most similar to Australian Open Banking). The Data Holders would be responsible for consumer authentication/authorisation, and delivering an API for Data Recipients to use.

the opportunity

Australian Open Telco

Organisations within the telecommunications industry sector should be taking steps today to understand the data sets they hold that could be subject to the CDR, as well as the status of their data and API security posture in general. Given the speculation and concerns expressed by stakeholders in the telecommunications industry, telecommunications companies may also wish to involve themselves in ongoing ACCC consultations and submissions. For example, the Communications Alliance Ltd. submitted a number of concerns, one of which is that the Bill was developed with a banking focus and “bears the very real risk that those later sectors will be forced to operate within a legislative and regulatory framework that has a distinct ‘banking flavour’ but lacks sufficient consideration of the particularities of other industry verticals.”


Regardless of how Australian Open Telco shapes up, the same opportunities and threats are facing the telecommunications industry as in Banking and Energy. Since identity and access management capabilities are critical for API security, many telecommunications companies are assessing their existing infrastructure to modernise legacy identity and access management systems that aren’t able to handle the security implications of working with Data Recipients.

the solution

Prepare for Consumer Data Right Compliance

How can corporations and enterprises prepare for the Consumer Data Right? There are more questions than answers at this point. But one thing is for certain: Compliance in every affected sector will no doubt include open APIs and a way to secure them. Ping Identity helps with the security part, striking that balance of protecting customer information while enhancing the customer experience. Regardless of how the legislation and standards play out, investing in customer identity and access management with unified profiles, end-user consent and a seamless login experience can lead to increased convenience and brand loyalty.

The Ping Intelligent Identity Platform is proven to handle the complex security implications of authorising delegated access to customer data to a Data Recipient, and uses self-learning, behavioural analytics to secure those sensitive customer data APIs against abuse and threats. Ping Identity is spearheading the global open business movement; in the UK and Europe, Ping is already the leader in PSD2 and Open Banking solutions—even the UK Open Banking Implementation Entity itself relies on our platform. With that level of expertise, Ping Identity can leverage the right industry partners and help you modernise your identity and access management architecture so that you’re ready for CDR in any industry.
