Inside the CDR rollout: How data portability is rewiring Australia’s energy market

Australia’s Consumer Data Right (CDR) has, since its inception, promised to transform how consumers, retailers, and third-party innovators access and use data. Initially focused on banking, CDR expanded to energy in late 2022, opening a new frontier in the transition to smarter, more consumer-centric energy retailing. But implementation is proving complex, and the real impact is still emerging.

The architecture: governance, obligations, and scope

At the top of the governance stack sits Treasury, which is responsible for CDR policy, sector designation and rule-making. Underneath that, the Data Standards Body (DSB) crafts the technical standards - such as Application Programming Interfaces (APIs), data schemas, consent flows - that govern how data flows in practice.

On the regulatory side, the Australian Competition & Consumer Commission (ACCC) handles accreditation, monitoring, compliance, and enforcement of CDR rules, while the Office of the Australian Information Commissioner (OAIC) regulates privacy and data breach obligations.
In the energy sector, obligations are layered. Retailers are designated as ‘data holders’ and must respond to ‘consumer data requests’ under defined standards and rules. Meanwhile, AEMO (and in some jurisdictions, state-level agencies) act as ‘secondary data holders’ with responsibility for metering, DER, and standing data.

Retailers with more than 10,000 small customers must comply with consumer data requests (non-complex) from 15 November 2022; more complex requests commenced from 15 May 2023. 
Product data must also be published under CDR rules. 

Importantly, the DSB is actively refining standards. As of October 2025, recent consultations include a draft standard to accommodate “white label brand arrangements”. 

Treasury gave Energy Insights a behind-the-scenes update, confirming that the rollout of the CDR into the non-bank lending sector is underway, with data sharing obligations commencing in phases from July 2026 through to 2027.

Authorisation, integration, and data integrity

One of the most visible consumer touchpoints is the authorisation process - when a user consents to share their energy data. In its December 2024 targeted compliance review of energy data holders, the ACCC observed that while most legal obligations were met, many authorisation flows fell short of consumer experience guidelines: missing clarity about expiry periods and how to withdraw consent, or inconsistent application of standard data language.

An ACCC spokesperson told Energy Insights that it is prioritising conduct where data holders may discourage or complicate consumer opt-in: “The ACCC supports and monitors compliance through various sources of information and intelligence, including complaints from data recipients… We monitor consumer uptake of the CDR in the energy sector through analysing data that we receive from energy data holders and accredited data recipients.”

The first moments of consent - often via web or app - make or break trust.

The ACCC is focused on “priority conduct” that may harm consumers and the integrity of the CDR. 

“Across the energy sector, we are particularly focused on ensuring that the CDR data is of high quality and that data holders do not introduce processes or functionality that discourages consumers from participating in the CDR,” an ACCC spokesperson said. 

Many incumbent retailers operate on decades-old billing, metering, and IT architectures. Retrofitting them to support real-time API calls, consent token management, and schema translation is a complicated process. In contrast, newer entrants or software-native firms often approach from modern, cloud-native stacks, giving them a head start in CDR readiness.
Some are adopting third-party platforms to bridge their legacy systems to CDR-compliant endpoints. Meanwhile, smaller retailers can opt in voluntarily but afterwards cannot opt out. 

Effective analytics and plan comparisons rely on complete, accurate, and granular data. The ACCC flagged that gaps in historical usage, DER data, or misaligned timestamps threaten the utility of shared data. Voluntary exposure of richer product attributes must also carefully comply with the CDR Rules’ constraints: data holders can’t impose additional conditions on how recipients use the data.

Trust and awareness

Despite regulatory scaffolding, consumer awareness of CDR in energy remains low. For many households, the idea of authorising a third party to access their energy data feels abstract. Retailers are banking on pull rather than push - i.e. compelling use cases (savings, emissions tracking, switching offers) to entice customers.

However, CDR does have potential to help customers better understand and manage their energy use, compare products, and make informed decisions that support affordability and sustainability - providing options for greater control, transparency and choice over their energy data. 

An EnergyAustralia spokesperson said: “If implemented effectively, CDR can support innovation across the energy sector, enabling smarter energy services, more tailored solutions, and new technologies that work in customers’ best interests.” 

Privacy, analytics, and action initiation

In the next phase, two technical frontiers will define CDR’s ambition: privacy-preserving analytics and action initiation (or write access).

CSIRO’s Data61 is exploring these principles across multiple initiatives, including privacy mechanisms for short-term net load forecasting under consented data sharing, the Provenance of Battery Inverter Materials (PBIM) project, and the Predictive Interdependency and Vulnerability Assistant (CSIRO, not Data61 specific) project.

And privacy-by-design methods, including federated learning and split learning, allow model building across data silos without centralising raw data.

The research projects are building “a strong foundation for a safer, more reliable energy data system,” Dr Chamikara Mahawaga Arachchige told Energy Insights. 

“Embedding privacy-preserving analytics into energy data-sharing systems would enable new forms of consumer value, such as personalised energy management tools, dynamic pricing, and smarter demand-side programs, while reinforcing consumer trust and compliance with privacy regulations." 

CSIRO’s National Energy Analysis Centre is testing anonymised consumer insights to support an equitable energy transition. “We will have a Living Lab of energy use data, and we are investigating the use of CDR data to enhance insights,” Arachchige added.  

Meanwhile, Dr Marthie Grobler highlights the resilience dimension:

"CSIRO’s Critical Infrastructure Protection and Resilience work strengthens the energy ecosystem by identifying and mitigating cybersecurity risks across interconnected systems, ensuring continuity of essential services. By enhancing visibility into vulnerabilities and enabling proactive risk management, it supports a more secure, resilient, and trustworthy energy infrastructure." 

These research voices signify that CDR in energy isn’t just about free access to data - it’s about enabling it without compromising privacy or system integrity.

On the action initiation front, the Treasury Laws Amendment (Consumer Data Right) Act 2024 enabled “write access” - letting consumers issue instructions via accredited parties (e.g. switch plans, update profiles). But the standards, sequencing, and protocols for energy are still under development. Some industry insiders expect phased pilots before full rollout.

What to watch

Energy data holders are now reporting availability and performance metrics publicly. Meanwhile, compliance audits - especially around authorisation flows - show no systemic breakdowns so far.

Hindering CDR processes - including discouraging consumers from completing authorisations - is an enforcement priority under the ACCC and OAIC’s CDR Compliance and Enforcement Policy.

As the regime edges into non-bank lending in mid-2026, consistency in standards, consent semantics, and interoperability will matter more than ever. 

For energy players, those who can embed CDR may unlock competitive differentiation. 
Success in energy CDR will depend less on legislation than on proof: whether consumers, innovators, and retailers can turn permissioned data flows into meaningful outcomes.