Can My Bank Share My Data Without My Consent in Australia?
No — not under the Consumer Data Right.
In Australia, banks are not allowed to share your data without your explicit permission. Thanks to the Consumer Data Right (CDR), you’re firmly in control of who sees your financial information and when.
What is the Consumer Data Right?
CDR is Australia’s open data regime. It was designed to give consumers more power over their information — starting with banking (also known as Open Banking), and expanding into sectors like energy and telecommunications.
Under CDR, data sharing must be:
- Explicitly authorised by you
- Transparent and traceable
- Revocable at any time
Banks can only share your data with accredited third parties, and only after you’ve gone through a CDR-compliant consent flow.
What does “consent” actually mean?
Consent under the CDR is not buried in fine print. It’s an active, deliberate step that includes:
- A clear summary of the data being shared
- A list of the parties involved
- A specified duration of consent (e.g., 90 days)
- Your ability to revoke access anytime via your bank or the recipient’s dashboard
So if you haven’t been through this process, your data hasn’t been shared — full stop.
What about internal sharing within a bank?
Banks may use your data internally to provide core services, detect fraud, or comply with regulatory obligations — all within their privacy policy. But they cannot send your data to other banks, apps, or platforms without your authorisation under the CDR.
Why this matters
Open Banking is designed to increase competition and innovation — not to erode your privacy. By putting consumers in control, CDR flips the data-sharing model on its head: you decide who gets access, for how long, and for what purpose.
Bottom line:
Unless you’ve explicitly opted in through a CDR consent flow, your bank can’t share your data — and you’ll always know when you’ve given that permission.