Decision Proposal 350 - August 2024 Rules - Standards Impacts

[CDR-CX-Stream]

Friday 15 November: Binding Standards Made for Decision 350

The Assistant Treasurer made the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024, which commenced on 12 November 2024 (see media release).

These rules give effect to the August 2024 draft rules for the consent review and operational enhancements and require new standards to be made.

The Chair has now made binding standards in relation to Decision 350 for:

• CDR Receipts
• 90-day notifications
• amending consents

These standards have a future dated obligation of 14 July 2025 and will be reflected in the 1.33.0 standards release.

The decision record is attached below: Decision 350 - August 2024 Rules - Standards Impacts.pdf

---

Friday 9 August: Decision Proposal Published

Overview The Treasury has published the exposure draft of the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No.1) Rules 2024 (the ‘August 2024 draft rules’) for consultation until Monday 9 September 2024.

The draft rules outline proposed changes to support the consent review and operational enhancements. The rules consultation documents and privacy impact assessment (PIA) can be found on the Treasury's website here.

Decision Proposal 350 outlines impacts to the consumer experience (CX) and technical data standards to support the August 2024 draft rules. The issues outlined in this paper largely relate to data recipients, though one proposal relating to a withdrawal standard being retired also relates to data holders.

The specific topics identified in this paper include:

• Rules specific to the energy sector
• CDR Receipts
• 90-day notifications
• Amending consents
• Updates to clarify that CDR representatives must comply with the CX standards
• Updates to existing standards relating to de-identification of redundant data
• Secondary users
• Nominated representatives

Consultation Documents The decision proposal can be found below: DP350 - August 2024 Rules - Standards Impacts (PDF) DP350 - August 2024 Rules - Standards Impacts (DOCX)

The community should read this decision proposal paper in conjunction with the Treasury’s consultation documents (found here), which outline other details and changes relating to the consent review and operational enhancements.

The DSB has prepared visual examples to demonstrate how a range of the consent review changes may manifest in a consent flow, which can be found here. These artefacts should be considered in relation to this decision proposal consultation, but should not be taken as compliance references for the purposes of implementation.

Feedback Feedback on this decision proposal paper will inform the binding standards to be considered by the Data Standards Chair, which will follow the making of any relevant rules.

You can submit responses to this consultation up until 9 September 2024. Feedback may be provided on this GitHub page. Stakeholders are also encouraged to raise queries on this GitHub page, which may help inform the development of feedback.

Feedback posted on GitHub is public by nature at the time of submission. Content posted on GitHub should be made according to the community engagement rules published by the DSB.

Stakeholder forum The Treasury and DSB will also host an online stakeholder forum on Friday 23 August at 2pm via Microsoft Teams. This forum will supplement the written submissions process and to answer questions about the exposure draft rules, proposed data standards, and the consultation process. If you would like to participate in this forum, register your interest at CDRRules@treasury.gov.au.

---

Edit 15.11.24: Binding standards made Edit 27.9.24: Consultation closed on Monday 9 September Edit 9.8.24: Decision proposal published for consultation

[CDR-CX-Stream]

The Treasury has now published the exposure draft rules on the consent review and operational enhancements. The rules are open for consultation until Monday 9 September 2024.

Decision Proposal 350 has also been published to outline the expected impacts to the consumer experience (CX) and technical data standards to support the draft rules. The issues outlined in this paper largely relate to data recipients, though one proposal relating to a withdrawal standard being retired also relates to data holders.

Consultation documents and links can be found in the original post.

Feedback on this decision proposal paper will inform the binding standards to be considered by the Data Standards Chair, which will follow the making of any relevant rules.

The decision proposal consultation is open until 9 September 2024.

[da-banking]

Hi

We would like to query the following items:

Secondary Users proposed rule change We would like to see this reflected as a change in the standards and request that any Data Holders who have implemented this 'block' remove it. This assists in the maintenance of code and makes the user experience more manageable. Furthermore, could there be clarity regarding any potential 'blocks' already in place. Should these be removed?

Nominated Representatives Changes to the Nom Rep process have been mentioned. Now required to provide an online service. The change describes this being readily accessible for 'online account administrators' to be appointed as Nom Reps. In attempting to interpret this change is the following example accurate:

• Business has 2 signatories who have online access to the business' accounts These 2 signatories should be able to appoint themselves as Nom Reps for the business via an online service

• A 3rd signatory has no online access to the business' accounts This signatory cannot appoint themselves as Nom Rep directly, but could contact the Data Holder and have themselves set up as Nom Rep - does not need to be an online service

Please advise

Thanks DA Banking

[CDR-CX-Stream]

Thanks for this input @da-banking - we've passed your queries on to the Treasury given this consultation issue only relates to the data standards.

If you'd like to engage further on the rules, the Treasury has invited stakeholders to the CDR Consent Review and Operational Enhancement Amendments Stakeholder Forum, which will be held virtually on Friday, 23 August 2024, 2pm-4pm AEST.

At the forum, Treasury will provide an overview of the key design features of the draft rules and the DSB will provide an overview of the associated standards changes. Attendees will have the opportunity to ask questions about the rules and standards proposals and consultation processes before making written submissions.

Written submissions on the draft rules should be provided to Treasury by the 9 September 2024 deadline. Treasury is also open to any bilateral meetings as part of this consultation.

If you would like to register for the forum, provide a rules submission, or arrange a meeting or have a question related to the rules, please contact the CDR Framework Unit by emailing CDRRules@treasury.gov.au.

[DW-UDA]

The decision proposal states that "The issues outlined in this paper largely relate to data recipients, though one proposal relating to a withdrawal standard being retired also relates to data holders".

However, the "Nominated representatives" section includes a proposal for data holders to provide a new online service for appointing nominated representatives.

And the "Current recommendation" section doesn't mention this new requirement at all in relation to a future-dated obligation period. Can we please clarify if there is a recommended future-dated obligation period for this proposed change, and if so what it would be?

[CDR-CX-Stream]

Hi @DW-UDA - the rules and standards are being consulted on separately. The Treasury administer the rules consultation, while the Data Standards Body (DSB) develops the standards.

This decision proposal consultation only relates to the standards proposals that are being considered to support the draft rules. The rules out for consultation contain a range of other changes - they can be found here.

The statement on proposals being largely limited to data recipients is only referring to the standards proposals in this consultation document.

Apologies if that was not clear.

Part 50 - Transitional Provisions on page 20 of this rules document outlines compliance timing. Line 501 suggests that the nominated representative changes would apply 12 months after the rules are made, as follows:

Subparagraphs 1.13(1)(c)(iii) and (iv) and (1)(d)(iii) and (iv) and subrule 1.13(1A) of the principal rules, as inserted by the amending rules, apply on and after the day that is 12 months after the commencement of the amending rules.

However, as noted above, please refer to the draft rules for that detail and contact the CDR Framework Unit by emailing CDRRules@treasury.gov.au if you'd like to arrange a meeting or raise questions related to the rules.

[perlboy]

This DP suggests a 6-month FDO after Standards are binded, but since the Rules are still in draft and their finalisation is unclear, setting Standards now could lead to revisions. Can the DSB clarify their assumption for an FDO, possibly 2025-05-12 or 2025-07-14?

On Nominated Representatives, Biza.io has already implemented this functionality across all sectors. We offer an opt-in/opt-out feature (Default value is Client choice), inside the CDR Dashboard, based on user roles, providing binary enablement for all CDR functionality. Clarity though is needed on the definition of an "administrator". In corporate settings, banking roles can be complex. Has the DSB considered if access levels will need to be factored into the opt-in/opt-out process? This is critical as we move beyond read-only access, and early consideration could prevent costly rework.

[CDR-CX-Stream]

Hi @perlboy - thanks for these points.

As noted in the paper, binding standards will not be considered until the rules are finalised, and the appropriate timing for the FDOs will be informed by community feedback and the timing of the final rules. Assuming the rules are made in Q4 2024, as an example, we'd then expect FDOs to be followed by 6 months or a supported date in the obligation schedule (e.g. 2025-05-12).

We'll pass your query on the definition of administrator to the Treasury and encourage you to email them on CDRRules@treasury.gov.au. The @CDR-CX-Stream and @CDR-InfoSec-Stream will consider your point on access levels for nominated representatives with the Treasury.

[perlboy]

As noted in the paper, binding standards will not be considered until the rules are finalised, and the appropriate timing for the FDOs will be informed by community feedback and the timing of the final rules. Assuming the rules are made in Q4 2024, as an example, we'd then expect FDOs to be followed by 6 months or a supported date in the obligation schedule (e.g. 2025-05-12).

I don't know if that response was intentionally ambiguous but it is.... Q4 is 3 months so it's 6 months +/- 3 months OR a date aligned with the obligation schedule. It'd be helpful if the paper simply said "the next obligation schedule date after 6 months has passed".

We'll pass your query on the definition of administrator to the Treasury and encourage you to email them on CDRRules@treasury.gov.au. The @CDR-CX-Stream and @CDR-InfoSec-Stream will consider your point on access levels for nominated representatives with the Treasury.

We will respond in due course but this kind of goes to my initial question around defining a Standard with Rules in draft and further revisions possible (probable?). I know it's only been freshly published but there's a lot of learnings regarding cost of implementation that this first gambit of a DP and the DSB doesn't seem to have learnt (ambiguity, multiple releases of change, missing cost assessment etc).

[CDR-CX-Stream]

Apologies @perlboy, ambiguity was not the intention.

The intention in the DP was to provide options for the community to consider as follows:

• 6 months after the standards are made; or
• a date in the obligation dates schedule, which could be more or less than 6 months after the standards are made

Your comment suggests that, once any standards are made, the next obligation schedule date after 6 months has passed may be preferred, which is useful feedback.

[perlboy]

Apologies @perlboy, ambiguity was not the intention.

👍 All good, was trying to decipher!

Your comment suggests that, once any standards are made, the next obligation schedule date after 6 months has passed may be preferred, which is useful feedback.

Hmm... Focus here in particular is "next obligation schedule date". Introducing an FDO that isn't aligned to the agreed 2025 dates would be a diversion from where I think the DSB was headed but also would not align with a Richards recommendation: "Changes to CDR data standards would be more manageable for the industry if limited to a small, fixed number of scheduled standards releases per year, with implementation dates providing longer lead times. Changes to CDR rules may need to be aligned to these release dates."

[CDR-Engagement-Stream]

For those interested we have put together a short video summary of Decision Proposal 350.

[jill-adatree]

I agree with the proposal except one aspect: Nominated Representatives. There must be CX Standards for Nominated Representatives. CDR is all about a consistent CX, and right now, the processes to nominate a Rep are anything but consistent. A "simple and straightforward" process leaves too much interpretation and ultimately hiding this step.

We need CX standards to ensure what the process looks like, what active or implied selections or statements, any confirmation, etc. Also a clear action for any support/help required too.

Having more instruction on what "good" is will set us up for success, since business data use cases being enabled is in the top 3 priorities of the Minister.

[markskript]

Skript wholeheartedly agrees with Jill's feedback on the improvements required to the Nominated Representative process. The variations in implementations are actively blocking businesses trying to adopt the CDR.

[CDR-CX-Stream]

Thanks @perlboy - we were attempting to provide flexibility given the only proposed FDOs at this stage would be for ADRs, in case ADRs wanted to move sooner on these changes.

We can align to an obligation date schedule that is 6 or more months after the standards are made (e.g. 12 May 2025), or an obligation date in the schedule that is less than 6 months after the standards are made (e.g. 17 March 2025), if feedback supports it.

[CDR-CX-Stream]

Thanks @jill-adatree and @markskript for these comments.

The rules are proposing an obligation date for the nominated rep changes of 12 months after the rules are made. We also understand that some DHs may have online nomination processes already, which may differ to other DH processes, that would need to be considered in relation to your proposal.

It would be helpful to understand what any proposed standards might state in practice, and if the intention is to have, for example, a standard regarding the length of the process, and/or what selections and statements the standards would need to consider.

[CDR-CX-Stream]

The DSB has developed additional wireframes to demonstrate how the rules changes may look in practice, including:

• Simple collection and use consent
• Bundled collection, use and disclosure consent
• Collection and use consent where supporting parties and outsourced service providers are used
• Collection and use consent where a de-identification consent is sought
• Collection and use consent where a direct marketing consent is sought

These consent flows incorporate key rules changes proposed by Treasury (see the rules consultation on Treasury’s website), including proposals 1.1, 1.2, 1.3, 1.6, 1.7 and 1.8.

These have been produced in addition to the artefacts provided in DP350 and the original post.

N.B. these wireframes are only illustrative examples for consultative purposes. They should not be taken as definitive guidance of compliance with the rules and should not be considered as legal or compliance references for the purposes of implementation.

You can view these wireframes in Figma in this online link.

[perlboy]

Thanks @perlboy - we were attempting to provide flexibility given the only proposed FDOs at this stage would be for ADRs, in case ADRs wanted to move sooner on these changes. We can align to an obligation date schedule that is 6 or more months after the standards are made (e.g. 12 May 2025), or an obligation date in the schedule that is less than 6 months after the standards are made (e.g. 17 March 2025), if feedback supports it.

This is a very confusing explanation and I'm a bit baffled why the back and forth is necessary, why is this being made more complicated than it needs to be? The FDO dates aren't participant specific and don't stop a participant doing it early. For organisations like Biza who are both Holder and Recipient they are the understood as the dates the DSB has agreed they will align. Not doing this is literally ignoring various feedback and the Ministers explicit direction to the Chair.

Feedback: Align to the Obligation Date Schedule

Is that clear enough?

[da-banking]

Today's call with Treasury and Michael (DSB) was really useful.

We have the following additional comments following that call:

Nominated Reps We feel there needs to be some screen designs of the nominated reps UI, to help give guidance to data holders. The DSB indicated on the call that this may be possible

Can you explain the difference between a business consumer and a nominated rep?

Should the online service allow a business consumer to remove a nominated rep (i believe this was a yes)?

If so, what does that mean. i.e. should that remove them as a signatory from the account also? If it's a multi-to-sign account, could that increase the risk of fraud by letting a nominate rep change it to a 1-to-sign account?

[jill-adatree]

Today's call with Treasury and Michael (DSB) was really useful.

We have the following additional comments following that call:

Nominated Reps We feel there needs to be some screen designs of the nominated reps UI, to help give guidance to data holders. The DSB indicated on the call that this may be possible

Can you explain the difference between a business consumer and a nominated rep?

Should the online service allow a business consumer to remove a nominated rep (i believe this was a yes)?

If so, what does that mean. i.e. should that remove them as a signatory from the account also? If it's a multi-to-sign account, could that increase the risk of fraud by letting a nominate rep change it to a 1-to-sign account?

AFAIK, a business consumer is the entity. A nominated representative is a employee, director or individual to make the consent, on behalf of the business. Think of it as giving someone access to online banking - they're just an individual.

The nom rep should only be in scope of CDR permissions to consent to data sharing - changing the signing authority of the account in general is well out of scope for this.

[DW-UDA]

Nominated Representatives Changes to the Nom Rep process have been mentioned. Now required to provide an online service. The change describes this being readily accessible for 'online account administrators' to be appointed as Nom Reps. In attempting to interpret this change is the following example accurate:

• Business has 2 signatories who have online access to the business' accounts These 2 signatories should be able to appoint themselves as Nom Reps for the business via an online service
• A 3rd signatory has no online access to the business' accounts This signatory cannot appoint themselves as Nom Rep directly, but could contact the Data Holder and have themselves set up as Nom Rep - does not need to be an online service

Please advise

Thanks DA Banking

Has any guidance from Treasury been received on this query?

And as a follow-up question, in the scenario above would the 2 signatories with online access be permitted to appoint the other signatories as nominated representatives? Or are the rules intended to prevent a nominated representative from appointing another nominated representative?

I can't see anything in the current rules or proposed rule changes that defines any requirements for who can be a nominated representative (other than being an individual over 18), so does anything stop a nominated representative who is a signatory for a business's accounts from appointing a nominated representative who has no operational relationship to the business's accounts?

Apologies if I am missing something obvious here.

[CDR-CX-Stream]

Thanks all for your points relating to nominated representatives.

We are discussing these points with CDR agencies and, as they are rules and potentially policy queries, our discussions will consider how best to provide any associated guidance.

[perlboy]

Nominated Reps We feel there needs to be some screen designs of the nominated reps UI, to help give guidance to data holders. The DSB indicated on the call that this may be possible

Happy to participate in any discovery the DSB would want on this with a fully functional interface.

Business has 2 signatories who have online access to the business' accounts These 2 signatories should be able to appoint themselves as Nom Reps for the business via an online service

That's generally how it works in existing implementations although they can appoint themselves or others with pre-existing relationships (i.e. signatory), otherwise it is a paper based overlay to the same outcome.

A 3rd signatory has no online access to the business' accounts This signatory cannot appoint themselves as Nom Rep directly, but could contact the Data Holder and have themselves set up as Nom Rep - does not need to be an online service

They would still need to be able to authenticate. The most likely pathway to this is onboarding into online banking.

Can you explain the difference between a business consumer and a nominated rep?

⚠️ Consult Legal Advice:

Should the online service allow a business consumer to remove a nominated rep (i believe this was a yes)?

⚠️ Consult Legal Advice:

With a special callout to the the nominated rep acting in the business consumer capacity to remove a nominated rep (including themselves).

If so, what does that mean. i.e. should that remove them as a signatory from the account also? If it's a multi-to-sign account, could that increase the risk of fraud by letting a nominate rep change it to a 1-to-sign account?

In circumstances they are still able to read the contents of the account? If so, the authorisation would be for the data sharing component (ideally as an individual action). Other account functions aren't in scope right now.

AFAIK, a business consumer is the entity. A nominated representative is a employee, director or individual to make the consent, on behalf of the business. Think of it as giving someone access to online banking - they're just an individual.

👍

The nom rep should only be in scope of CDR permissions to consent to data sharing - changing the signing authority of the account in general is well out of scope for this.

Agreed with data sharing being the first of many CDR specific permissions.

Has any guidance from Treasury been received on this query?

Can the signatories ask for information about previous transactions?

And as a follow-up question, in the scenario above would the 2 signatories with online access be permitted to appoint the other signatories as nominated representatives? Or are the rules intended to prevent a nominated representative from appointing another nominated representative?

Can they both read it? Current implementations have all nominated representatives with equal privilege or via paper enablement. For the purposes of sharing if anything this now makes those reading the data accountable.

I can't see anything in the current rules or proposed rule changes that defines any requirements for who can be a nominated representative (other than being an individual over 18), so does anything stop a nominated representative who is a signatory for a business's accounts from appointing a nominated representative who has no operational relationship to the business's accounts?

They are a signatory, by definition they have an operational relationship as part of the Corporations Act. Either they (or the other nominated reps) would be ineligible because they have either actively disabled sharing permissions (or actively enabled them). I presume what the default is would be left to data holder discretion (both still meet the definition of "providing a service").

Apologies if I am missing something obvious here.

Every persona being talked about is assumed to already be able to read the data, the CDR sharing is explicit and informed rather than being implied by proxy of internet banking access. If memory serves, in existing implementations all Nominated Representatives are notified of sharing when establishment occurs. Realistically if another nominated representative was made aware of it they could contact the Recipient in the business consumers ("CDR consumer") capacity and request data deletion etc.

Edit: Apologies for lots of edits, collating into one response.

[CDR-CX-Stream]

Thanks to those that contributed to DP350. This consultation is now closed.

The DSB will work with the Treasury regarding the nominated representative proposals for standards and guidelines, which will be considered following a review of the submissions.

The DSB is also working with CDR agencies to develop responses to the outstanding queries in this thread.

[joshuanicholson]

Regarding nominated representatives, we would like to suggest a missing element is performance or SLA requirements for data holders. There is no benefit to the ecosystem to have any process without KPI/SLA expectations. Consumers have become accustomed to online banking and related digital services. They are attempting to share data with an ADR via an online and real-time service. Therefore, an online process must provide the same expectations and experiences.

We suggest 1) an administrator authorising themself or another administrator should have an SLA of sub 15 minutes. 2) an administrator nominating people other than administrators be less than two business days

The current experience of forms taking several weeks (or even months) to approve is not sustainable. It's causing significant friction and is hindering the adoption of CDR. We need to make these changes to ensure a smoother and more efficient process.

[CDR-CX-Stream]

Thanks to those who raised queries regarding the nominated representative process, which have now been discussed with CDR agencies. To avoid confusion, responses and guidance will be held off until any final rules relating to the nominated representative changes are made.

[DW-UDA]

The amended CDR rules have been published this week and it seems that all of the rule changes relating to the nominated representative process have been excluded. https://www.legislation.gov.au/F2024L01409/latest/text

Does anyone know if there is there any indication of whether the initially proposed changes have been scrapped or just postponed?

[da-banking]

Will we be issued with a final document of what has been approved - including obligation dates, similar to the Decision Proposal doc?

[CDR-CX-Stream]

Thanks @DW-UDA and @da-banking for your comments.

These standards are currently with Data Standards Advisory Committee members for input before a decision is put to the Chair. The decision record will be posted here, pending the Chair's decision.

Regarding the final rules and where proposals were not progressed, see this Treasury summary.

Two items that were not progressed in the rules, which impact the proposed and requested CX standards raised in this issue, include the nominated representative process changes and the deletion by default proposal.

The rationale provided by the Treasury for each is as follows:

Deletion by default Stakeholders were divided on the proposal to require data recipients to delete redundant data by default. Some indicated it would strengthen the protection of redundant consumer data. However, most stakeholders raised concerns that the deletion of redundant data by default would negatively affect business models, including data recipients’ ability to innovate and undertake product development. This acts as a disincentive to use CDR compared to other data sharing arrangements. Submissions also noted the change is out of step with global privacy laws, including the 2023 Privacy Act Review. In response to this feedback, this measure has not been included in the final rules package.

Nominated representatives While accredited data recipients emphasised the importance of improving the process for businesses to unlock the benefit of CDR, many suggested the proposed amendments would not materially improve outcomes for business consumers in their proposed form. Further, several data holders did not support this proposal based on the potential implementation costs, misalignment with existing business practices and the limited uptake to date of the CDR by their business customers. In response to this feedback, the Government has asked Treasury to explore potential alternative approaches that would support business consumer use of the CDR.

[CDR-CX-Stream]

The Chair has now made binding standards in relation to Decision 350 for:

• CDR Receipts
• 90-day notifications
• amending consents

These standards have a future dated obligation of 14 July 2025.

Further details are included in the decision record, which is attached to the original post.

[da-banking]

Thanks for the document regarding the 3 areas mentioned. Are we to expect another communication regarding the remaining areas - particularly interested in decisions made regarding Secondary Users. Thanks

[CDR-CX-Stream]

Hi @da-banking

In relation to secondary users, I understand you to be referring to the DH dashboard requirement to allow the account holder to stop sharing at any time 'in relation to a particular ADR', in response to requests made by a particular secondary user.

This requirement was outlined in 4.6A(a)(ii) and rule 1.15(5)(b)(i), as discussed in our ceasing secondary user sharing guidance, and was informally referred to as the 'ADR block'.

If this is the area you are referring to, the new rules have repealed 1.15(5)(b)(i) and appear to have removed the cross reference in 4.6A's note. Paragraph 1.15(5)(b) now only refers to these requirements:

(b) allows the account holder, at any time, to withdraw the secondary user instruction; and (c) as part of the process of withdrawing a secondary user instruction, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing a secondary user instruction; and (d) is simple and straightforward to use, and is no more complicated to use than the processes for giving the authorisation or instruction; and (e) is prominently displayed and readily accessible to the account holder.

We understand this to mean the 'ADR block' is no longer required, and account holders are instead to rely on the secondary user instruction being removed if they wish to stop a secondary user's ability to share data. This is only a DSB interpretation - this change does not appear to have been included in Treasury's summary, so we will seek CDR agency input for guidance.

[da-banking]

Thanks that would be great. In our earlier comments regarding ceasing secondary user sharing we mentioned the following:

Secondary Users proposed rule change We would like to see this reflected as a change in the standards and request that any Data Holders who have implemented this 'block' remove it. This assists in the maintenance of code and makes the user experience more manageable. Furthermore, could there be clarity regarding any potential 'blocks' already in place. Should these be removed?

[markskript]

The reference to a lack of business uptake being a factor in the decision to not proceed with the nominated rep changes is non-sensical. Businesses are favouring screen-scraping currently due to the complexities of the current process.

We are very much looking forward to hearing from Treasury as to their plans on how resolving this complexity will be addressed,

[CDR-CX-Stream]

@da-banking in response to your query the rules explanatory statement suggests that the ADR block functionality in relation to secondary user sharing is not prohibited, and as such data holders would not be required to remove it:

51. Existing subparagraph 4.6A(a)(ii) in the CDR Rules continues to apply to block data holders sharing data to a particular accredited person where data holders choose to still provide the more granular functionality.

The usual disclaimer applies that this is only a suggested interpretation and compliance is the responsibility of participants - but I hope this helps as a starting point.