The New Oil - The Australian Consumer Data Right Hits The Energy Sector.
Legal News & Analysis - Asia Pacific - Australia - Cybersecurity
18 September, 2019
Treasury and the ACCC release papers consulting on the introduction of the new 'consumer data right' in the Australian energy sector
What you need to know
On 29 August 2019, the Australian Competition and Consumer Commission (ACCC) released a position paper in relation to its proposed data access model for the consumer data right in the energy sector. On the same day, Treasury released a consultation paper seeking feedback on the scope of priority data sets and energy sector participants that should be included in the Treasurer's designation instrument extending the consumer data right to the energy sector.
These papers come hot on the heels of the Federal Government passing the Treasury Laws Amendment (Consumer Data Right) Act 2019 (the CDR Act) on 1 August 2019 (assented to 12 August 2019), originally slated for earlier in the year. The CDR Act amends the Competition and Consumer Act 2010 (Cth) to create a new 'consumer data right' that allows consumers (individuals and businesses) to access, or to direct the transfer to accredited organisations of, certain data held about them by businesses. The primary focus of the consumer data right has to date been implementation in the banking sector (also known as Open Banking, see our article here. However, as these recent papers demonstrate, preparation for implementation of the consumer data right in the energy sector is quickly following, with implementation in the telecommunications sector expected later.
In a previous paper, the ACCC targeted a mid-2020 date for commencement of a roll-out of the consumer data right in the energy sector. The position paper recognises that this timeframe will not be achievable and the ACCC will release a new implementation timetable later in 2019. The paper also clarifies key design aspects of the energy sector consumer data right, adopting a gateway model (where the Australian Energy Market Operator (AEMO) will be the contact point for consumers seeking access to data and various market participants will be required to implement measures to provide data to consumers on request, via a gateway operated by AEMO).
Key points to take away include:
- The Australian Federal Government has passed legislation for the implementation of a new consumer data right, under which consumers will have rights to access, and direct the transfer of, data held about them.
- With implementation of the consumer data right in the banking sector continuing to progress, regulatory attention is now turning to implementation in the energy sector.
- The ACCC has recognised that its previous target of mid-2020 for roll-out in the energy sector is not achievable, and a new timetable will be released later in 2019.
- Treasury, the ACCC and other regulators are consulting on key design decisions around the energy sector consumer data right, which will including changes to NEM regulatory frameworks and the Treasury's designation of in-scope data sets and affected energy sector market participants.
What you need to do
In the energy sector, the introduction of the consumer data right will supplement the data access mechanisms already available to consumers. Market participants with responsibilities for energy data, especially retailers, distributors and metering data co-ordinators, should:
- carefully review the CDR Act and the ACCC and Treasury papers to assess the impact of the consumer data right on their business, including whether they will be a data holder or would like to be an accredited data recipient;
- consider current practices and technologies used for the collection and disclosure of data, including security and privacy compliance, and mechanisms for API access, in light of the incoming consumer data right; and
- consider strategic approaches to assessing their data holdings and how that data may be used given an expected increase in the availability of energy sector data under the consumer data right.
Responses to the Treasury consultation paper are due by 27 September 2019. The ACCC will be continuing its consultations, including public consultation on the extension of the recently-finalised consumer data right rules to the energy sector, the development of a register of accredited data recipients and co-ordination with AEMO in designing its role as the designated gateway and changes to the National Electricity Market regulatory frameworks.
What is the Consumer Data Right?
The CDR Act sets out the regulatory framework for the creation of a new consumer data right for designated sectors of the Australian economy.
The new consumer data right creates a right to access information which a business holds. The right allows not just access to the data but a right to direct the data be transferred to a third party in a specified way (eg automated via an 'application programming interface' or API). For the energy sector, this would likely mean consumer rights to automatically transfer their data between retailers, as well as to third party service providers or intermediaries for 'value-added' services.
An important aspect for the energy sector is that under the CDR Act, the consumer data right is available to all individuals and businesses, regardless of size. This may be subject to limitations under the designation instrument to be issued by Treasury, which will set out the precise categories of data and entities that are considered in-scope.
Which sectors must make the data available?
The consumer data right will be progressively rolled out on a designated sector by sector basis.
After announcing that the first sector to receive the consumer data right will be the banking sector, the Federal Government announced that the next sector will be the energy sector. Under the CDR Act both the banking sector and the energy sector are exempt from the consultation requirements for designating a sector, so long as the Minister makes a designation before 1 July 2020.
Each designated sector will be subject to sector-specific consumer data rules that are to be approved by the Treasurer after being developed by the ACCC. On 2 September 2019, the ACCC has released its 'lock-down' version of the consumer data right rules in the banking sector, available here. Future consultations are expected to inform the development of these rules for the energy sector.
Who must make the data available and at what cost?
The CDR Act requires that all data holders within a designated sector must disclose designated consumer data sets to accredited data recipients, designated gateways or the consumer themselves at the direction of the consumer. Essentially it is the entity that generates or collects the initial transaction records or data about a consumer that will be considered the data holder. In addition, the third party data recipients can be required to disclose designated consumer datasets.
In the context of the energy sector, the consumer data right would cover retailers and AEMO and may be extended to distributors, metering data providers and State or Commonwealth energy comparison services (the Australian Energy Regulator or Victorian Energy Compare). At its commencement, the ACCC has noted that the consumer data right in the energy sector will only apply to the National Electricity Market (NEM), which excludes Western Australia and the Northern Territory.
The CDR Act also allows data holders to charge a fee for the disclosure of certain limited classes of data sets (as designated by the Minister), although the ACCC may intervene and determine a 'reasonable fee' for that data set, if it considers that a proposed fee is unreasonable. In the most recent draft of the Treasury's draft designation instrument (for the banking sector), the scope of data that may be subject to a fee has been significantly limited.
What data must be made available?
Under the CDR Act, the consumer data which must be disclosed to consumers and accredited data recipients includes sector specific designated datasets and any information that is subsequently derived from that data.
For the energy sector, Treasury's consultation paper highlights a range of 'priority data sets' that may be included in the consumer data right, including:
- initially, data sets available in the NEM, such as certain NMI Standing Data, metering data, customer-provided data, billing data, retail product data and distributed energy resource register data (relating to battery or solar photovoltaic systems) as well as additional data sets collected or available via smart meters; and
- in the future, additional 'complex' data sets such as gas metering data, non-NEM electricity metering data, other gas and electricity retail product data and electricity data for off-market embedded network customers. However, these data sets will be de-prioritised, to be addressed in a future version of the regime.
Interestingly, Treasury's discussion paper (much like the previous data access models paper from the ACCC) makes no mention of the categories of 'derived' data (also referred to as 'value added' or 'enhanced' data), including what derived data may be in-scope, or how those data sets may be disclosed under the proposed consumer data right model. This is a particularly important category for the energy sector, where the large data sets available lend themselves well to the development of value-added data sets and insights, and core data sets often require some level of enhancement.
The in-scope data set, and the entities to which the consumer data right will apply, are key questions that will have a significant effect on the operation and nature of the consumer data right in the energy sector. Affected energy sector participants are strongly recommended to review and provide a response to the Treasury consultation on these data sets.
What privacy and security obligations apply?
Under the CDR Act, there are specific enhancements to a consumer's rights in respect of their data which may be transferred under the consumer data right. In particular:
- data can only be transferred under the consumer data right at the direction of the consumer;
- consumer data held by accredited persons and designated gateways must be handled in accordance with specific 'privacy safeguards', which impose constraints on the collection, use and disclosure of consumer data by participants in the regime for all designated sectors. These apply in addition to, or in some cases in substitution of, the Australian Privacy Principles;
- the Privacy Act 1988 (Cth), including the eligible data breach notification regime, is extended to apply to all accredited data recipients, including small to medium sized enterprises; and
- new offences are created for misleading or deceptive conduct by persons about their participation in the consumer data right regime and civil penalties for non-compliance with the regime.
Importantly, the maximum potential civil penalty available in relation to the privacy safeguards (and other contraventions) is the greater of $10 million, three times the value of the benefit (if it can be ascertained) or 10% of the annual turnover of the organisation. This far exceeds the current penalties under the Privacy Act, which are limited to up to $2.1 million (although there have been separate proposals to increase the Privacy Act penalties, following the ACCC's Digital Platforms Inquiry).
Additional security standards will form part of the consumer data rules, developed by the ACCC for each sector, as well as the data standards developed by a newly created Data Standards Body (currently Data61).
Considerations for the Energy Sector
What does the ACCC position paper cover?
In its original discussion paper regarding data access models, the ACCC recognised the significant differences between the banking sector, which has been the focus of much of the consumer data right discussion to date, and the energy sector. For example, in the energy sector:
- data sets are held by a number of parties, including AEMO, retailers, distributors, metering data providers and (in the case of product data) State or Commonwealth energy comparison services;
- complex data flows and regulatory processes already exist, for billing, service provisioning, market settlement and to measure consumption; and
- there are existing rights of access to historical billing data and consumption data (under the National Electricity Rules and relevant State-based codes).
With this in mind, that paper focused on how an consumer data access model might operate in the complex multi-participant market that currently exists. In each case, the model would rely on the development of consistent APIs for the standardised, automated transfer of data between various parties.
After reviewing three different models for access to data, the ACCC proposed the AEMO gateway model, in which AEMO acts as a 'designated gateway', responsible for facilitating access to data, and the data is transmitted on-demand via API from the data holders to AEMO (rather than being held by AEMO on an ongoing basis).
This model will have significant impact on the cost and complexity of the implementation and ongoing operation of a consumer data right in the energy industry, particularly the scope of new capabilities market participants may be required to build and new compliance activities that they will be required to manage.
Consent and authentication under the consumer data right
Under the gateway model, AEMO will likely be responsible for obtaining appropriate consents and authenticating individuals that have rights to access data, in a centralised manner.
The CDR Act envisages that the consumer data rules for the energy sector will cover the requirements for consent to be validly given (including for authorisation for the disclosure and use of data and the rules around how such consent must be made in order to be valid), although the Government has stated that it expects that consent must be express.
For the energy sector, this may require reference to rules around informed consent (for example, under the National Electricity Retail Rules). The ACCC has indicated that it will be considering various issues in relation to authorisation and authentication models as an immediate next step, and a public consultation regarding these models will likely follow later this year.
Interaction with current regimes
To implement the consumer data right in the energy sector, changes to current regimes, including State and Territory regulation, will likely be required. In particular, changes will be needed to current data access regimes under the National Electricity Rules and State-based equivalents, which do not cover the full scope of data that is likely to be made available under the consumer data right. The ACCC expects that procedures will be able to leverage AEMO's existing e-Hub market protocols, although changes to particular standards will be necessary.
Importantly, the consumer data right is a Commonwealth initiative that is expected to apply across Australia, so to bring it to fruition will eventually require data sharing requirements to apply to non-NEM markets as well as to other fuels (eg gas). As noted above, these additional data sets have been left for a future version of the regime.
Next steps for the energy sector
The introduction of the consumer data right is another measure the Federal Government is hoping it can rely upon to be seen to increase competition, increase affordability and assist consumer choice in the energy sector.
The ACCC and Treasury papers demonstrate significant steps forward in the development of an energy sector consumer data right. However, it is clear that the significant effort required to implement the consumer data right will require further co-ordination from a number of regulators and government bodies, as well as considerable effort from market participants for the actual roll-out and various technology upgrades.
As a result, the timeframes for implementation of the energy sector consumer data right remain open, and mid-2020 implementation is unlikely to occur. However, the regime is ever marching forward, with the Treasury continuing with its consultation on in-scope data sets and entities and the ACCC updating the consumer data right rules for the energy sector, as well as the development of a register of accredited data recipients.
Further information about the Consumer Data Right
For further information, see our detailed summaries of previous iterations of the consumer data right and consumer data rules:
For further information, please contact:
Emma Butler, Partner, Ashurst