13 September 2021

Part 1: Introduction

1.1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on Treasury’s proposed package of amendments to expand the Consumer Data Right (CDR) to the energy sector, including the draft CDR rules amendments (Version 4 Rule amendments), exposure draft regulations and the consultation paper with proposals for further consultation.

1.2 The Version 4 Rule amendments include draft Rules to establish a peer-to-peer data access model and seek to address a number of matters specific to the energy sector. These include eligibility requirements, internal and external dispute resolution processes, reporting obligations and the application of a staged implementation process. The draft Rules also make some consequential amendments to reflect amendments to Part IVD of the Competition and Consumer Act 2010 (Cth) (Competition and Consumer Act) introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020.

1.3 In addition, to accompany the draft Rules, Treasury has released exposure draft regulations for consultation. These draft regulations would, among other things, exempt the Australian Energy Market Operator (AEMO) from certain privacy safeguard obligations in Part IVD of the Competition and Consumer Act, and instead apply these privacy safeguard obligations to a retailer who receives CDR data from AEMO.

1.4 We understand from the consultation paper that Treasury is particularly interested in stakeholder views on the draft Rules relating to the eligibility of CDR consumers, correction requests for AEMO data, the staged application of rules to the energy sector, and the regulatory impacts and costs of extending the CDR to the energy sector.

1.5 The functions of the Australian Information Commissioner (Commissioner) include examining proposed enactments that may have an adverse effect on the privacy of individuals and minimising such effects.[1] Under Part IVD of the Competition and Consumer Act, the Commissioner must also be consulted before CDR rules are made on the likely effect of making the instrument on the privacy or confidentiality of consumers’ information.[2]

1.6 The OAIC makes this submission to provide our current consideration of the privacy impacts of the draft Rules and how any adverse effects may be minimised.

1.7 As outlined in the OAIC’s earlier submission to the Australian Competition and Consumer Commission’s (ACCC’s) consultation on the CDR Energy Rules Framework,[3] we note that energy data can, like banking data, reveal granular insights about many aspects of an individual’s life. For example, emerging technologies, such as smart meters and sensors, are increasingly used in the energy sector to improve energy efficiency. Such devices make it easier to analyse consumption patterns, identify the use of specific appliances in a household, and track energy usage, which can be used to profile and extract insights into the movements, lifestyle and interests of occupants. Further, as the CDR is rolled out across the economy and data sets from different sectors can be combined, richer and more granular insights may be derived about individual consumers from CDR data. This may create opportunities for innovation and consumer benefit, but also give rise to increased privacy risk.

1.8 Providing a consistent, high level of protection under the Rules is necessary to reflect the sensitive nature of CDR data, but also for maintaining consumer confidence in the integrity of the CDR system, regardless of the CDR sector with which they engage. The current privacy foundations are built to support the success of CDR and should not be diminished.

1.9 The OAIC supports the approach taken in the Version 4 Rule amendments of applying consistent rules across the economy to the extent possible, with energy-specific rules being developed only when necessary. OAIC notes that there are some energy-specific aspects of the draft Rules that may lead to fragmented privacy rights under the CDR, and result in energy consumers being afforded fewer privacy protections than banking consumers. For example, the proposals in the draft regulations do not apply Privacy Safeguard 11 quality obligations to AEMO data, and defer to existing industry practices. The OAIC makes recommendations for an alternative, more privacy-enhancing approach for Treasury’s consideration below.

1.10 The OAIC supports Treasury’s decision to engage an external legal provider to conduct a Privacy Impact Assessment (PIA) on the Version 4 Rule amendments, and we strongly recommend that Treasury has regard to its recommendations as it finalises the Rules. The OAIC has highlighted specific matters below that it considers should be addressed in the PIA, in particular confirming the assumption that AEMO does not hold, and will not hold as a result of the new peer-to-peer energy data sharing arrangements, any CDR data for which there is a CDR consumer.[4]

1.11 The OAIC provides detailed comments and recommendations regarding the draft Rules and regulations below, and we are available to discuss our submission with Treasury.

Recommendations

Recommendation 1 That Treasury make Rules that require retailers to provide additional information regarding their interactions with AEMO in their CDR policy and through the relevant authentication, authorisation and notification processes.

Recommendation 2 That the draft Rules be amended to clarify that retailers must make records in relation to AEMO data in accordance with draft Rule 9.3(1)(ca) prior to deleting AEMO data under draft Rule 1.24(2).

Recommendation 3 That the PIA explicitly address whether AEMO will hold any CDR data for which there are one or more CDR consumers under the new peer-to-peer arrangements. Further, that the PIA consider whether any additional protections are required to ensure that the new energy data flows in CDR do not result in AEMO handling any CDR data for which there is a consumer.

Recommendation 4 That modified Privacy Safeguard 11 quality obligations be included in the CDR Rules, to the extent possible, to ensure that retailers take reasonable steps to ensure that the AEMO data they are disclosing under the CDR system is accurate.

Recommendation 5 That the Privacy Safeguard 13 correction processes for AEMO data be further aligned with the existing protections in Rule 7.15, to the extent possible.

Recommendation 6 That Treasury consider how existing Rule 4.12(3)(b) would apply in the energy sector, and whether further enhancements (whether to Rule 4.12(3)(b), or in the form of additional new rules) are required to mitigate against the privacy risks that may arise for non-consumers who are the subject of CDR energy data.

Recommendation 7 That where energy retailers handle non-energy CDR data for a non-energy purpose in their capacity as an ADR, the Rules be amended to require they be members of the AFCA EDR scheme in relation to complaints relating to that data.

Recommendation 8 That Rules be made under Privacy Safeguard 11 to give CDR participants certainty about the scope of their obligations.

Part 2: About the OAIC and our role in the CDR system

2.1 The OAIC is Australia’s independent regulator for privacy and freedom of information. The OAIC co-regulates the CDR system together with the ACCC. The OAIC enforces the privacy safeguards contained in Part IVD of the Competition and Consumer Act as well as the privacy and confidentiality related rules. In addition, the OAIC has a number of statutory advisory and guidance functions under the CDR framework. For example, the OAIC provides advice to the Minister and CDR agencies on the privacy implications of making rules and designating a potential sector,[5] recognising an external dispute resolution scheme,[6] and makes guidelines on the operation of the privacy safeguards.[7]

2.2 The OAIC is also responsible for undertaking strategic regulatory and enforcement action in relation to the protection of privacy and confidentiality, as well as investigating individual and small business consumer complaints regarding the handling of their CDR data.

2.3 Our goal as regulator of the privacy aspects of the CDR system is to ensure that the system’s robust data protection and privacy framework and effective accountability mechanisms protect consumers’ CDR data (personal information).

Part 3: OAIC comments on exposure draft energy rules and regulations

Peer-to-peer rule obligations relating to AEMO data

3.1 The proposed Version 4 Rule amendments give effect to the peer-to-peer model, where the consumer’s retailer is responsible for obtaining the requested AEMO data from AEMO, and disclosing all requested CDR data to the accredited data recipient (ADR). As set out in the draft Rules, ‘AEMO data’ includes National Metering Identifier Standing Data (NMI Standing data), metering data and Distributed Energy Resource (DER) register data.[8]

3.2 Specifically, the retailer is responsible for interacting with the consumer, seeking AEMO data, receiving and responding to consumer data requests, authentication and authorisation, and complying with the privacy safeguards applicable to data holders. The OAIC supports this model of responsibility for a number of reasons. The information flows are less complex, it provides a consistent consumer experience across banking and energy, and it continues to deliver strong and secure processes for the authentication and authorisation of CDR data. This model also will likely align best with consumer expectations (in that consumers can continue to interact with their existing retailer, rather than multiple/new entities). It will however be important to ensure that all retailers, some of whom are relatively small, will be able to comply with the technical requirements of being a data holder.

3.3 Further, to enhance transparency for consumers in relation to the operation of the peer-to-peer model, the OAIC recommends that consumers be made aware of how the retailer will fulfil consumer data requests that include AEMO data. For example, it would be useful for the rules to require retailers to state that they will be responsible for:

  • the disclosure of the AEMO data (as well as for authentication, and seeking authorisation for access to AEMO data), and
  • notifying the consumer about the disclosure, and to what extent it is responsible for correction and accuracy of that CDR data.

3.4 The OAIC therefore recommends that to further strengthen transparency requirements, Treasury make Rules that require this information to be provided in the retailer’s CDR policy, as well as through the relevant authentication, authorisation and notification processes.

Recommendation 1 That Treasury make Rules that require retailers to provide additional information regarding their interactions with AEMO in their CDR policy and through the relevant authentication, authorisation and notification processes.

3.5 The OAIC also supports the inclusion of appropriate data handling limitations on retailers to ensure that they are not able to collect, use or disclose AEMO data for a purpose other than fulfilling the consumer’s data request. Specifically, under the draft Rules retailers:

  • can only collect, use, or disclose AEMO data for the purpose of securely transmitting the data to an accredited person to fulfil a consumer data request (Rule 1.24(1)), and
  • must delete AEMO data in accordance with existing requirements under Rule 1.18, after it has responded to the request (draft Rule 1.24(2)).

3.6 However, based on our reading of draft Rule 1.24(2) regarding the requirement to delete AEMO data, it is not clear how the deletion process interacts with the requirement to keep and maintain records about AEMO data requests and responses under draft Rule 9.3(1)(ca).[9] The OAIC would be concerned if, for example, a retailer deleted AEMO data prior to making such a record. The OAIC therefore recommends that the draft Rules be amended to clarify that retailers must make records in relation to AEMO data in accordance with draft Rule 9.3(1)(ca) prior to commencing the deletion process.

Recommendation 2 That the draft Rules be amended to clarify that retailers must make records in relation to AEMO data in accordance with draft Rule 9.3(1)(ca) prior to deleting AEMO data under draft Rule 1.24(2).

3.7 Under the draft Rules and regulations, AEMO is not required to comply with several of the data holder obligations under the CDR system, including the privacy safeguards, dispute resolution processes or authentication and authorisation processes, in carrying out its role in the peer-to-peer model. We understand that this approach is based on the view that AEMO does not hold any CDR data for which there are one or more ‘CDR consumers’.[10]

3.8 If AEMO does not hold any such data, and will not hold any such data under the proposed new data-sharing model for energy, the OAIC does not have concerns with exempting AEMO from its privacy obligations in the way proposed. However, the OAIC notes that it is not aware of the detailed factual basis for reaching this conclusion. We note that understanding the character of the data that will flow between AEMO and energy retailers is critical to identifying and minimising any impacts on privacy under a peer-to-peer model, and whether the proposed approach regarding AEMO’s obligations is appropriate.

3.9 We recommend that to ensure an abundance of clarity, the PIA should explicitly address whether AEMO will hold any CDR data for which there is one or more CDR consumers under the proposed new data-sharing model, to ensure that the proposed privacy settings are appropriate. The PIA could also make recommendations regarding any additional arrangements or protections that would help to ensure that the new energy data flows in CDR do not result in AEMO handling any CDR data for which there is a consumer.

Recommendation 3 That the PIA explicitly address whether AEMO will hold any CDR data for which there are one or more CDR consumers under the new peer-to-peer arrangements. Further, that the PIA consider whether any additional protections are required to ensure that the new energy data flows in CDR do not result in AEMO handling any CDR data for which there is a consumer.

Part 4: Application of the privacy safeguards to AEMO data

4.1 The privacy safeguards are legally binding statutory provisions, which ensure the security and integrity of the CDR system by setting out obligations in relation to the handling of CDR data for which there are one or more consumers. Under section 12 of the Consumer Data Right (Energy Sector) Designation 2020 (the Energy Designation), AEMO is specified as the data holder for NMI Standing data, metering data and DER register information (as they relate to arrangements under which electricity is supplied to consumers). However, we understand that as AEMO’s role in the CDR is unique, the draft regulations propose to exempt AEMO from its data holder privacy safeguard obligations with respect to CDR data held by AEMO under the designation instrument, and instead apply these privacy safeguard obligations to a retailer who receives CDR data from AEMO.

4.2 These draft regulations have been developed based on the view that AEMO data would not ‘be CDR data for which there is one or more CDR consumers’ and would therefore not be subject to the Privacy Safeguards (see e.g. ss 56EB and 56AI(3) of the CCA).[11] Further, as AEMO does not have a direct relationship with CDR consumers, retailers are seen to be better placed than AEMO to ensure the privacy safeguard obligations are met in relation to that data.[12]

4.3 The OAIC is broadly supportive of the development of these regulations which seek to clarify the application of Privacy Safeguards, and to provide a better consumer experience by applying them to the retailer. However, the OAIC would be concerned if these regulations resulted in fragmented privacy rights under the CDR, and afforded energy consumers with fewer privacy protections than CDR banking consumers.

Privacy Safeguard 11 (Quality of CDR data)

4.4 The OAIC notes that under the proposed regulations, there would be no data holder quality obligations (Privacy Safeguard 11) under the energy CDR framework for AEMO data. While we appreciate that there are existing correction processes and obligations under the National Energy Legislation (NEL) and the National Energy Rules (NER), the rationale in Part IVD of the Competition and Consumer Act for having specific privacy safeguards in the CDR system was to impose stronger privacy obligations on participants. For example, in banking, data holders must comply with Privacy Safeguards 11 and 13 instead of the obligations under Australian Privacy Principles 10 and 13 in the Privacy Act. This was intended to ensure that there would be a consistent, high standard of privacy protections for all individuals and business enterprises operating in the CDR system.[13] More specifically, Privacy Safeguard 11 is intended to ensure that the data that flows through the CDR system is of a high standard, and that consumers are able to ensure any data errors are corrected promptly.

4.5 Relying on existing industry practices to ensure the quality of CDR data may therefore lead to fragmented privacy rights under the CDR system, with energy consumers afforded fewer rights around the quality of their CDR data than banking consumers. For example, even if the quality and correction processes under the NEL and NER were equivalent to those in the CDR, these protections cannot be investigated or enforced by the OAIC, and consumers would not have redress under the CDR system in relation to any failures to ensure the quality of AEMO data. By contrast, for all other data holders Privacy Safeguard 11 is a civil penalty provision.

4.6 It is also our understanding that the processes and obligations under the NEL do not provide equivalent protections to Privacy Safeguard 11.[14] For example, there is no equivalent provision to inform the consumer within 5 business days in the event incorrect CDR data is disclosed to an ADR.[15] There is also no express requirement on the retailer to re-disclose corrected AEMO data to the ADR when requested by the consumer.[16]

4.7 While the OAIC appreciates a tailored approach may need to be taken, it appears to us that it would be appropriate to extend certain Privacy Safeguard 11 obligations to retailers (via the amended CDR Rules). For example, the obligation in s 56EN(3) that ensures that a data holder advises the consumer if they later become aware that previously disclosed CDR data is incorrect, and the obligation to re-disclose data that has been corrected where requested by the consumer under s 56EN(4).

4.8 The protections outlined in Privacy Safeguard 11 could be appropriately extended to retailers via the CDR Rules, by taking a similar approach to that proposed for extending the protections in Privacy Safeguard 13 in the draft regulations. The Privacy Safeguard 11 protections could be extended to retailers with appropriate modifications that would enable the retailer to comply, while also giving consumers an effective mechanism for redress. As with the proposed approach for extending Privacy Safeguard 13, the rules could separately set out the appropriate steps a retailer would be expected to take to ensure accuracy of CDR data under the NEL and NER framework, replacing the obligations in s 56EN(1).

4.9 The OAIC therefore recommends that instead of relying solely on existing industry practices, modified Privacy Safeguard 11 quality obligations be provided under the CDR Rules (to the extent possible), to ensure that retailers take appropriate steps to ensure:

  • the AEMO data they are disclosing under the CDR system is accurate, up to date and complete
  • consumers are informed in the event that the retailer becomes aware that AEMO data it has disclosed under the CDR system is incorrect, and
  • the retailer is responsible for disclosing corrected CDR data to the ADR where requested by the consumer.[17]

Recommendation 4 That modified Privacy Safeguard 11 quality obligations be included in the CDR Rules, to the extent possible, to ensure that retailers take reasonable steps to ensure that the AEMO data they are disclosing under the CDR system is accurate.

Privacy Safeguard 13 (Correction of CDR data)

4.10 The draft Rules modify the Privacy Safeguard 13 process for the correction of AEMO data as it applies to retailers. In addition, the draft regulations remove the Privacy Safeguard 13 requirements from AEMO, and allocate the relevant obligations to retailers.

4.11 The modified correction process would allow consumers to request that their AEMO data be corrected through the CDR system, by requiring the data holder to initiate correction processes in accordance with the NER. Specifically, clause 6.1 of Schedule 4 requires retailers to initiate correction procedures under the NER for NMI Standing data and metering data, and refer the correction request to the appropriate electricity distributor to action for DER register data within 5 business days. The retailer is also required to provide the CDR consumer with information that explains what the retailer has done in response to the correction request within 10 business days. If it was not possible or appropriate for the retailer to take such actions, the retailer must explain why it was not possible or appropriate, and outline the complaint mechanisms available.

4.12 The OAIC is broadly supportive of these draft Rules and regulations, as they allow the retailer to comply with the correction obligations relating to AEMO data, while providing redress mechanisms to the consumer. However, while most Privacy Safeguard 13 correction obligations that would otherwise apply to a data holder are included, there are some provisions of clause 6.1 of Schedule 4 where timeframes and obligations are not aligned with existing Rule 7.15. For example, the modified Privacy Safeguard 13 obligations for responding to correction requests relating to AEMO data do not include an obligation similar to that under existing Rule 7.15 to acknowledge the consumer’s correction request. It is also not clear why the retailer has 5 business days to initiate the correction processes, instead of aligning with the existing rule requirement that this occur ‘as soon as practicable’.

4.13 The OAIC therefore recommends that the Privacy Safeguard 13 correction processes for AEMO data be further aligned with those in existing Rule 7.15, to the extent possible.

Recommendation 5 That the Privacy Safeguard 13 correction processes for AEMO data be further aligned with the existing protections in Rule 7.15, to the extent possible.

Part 5: Customer eligibility - protections for non-consumers who are the subject of CDR energy data

5.1 The Version 4 Rule amendments set out consumer eligibility for the energy sector, providing that a consumer must be a customer of the retailer in relation to an ‘eligible arrangement’, and where the account(s) relate to the arrangement. An ‘eligible arrangement’ is an arrangement that relates to one or more connection points or child connection points for which there is a financially responsible market participant in the National Electricity Market.[18]

5.2 Under these eligibility criteria, CDR data may be shared irrespective of whether the requesting consumer resides at the premises to which the CDR data relates (for example, in a scenario where a landlord pays a tenant’s utility bill, and the landlord makes a CDR consumer data request). We note that under existing Rule 4.12(3)(b), ADRs are prohibited from using CDR data to identify, compile insights in relation to, or build a profile in relation to any identifiable individuals who are not the consumer who made the consumer data request.

5.3 Based on our reading of this rule, and when taken together with the eligibility criteria and definition of CDR consumer in s 56AI of the Competition and Consumer Act, it is not clear to us whether ADRs would be prevented by Rule 4.12 from using CDR energy data for these purposes (i.e. identifying, profiling of an identifiable individual), where the data relates to a premises where the account holder themselves does not reside.

5.4 The OAIC therefore recommends that Treasury consider how Rule 4.12(3)(b) applies to the sharing of CDR data in the energy sector, and whether there are specific scenarios or use cases involving non-consumers that may raise significant privacy risks and require additional protections. For example, whether landlords are able to share energy data with ADRs to identify, compile insights in relation to, or build a profile in relation to their residential tenants in a way that reveals granular and/or sensitive personal information, in ways the tenant may not reasonably expect or consent to.[19]

5.5 While we appreciate that the Rules need to remain workable to allow ADRs to derive granular insights about a CDR consumer’s energy account generally, we consider that further privacy enhancements and protections may be required to prohibit specific uses of CDR energy data that may raise significant privacy risks for individuals who are the subject of that data, but not the CDR consumer. We consider that CDR data privacy issues affecting non-consumers – for example, some residential tenants – are likely greater in the energy sector when compared with the banking sector,[20] and so this issue requires some further consideration to ensure the privacy settings are appropriate.

Recommendation 6 That Treasury consider how existing Rule 4.12(3)(b) would apply in the energy sector, and whether further enhancements (whether to Rule 4.12(3)(b), or in the form of additional new rules) are required to mitigate against the privacy risks that may arise for non-consumers who are the subject of CDR energy data.

Part 6: External dispute resolution

6.1 Clause 5.2 of Schedule 4 sets out the external dispute resolution (EDR) processes for the energy sector, subject to a notifiable instrument being made.

6.2 Under the proposed rules, data holders who are retailers must be members of each relevant State or Territory energy and water ombudsman scheme. Accredited persons must be members of the Australian Financial Complaints Authority (AFCA).

6.3 While we note that this approach of having two EDR schemes is more complex than the single-EDR model in banking, we appreciate that this helps to align with existing processes in the energy sectors. The OAIC does not have concerns with such an approach, provided consumers are given clear information on how they can access EDR schemes in energy, and which EDR they should approach. Further, we note the OAIC would be able to assist in line with the ‘no wrong door’ approach, referring any complaints to the relevant EDR scheme if appropriate under s 50 of the Privacy Act.

6.4 However, we note that under proposed clause 5.2(3), energy retailers who are collecting and using non-energy data in their capacity as an ADR for the purpose of providing a service outside of the energy sector would be allowed to continue to be members of the energy and water ombudsman only in relation to any complaints, unless they do not have such an EDR in their jurisdiction.[21]

6.5 The OAIC considers that if an accredited person who is also an energy retailer handles non-energy CDR data for a non-energy purpose, that accredited person should be required to be a member of AFCA. This is because the OAIC understands that, pursuant to the draft Rules being made in their current form, AFCA will be the only EDR able to consider CDR complaints from multiple sectors. This would also ensure that all consumers are able to access consistent EDR processes where an ADR that holds their data is operating across multiple sectors. It will also ensure that complaints that are of a similar nature are handled consistently, regardless of what sector they are operating in.

Recommendation 7 That where energy retailers handle non-energy CDR data for a non-energy purpose in their capacity as an ADR, the Rules be amended to require they be members of the AFCA EDR scheme in relation to complaints relating to that data.

Part 7: Consequential amendments to the Competition and Consumer Act

7.1 The OAIC supports the amendments to the Rules made under Privacy Safeguards 1, 2 and 5[22] to ensure alignment with the amendments to Part IVD of the Competition and Consumer Act introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020.

7.2 This instrument also amended Privacy Safeguard 11 (section 56EN) so that a consumer’s request for correction and the subsequent disclosure of corrected data must be in accordance with the CDR Rules.[23] The OAIC notes however that no such Rules have been proposed to be made in the Version 4 Rules.

7.3 Consistent with parliamentary intent, the OAIC recommends that Rules be made under Privacy Safeguard 11, for example to clarify that a valid (current) consent should be in place as a precondition to being able to make a request to disclose corrected data under s 56EN(4), as well as outlining the circumstances in which a CDR participant is not required to comply with a request (such as when an ADR no longer provides relevant CDR services).[24] Such Rules are required to provide certainty to CDR participants about how they should comply with their obligations to disclose corrected data under Privacy Safeguard 11 (section 56EN(4)), and minimise the risk that a CDR participant might breach this obligation (a civil penalty provision).[25]

Recommendation 8 That Rules be made under Privacy Safeguard 11 to give CDR participants certainty about the scope of their obligations.

Footnotes

[1] See s 28A(2)(a) of the Privacy Act, which outlines the ‘monitoring related functions’ of the Commissioner including in relation to the examination of proposed enactments.

[2] See ss 56BQ and 56BR of the Competition and Consumer Act.

[3] OAIC’s submission to the ACCC’s Energy Rules Framework Consultation Paper, 28 August 2020, available at www.oaic.gov.au/engage-with-us/submissions.

[4] Or broadly speaking, ‘personal information’ (noting the definition in s 56AI(3) of the Competition and Consumer Act differs slightly to the definition of personal information in the Privacy Act 1988).

[5] The OAIC has a number of formal statutory functions under Part IVD of the Competition and Consumer Act 2010 (Cth) in relation to the making of rules and designation of a potential sector. For example, being consulted about the making of proposed rules and potential designated sectors (sections 56AD(3) and 56BQ), analysing the privacy impacts in relation to the making of proposed rules and potential sectors to be designated, when consulted (sections 56BR and 56AF), and producing a report about an instrument to designate a sector (section 56AF).

[6] Section 56DA(4) of the CCA requires the Minister to consult with the Information Commissioner before recognising an EDR under s 56DA(1).

[7] Under section 56EQ, the Information Commissioner must make guidance for the avoidance of acts or practices that may breach the privacy safeguards.

[8] See clause 1.3 of Schedule 4 of the draft Rules.

[9] Under draft Rule 9.3(1)(ca), a retailer must keep and maintain records that record and explain any requests for AEMO data under subrule 1.23(4) and responses received from AEMO under subrule 1.23(5) or (6).

[10] As defined by s 56AI(3) of the Competition and Consumer Act. As we understand it, a person cannot be identified or reasonably identified from AEMO data, or other information held by AEMO.

[11] See Recommendation 2 above in relation to this point.

[12] See Exposure Draft Explanatory Statement to the Competition and Consumer Amendment (Consumer Data Right) Regulations 2021.

[13] See the Explanatory Memorandum to the Treasury Laws Amendment (Consumer Data Right) Bill 2019.

[14] See section on Privacy Safeguard 13 below.

[15] See s 56EN of the Competition and Consumer Act and Rule 7.10(3).

[16] See s 56EN(4) of the Competition and Consumer Act.

[17] See s 56EN of the Competition and Consumer Act.

[18] Draft Rule 1.10B and clause 2.1 of Schedule 4 Part 2.

[19] For example, consumption patterns could be analysed to infer or reveal what time tenants wake up and/or go to sleep, when tenants have parties/visitors, when all occupants typically leave the house for the day, bathing and cooking patterns and when occupants water their garden, watch television or use specific devices/appliances.

[20] This is because energy accounts often relate to a premises where multiple individuals may reside, and in particular individuals who are not the CDR consumer. In the banking sector, while information about others can sometimes be derived from banking data (for example, payments to other accounts), CDR banking data is primarily about the individual account holder or joint account holders and not third parties.

[21] Where the jurisdiction does not have an energy and water ombudsman (for example, the Australian Capital Territory), the accredited person who is also a retailer must take the necessary steps to participate in the dispute resolution process provided by the jurisdiction that is appropriate for such accredited person complaints. See Clause 5.2(3) of Part 5 of Schedule 4 of the draft Rules.

[22] Draft Rules 7.2, 7.3 and 7.4.

[23] Explanatory Memorandum to the Treasury Laws Amendment (2020 Measures No. 6) Bill 2020, [2.43].

[24] See Explanatory Memorandum to the Treasury Laws Amendment (2020 Measures No. 6) Bill 2020, [2.43].

[25] In the absence of, for example, the cooperation of the relevant ADR to ensure corrected data is received. See above n 22.