INSIGHT

Consultation begins on the CDR energy rules framework

By Phil O'Sullivan, Anna Collyer, Claudia Hall, James Daniel, Erica Tan

In brief

In preparation for the implementation of the Consumer Data Right (CDR) in the energy sector, on 8 July 2020 the ACCC released a draft energy rules framework (Framework) for consultation. The Framework explores the ACCC's approach to the CDR Rules (Rules) and CDR data sets for the energy sector, and matters which may require energy-specific rules.

This article provides an overview of the Framework and highlights the key issues which have been left open for further consideration.

Key takeaways

  • The Framework provides more detail on how the ACCC intends the CDR regime to apply in the energy sector, including amendments to the current Rules to accommodate the energy CDR.
  • The Framework re-emphasises that, given existing rights in the energy sector, the initial iteration of CDR will focus on transfers of CDR data to accredited data recipients (ADRs) as opposed to access by consumers to their CDR data.
  • The ACCC explores and seeks feedback on the following energy-specific requirements in the Framework (to address the characteristics of energy data, the sector, and to ensure the energy CDR regime operates consistently with pre-existing standards and practices in energy):
    • Gateway considerations – the ACCC has clarified that AEMO (as the gateway) will be restricted from holding or storing data which it receives from data holders, except as required for its gateway role.
    • Authentication models – the Framework sets out two possible models for authenticating CDR data requests, each of which adopts a modified version of the consumer redirect model under open banking. The ACCC has expressed its preference for authentication to be conducted by retailer data holders.
    • Dashboard – the ACCC has stated its preference for a single dashboard provided to consumers in connection with CDR, and is seeking consultation on whether this dashboard should be provided by AEMO or the retailer data holder.
    • Eligible consumer – the ACCC has suggested that eligible consumers for the sector will include customers without an online account, that data requests will be limited to the consumer's current premises and that (unlike open banking) data holders will not require a joint account management service.
    • Phased implementation – the Framework suggests that, similar to open banking, the largest energy retailers will be subject to the CDR regime first.
    • Costs – the Framework seeks comments on the ACCC's cost estimates for compliance with the CDR regime and Rules in the energy sector.
  • The Framework also identifies the following issues which will have an impact on other CDR sectors:
    • Accreditation – the ACCC is considering creating a new lower tier of accreditation for ADRs who are seeking to receive energy CDR data (and potentially less sensitive banking CDR data). This will have significant impacts across the energy and banking sectors if adopted, and will make it easier for entities to be accredited and to engage with the regime.
    • Customer threshold – the Framework suggests that smaller retailers (under a threshold number of customers) will be excluded from the CDR regime unless they opt in. This approach acknowledges the costs involved in engaging with the CDR regime, and may be adopted by the ACCC for future sectors.

Recap – what's happening with the CDR?

On 26 June 2020, the Government formally extended the CDR regime to the energy sector, under the Consumer Data Right (Energy Sector) Designation 2020.

The ACCC has confirmed that the current Rules are intended to apply equally across all sectors, including energy, and that changes will only be made where they are strictly necessary for additional functionality or to incorporate new sectors into the CDR regime. As such, the ACCC's consultation on the Framework seeks to identify where changes to the Rules are necessary for application to the energy sector. The ACCC is also providing the opportunity for stakeholders to comment on the existing cost estimates for compliance with the CDR regime and the Rules.

For further background, see our Insight: The CDR is coming to the energy sector – have your say now.

How does the CDR relate to existing access obligations?

The National Electricity Rules currently provide customers with the ability to access or receive certain data relating to their electricity consumption and to authorise a third party to access or receive that data. There have also been a number of comparator websites established which are intended to assist customers to compare offers by retailers, which can utilise data on the customer's authorisation (eg Victorian Energy Compare or Energy Made Easy). These mechanisms are intended to assist customers to make informed choices about retail offers so they can move to better deals which may be available. The benefit of the CDR over and above these existing avenues is to make it easier for customers by authorising the transfer of their data, so there is less for customers to do in order to facilitate the use of that data for the customer's benefit.

Key dates

The ACCC has provided the following indicative dates for implementation of CDR in the energy sector.

  • 11 August 2020 – Rules framework webinar will be held
  • 28 August 2020 – Submissions on the Framework due
  • Quarter 3 - 4 2020 – ACCC will consider submissions on the Framework and commence drafting the Rules for the energy sector
  • Quarter 4 2020 – The draft Rules will be published for consultation
  • Quarter 2 2021 – Version 1 of the energy Rules to be finalised

What data sets will be captured in the energy sector?

The scope of data set out in the Framework broadly reflects the categories of data outlined in the designation instrument (described in our previous Insight). However, the Framework has provided more detailed guidance on certain data sets, including in the below areas:

  • Customer data – the designation for the energy sector includes authentication information as a component of customer data (this was not covered in the draft designation instrument). The Framework proposes that the Rules will expressly specify customer identifying information (eg customer's name, business name, ABN, ACN or business contact person's name) and that authentication information will cover both information used to authenticate the identity of a customer and the outcomes of an authentication process. The explanatory statement to the designation suggests that this authentication information has been included to enable AEMO to ensure that data it releases have been appropriately authorised. However, it is unclear how this will interact with the redirect models for consumer authentication discussed below. We consider that the inclusion may be of benefit to ADRs in determining if particular individuals are authorised under an account.
  • Billing data – the Framework provides further detail on what constitutes billing data (eg account and customer ID).

The Framework acknowledges that customer data could include sensitive information – such as a customer's eligibility for hardship arrangements or life support equipment. The Framework explores two approaches to sensitive information:

  • excluding sensitive information from customer data – such that this data cannot be transferred as part of a CDR data request; or
  • separating sensitive information from other data sets in the consent process – this approach gives greater control to consumers in what information is shared with ADRs, but the need for an additional, separate consent process may impact the consumer experience.

The first approach would need to ensure the exclusion of sensitive data does not impact the usefulness of remaining CDR data for consumers or retailers – and therefore impact the ability for CDR to stimulate competition in the energy sector. For example, if a consumer is under a short-term hardship arrangement, and concession amounts under that arrangement – as sensitive information – are not disclosed as part of a data request, other retailers will not be able to adjust their pricing structure to reflect these concession amounts, and therefore may not be able to provide a competitive alternative energy offer to the consumer.

Energy-specific rules

Authentication models

The ACCC proposes to adopt a modified approach to the redirect model for consumer authentication. The Framework sets out two possible redirect models:

  • Model 1 – the consumer's current retailer carries out the authentication process for the consumer. This model allows flexibility for the development of outsourced authentication services for retailers in the future, leverages existing retailers' authentication processes and minimises privacy risks by reducing data flows.
  • Model 2 – AEMO carries out the authentication process for the consumer. This model reduces the authentication capabilities required of retailers and may result in more efficient implementation due to AEMO's IT expertise and scale.

Model 1 is preferred by the ACCC. The Framework proposes that other data holders will be able to rely on authentication carried out by the consumer's current retailer. The Framework does not provide detail on how this reliance will be facilitated. It is conceivable that AEMO (in its capacity as a data holder) may be able to rely on authentication carried out by the current retailer under Model 1. The application of this reliance as between multiple retailers is less clear. Such a situation could arise for consumers that occupy multiple premises or where a data request relates to a period during which the consumer swapped retailers.

The Framework also contemplates an additional method of authentication to allow the sharing of AEMO data sets (eg NMI standing data) without retailer input or 'strong authentication'. This authentication method would be based on other factors such as NMI, postcode and retailer name. Although the ACCC is only proposing the sharing of limited data using this method, the privacy risks it poses are significantly greater. Given the relatively small amount of switching by consumers between electricity retailers, NMI, postcode and retailer name would conceivably be known by a wider range of parties (eg former tenants of a property) than is desirable.

Consumer dashboards

The ACCC has stated its preference for one party, either the retailer data holder or AEMO, to have the responsibility of providing the dashboard for all energy consumer data requests relating to a single consumer. The Framework contemplates three options for this:

  • Option 1 – the consumer's current retailer provides the dashboard for all energy consumer data requests that relate to the consumer;
  • Option 2 – AEMO provides the dashboard for all energy consumer data requests that relate to the consumer; or
  • Option 3 – the consumer's current retailer provides the dashboard for all energy consumer data requests that relate to the consumer using an AEMO-provided authentication data application programming interface (API).

The ACCC does not state a preference between these options. However, for AEMO to provide the dashboard under Option 2, AEMO would require a method to authenticate consumers. As the ACCC favours retailer-based authentication, and as no strong case is made for an AEMO dashboard in the Framework, we think it is more likely the ACCC will propose that retailers provide this dashboard.

Gateway considerations

As a gateway, AEMO's role will be to act as a conduit for data provided by data holders to ADRs. As such, AEMO will be restricted from holding or storing this transferred data except as is required to facilitate its gateway role.

One advantage of the gateway approach was that it could facilitate the operation of the CDR regime where there were a large number of energy retailers. However, as the ACCC has now proposed limiting the energy CDR to active retail accounts, this advantage is somewhat diminished as retailers would be able to provide this active data directly (in a similar manner to open banking).

Other important questions about the use of AEMO as a gateway remain. In particular, the Supplementary Privacy Impact Assessment (SPIA) reiterated the risk of AEMO being a central repository of information in the event of a data breach. To that end, the Framework contemplates AEMO holding additional data sets about consumers which were not considered in the SPIA (eg authentication information about consumers in order to provide a consumer dashboard).

Eligible consumer

The Framework made the following proposals in relation to eligible consumers in the sector.

  • Inclusion of customers with no online account – this diverges from the approach in open banking, where eligible consumers need to have an online account with their bank. However, as the energy CDR will – at first – only permit CDR data to be transferred to ADRs, the inclusion of this group of CDR consumers may be more manageable for energy retailers. If the ACCC includes direct-to-consumer energy data sharing functionality in the future, retailers will need to consider how information can be displayed to these customers, both from an authentication and dashboard perspective.
  • Limitation to current premises – limiting CDR consumers to transferring only CDR data relating to their current premises will enable a faster rollout of the CDR in the energy sector. It also removes the need for authentication of previous premises or retailers. However, the limitation may reduce the richness of data sets (and the usefulness of the CDR), particularly for individuals who have recently moved premises.
  • Joint accounts – while the ACCC acknowledges there are joint energy accounts, the ACCC is not currently proposing to require a joint account management service in the energy sector. This is a requirement in open banking and requires each joint account holder to authorise the management of CDR data by the other joint account holder. The difference in approach is premised on the lower sensitivity of energy data compared to banking data. Whilst this difference in sensitivity may be true in general, consideration should still be given to the privacy implications. One example is any novel ability of a joint account holder to access or approve the disclosure of the new address of a former domestic partner.

The ACCC is also currently seeking feedback on how nominated persons (eg a family member of an account holder) could be authenticated for requesting the transfer of CDR data. Whether a different authentication process is required for nominated persons will partially depend on what identifying information is currently collected by retailers concerning nominated persons.

Accreditation

Although the current Rules provide only for a single level of accreditation for ADRs, the ACCC has expressed its intention to introduce additional tiers of accreditation across all sectors of CDR.

If stakeholder feedback continues to indicate energy data is not as sensitive as banking data, the ACCC will consider creating a new lower tier of accreditation to access energy data. The ACCC is also considering whether a lower tier of accreditation is appropriate across other CDR sectors for less sensitive CDR data. Depending on the scope of 'less sensitive' banking data sets and energy data sets made available at the lower tier, this is likely to increase the number of ADRs who seek to participate in the regime (in respect of both banking and energy data).

Phased implementation

The ACCC proposes a phased approach, with the effect that the largest retailers will be the first entities subject to the regime. Remaining retailers would be phased in over time (unless they opt in earlier). The first tranche will include AEMO and, at a minimum, the largest incumbents (Origin Energy, AGL and EnergyAustralia).

The ACCC is likely to adopt a threshold for the application of the regime, such that retailers under a certain threshold would not be subject to the obligations under the CDR regime unless they opt in. Retailer customer numbers are being considered as a basis for this threshold to exempt smaller retailers who may have difficulty complying with data sharing obligations. However, the ACCC is considering whether any exempted small retailers should be required to comply with the authentication process to enable the disclosure of AEMO-held data sets. This differs from the approach taken in the banking sector, but may be an approach the ACCC continues to adopt as further sectors are designated under the CDR regime.

What's next?

  • Engage with the CDR's development – review the Framework to determine how the ACCC's proposals may affect your organisation's compliance with the CDR. Consider making submissions to the ACCC before 28 August 2020.
  • Keep up with the Rules – given the ACCC's view that the Rules should apply equally across sectors, any organisations that intend to be involved in the CDR ecosystem in the future, or are participants in sectors that are intended to be subject to the CDR, should keep up to date with changes and consultations regarding the Rules.