Commonwealth Numbered Regulations - Explanatory Statements

[Index] [Search] [Download] [Related Items] [Help]

COMPETITION AND CONSUMER AMENDMENT (CONSUMER DATA RIGHT) REGULATIONS 2021 (F2021L01617)

EXPLANATORY STATEMENT

Issued by authority of the Minister for Superannuation, Financial Services and the Digital Economy

Competition and Consumer Act 2010

Competition and Consumer Amendment (Consumer Data Right) Regulations 2021

Section 172(1) of the Competition and Consumer Act 2010 (the Act) provides that the Governor-General may make regulations prescribing matters required or permitted by the Act to be prescribed, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

Section 56GE of the Act provides that regulations may exempt a person, or a class of persons, in respect of particular CDR data, or one or more classes of CDR data from all or part of the CDR obligations. The regulation may also provide that CDR obligations apply to a person, or a class of persons, in respect particular CDR data, or one or more classes of CDR data. The regulations can also modify the operation of the CDR obligations.

The Competition and Consumer Amendment (Consumer Data Right) Regulations 2021 (the Regulations) support the implementation of the Government's decision to apply the Consumer Data Right to the energy sector through a peer-to-peer (P2P) data access model for primary and secondary data holders who share responsibility for responding to consumer data requests. Under the P2P model, responsibility for CDR data is shared between an energy retailer (who has a direct relationship with the consumer) and the Australian Energy Market Operator (AEMO) (who has no direct relationship with the consumer). The retailer will be treated as if it were the relevant data holder for all the CDR data, including AEMO data, relevant to a consumer data request. The Regulations support the P2P model by providing that Privacy Safeguard obligations that would otherwise apply to the AEMO are instead applied to retailers who receive data from AEMO, who are better situated to protect consumer's data privacy.

Division 5 of Part IVD of the Act sets out privacy safeguards that impose obligations on accredited persons, data holders and designated gateways in relation to their handling of CDR data to protect the privacy and confidentiality of CDR consumers' CDR data.

Under section 12 of the Consumer Data Right (Energy Sector) Designation 2020 (the Energy Designation), AEMO is specified as the data holder for specified types of information relating to arrangements under which electricity is supplied to consumers. However, AEMO never holds any information that allows it to identify a consumer in relation to any of the designated data it holds and has no direct relationship with any CDR consumer.

Retailers are also specified in the Energy Designation as data holders for information related to specific customers and their arrangements, as outlined in the Competition and Consumer (Consumer Data Right) Rules 2020 (the CDR Rules). Significantly, the CDR Rules authorise the disclosure of CDR data from one data holder directly to another data holder (whereas previously CDR data could only be disclosed from a data holder to an accredited person or from an accredited data recipient to another accredited data recipient).

In practice, consumer data requests are made to retailers, not AEMO, and it is the retailer responding to a request that includes AEMO data who is able to identify and interact with the consumer. Consequently, retailers are better placed than AEMO to ensure the privacy safeguard obligations are met in relation to that data.

The Regulations make minor technical amendments to the Competition and Consumer Regulations 2010 to exempt AEMO from four privacy safeguard obligations, and in circumstances where AEMO provides CDR data to a retailer, to apply appropriate privacy safeguard obligations to the retailer in relation to that data as if the retailer were the data holder for that data.

The Regulations were subject to public consultation in conjunction with the  Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021 (the Amending Rules), which ran between 17 August and 13 September 2021. Submissions were received from 30 respondents. Most submissions addressed the Amending Rules, however, a number of stakeholders raised concerns about correction of AEMO-held data, which directly concerns whether the Regulations provided adequate scope for the CDR Rules to determine the appropriate processes for retailers to make corrections. In response to these submissions, the Regulations were amended to modify the operation of Privacy Safeguard 13 so that the CDR Rules are not restricted as to the matters that can be dealt with when specifying steps that retailers must take when responding to requests to correct AEMO data.

Details of the Regulations are set out in Attachment A.

The Regulations are a legislative instrument for the purposes of the Legislation Act 2003.

The Regulations commenced on the day after they were registered on the Federal Register of Legislation.

The compliance costs of the Regulations are considered as part of the Amending Rules and are included in the Regulation Impact Statement for the Amending Rules.

A statement of Compatibility with Human Rights is at Attachment B.

ATTACHMENT A

Details of the Competition and Consumer Amendment (Consumer Data Right) Regulations 2021

Section 1 - Name

This section provides that the name of the instrument is the Competition and Consumer Amendment (Consumer Data Right) Regulations 2021.

Section 2 - Commencement

This section provides that the instrument commences on the day after it is registered on the Federal Register of Legislation.

Section 3 - Authority

This section provides that the instrument is made under the Competition and Consumer Act 2010 (the Act).

Section 4 - Schedules

This section provides that each instrument that is specified in a Schedule to this instrument will be amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in the Schedules to this instrument has effect according to its terms.

Schedule 1 - Amendments

Schedule 1 to the Regulations amends the Competition and Consumer Regulations 2010 by inserting new Part 2BA, which is made for the purposes of section 56GE of the Act. The new Part modifies the application of certain Consumer Data Right (CDR) provisions as they relate to the Australian Energy Market Operator (AEMO), as well as retailers that AEMO makes disclosures to in accordance with the Act.

New regulation 28RA(2)(a) exempts AEMO from sections 56ED (Privacy Safeguard 1), 56EN (Privacy Safeguard 11) and 56EP (Privacy Safeguard 13) of the Act. The effect of removing these obligations is that AEMO is not required to:

•                 have policies, procedures, and systems in place to ensure compliance with the CDR regime or enable the open and transparent management of CDR data (section 56ED); or

•                 ensure the CDR data they hold is accurate, up to data and complete, nor to disclose corrected data (section 56EN); or

•                 respond to consumer requests in relation to data correction (section 56EP).

New regulation 28RA(2)(b) exempts AEMO from section 56EM (Privacy Safeguard 10) of the Act in relation to data disclosed to a retailer under the Act.

New regulation 28RA(3) provides that retailers who have data disclosed to them by AEMO as required or permitted by the Act, are required to apply Privacy Safeguards 1 and 10. New regulation 28RA(4) provides that Privacy Safeguard 13 applies to retailers in relation to that data, however, it is modified to work in conjunction with the CDR Rules.

The effect of these additions is that when CDR data is provided to a retailer by AEMO, the privacy safeguards that apply to data holders apply to the retailer in relation to that data as if they were the data holder, and conversely, do not apply to AEMO.

Regarding Privacy Safeguard 13, retailers are not required under section 56EP(3)(a) of the Act to correct CDR data or to include a statement with CDR data ensuring that it is accurate, up to date, complete and not misleading, nor to give notice under section 56EP(3)(b) of any corrections or statements, or notice of why a correction is unnecessary or inappropriate. Instead, retailers are required to follow new requirements in Schedule 4 to the CDR Rules, which leverage the existing National Electricity Rules (NER) processes for correcting data. Similarly, Privacy Safeguard 11 is not applied to retailers as the national energy legislation and NER contains existing correction processes for energy retailers and other market participants.

ATTACHMENT B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Competition and Consumer Amendment (Consumer Data Right) Regulations 2021

This Legislative Instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Legislative Instrument

The Regulations make minor technical amendments to the Competition and Consumer Regulations 2010 to exempt the Australian Energy Market Operator (AEMO) from four privacy safeguard obligations, and in circumstances where AEMO provides CDR data to a retailer. Additionally, where appropriate, the Regulations apply privacy safeguard obligations to energy retailers in relation to data received from AEMO as if the retailer were the data holder for that data.

Human rights implications

This Legislative Instrument engages the right to protection from unlawful or arbitrary interference with privacy under Article 17 of the International Covenant on Civil and Politics Rights (ICCPR) because it amends how privacy safeguard protections apply to certain types of data within the CDR Regime.

The right in Article 17 may be subject to permissible limitations, where these limitations are authorised by law and are not arbitrary. In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a reason consistent with the ICCPR and be reasonable in the particular circumstances. The UN Human Rights Committee has interpreted the requirement of 'reasonableness' to imply that any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case.

Under the existing rules, data holders can disclose consumer data to authorised data recipients (ADRs), where the consumer to whom the data pertains has provided consent for their data to be transferred. The privacy of the consumer is protected by several privacy safeguards that require data holders and data recipients to ensure the protection of the consumers for whom they hold data.

The Regulations remove a number of privacy safeguards from AEMO, and proportionally applies most of these privacy safeguards to retailers who receive data from AEMO as if they were the data holder. In the case of Privacy Safeguard 13, section 56EP of the Act is modified so that correction of data is undertaken in conjunction with the CDR Rules, and leverages existing correction mechanisms under the National Electricity Rules.

As such, the privacy of consumer data is still protected within the broader CDR regime.

Conclusion

This Legislative Instrument is compatible with human rights as it does not raise any human rights issues.