Three reminders for exempt businesses from the latest AER Compliance Report  

AU Energy Compliance

The Australian Energy Regulator’s (AER) Quarterly Compliance Report: National Electricity and Gas Laws 1 January – 31 March 2018 was recently released.[1] It canvasses a range of compliance activities carried out by the AER over that three-month period, including compliance for wholesale market participants such as retailers, distributors and generators.  Rather than market participants, our focus today is on the AER’s compliance activities with respect to businesses operating under network or retail exemptions. In particular, we look at compliance lessons for Embedded Network Operators (ENOs) and exempt businesses using power purchase agreements (PPAs).

By Dr Drew Donnelly, Regulatory Specialist, Compliance Quarter.
  1. Advising embedded network customers that seek to go ‘on market’

The AER observes that embedded networks are now expected to be fully in compliance with the power of choice reforms requiring the appointment of Embedded Network Managers (ENMs) in certain states and territories. AER comments that where ENMs are required to be appointed and have not been, the AER will consider taking steps to revoke an ENO’s network exemption.[2]

Problematically, AER has identified a phenomenon of market retailers being unwilling to provide offers to embedded network customers who do not have a Network Metering Identifier (NMI).[3] This is primarily a compliance issue for retailers; it is the responsibility of the market retailer to request the ENM to create a child NMI. However, this is also instructive for ENOs. An embedded network customer may, based on retailer refusal, approach the ENO seeking an NMI. In that case, an ENO should contact the retailer advising them of the appropriate procedure (and, if an ENM does not currently exist, begin the process for appointing or becoming one).

  2. Ensuring that MSATS data is correct for child connection points

The Australian Energy Market Operator (AEMO) has identified discrepancies between wholesale metering data at transmission nodes and the sum of metering data for downstream connection points.[4] This suggests that participants are either incorrectly entering NMI data relating to regional electricity loss (captured in ‘Transmission Node Identities’ or ‘TNIs’) or failing to update it where necessary. AER identified Local Network Service Providers (LNSPs) as the culprits. So, what does this have to do with ENOs?

For those ENOs who have also been appointed as ENMs, it is their responsibility to ensure that the data relating to ‘on-market’ child connection points is accurate and up-to-date; that is, they act as the LNSP for those child connection points. This includes responsibility for TNIs which capture regional electricity loss. All ENMs must have a procedure in place for ensuring that they have accurate and up-to-date TNIs for connection points in their embedded networks. Up-to-date TNIs can be requested from AEMO.

  3. Metering obligations of Solar Energy Businesses

An increasingly popular renewable energy arrangement is the solar Power Purchase Agreement (solar PPA). This involves a third party installing solar photovoltaic (PV) panels on a customer’s premises from which that customer is sold the energy produced. Vendors of solar PV are eligible for both retail authorisation and network exemptions.

The AER observed that some solar PV businesses are unsure of their metering obligations.[5] AER confirmed that solar PV businesses with PPAs (and holding a valid exemption) are not subject to the metering rules in the National Electricity Rules and associated Metrology Procedure. Rather, through their network exemptions they are simply subject to the condition that meters comply with the requirements of the National Measurement Act. Further information, including pattern approval requirements and pattern approval application forms, is available on the National Measurement Institute’s website.


[1] See

[2] See compliance report, p15.

[3] See compliance report, p16.

[4] See compliance report, p10.

[5] See compliance report, p17.

GDPR: The Legitimate Interests test


On 25 May the EU General Data Protection Regulation (GDPR) came into force. If you need help in working out whether or not your Australian business will be affected by GDPR, please get in touch with us without delay. We have offered updates recently on:

– Cross-country data transfer;
– Consent.

By Dr Drew Donnelly, Regulatory Specialist, Compliance Quarter

Today we update you on one of the more perplexing aspects of the GDPR: the ‘legitimate interests’ ground for processing personal data. On the one hand, the GDPR makes it easier for organisations to know when personal data processing is permitted (or ‘lawful’). The clear-cut definition of ‘consent’ means all organisations can be on the same page as to whether consent holds. On the other hand, the ‘legitimate interests’ ground requires each organisation to engage in a ‘balancing’ exercise where it determines for itself whether processing in a particular case is justified or not. We explain this ground below.

GDPR Legitimate Interests

Article 6(1) describes a range of grounds under which processing of personal data of EU data subjects is permitted (‘lawful’). Article 6(1)(f) of the GDPR provides that processing is lawful where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”[1]

This might be separated into three tests that the organisation can ask itself in determining whether or not the legitimate interests ground is met.[2]

Purpose test: are you pursuing a legitimate interest?

Necessity test: is the processing necessary for that purpose?

Balancing test: do the individual’s interests override the legitimate interest?

While the necessity test is self-explanatory, we consider the other two tests below.

GDPR legitimate interests – Purpose test

No definition of ‘legitimate interests’ is given in the GDPR to make it clear when a purpose will be a legitimate or illegitimate interest. However, the EU’s Article 29 Data Protection working group offered the following in its guidance on the old EU Directive[3]:

  • The purpose must be lawful (i.e. in accordance with EU and national law);
  • be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently concrete);
  • represent a real and present interest (i.e. not be speculative).

On a practical level, an organisation using this ground must document a concrete purpose of the processing, that the purpose is lawful and that it represents a real, not hypothetical or possible future purpose for collecting the data. Other constraints on this test include:

  • it cannot be used by a public authority (art 6(1));
  • The processing of personal data strictly necessary for the purposes of preventing fraud is a legitimate interest (see recital 47);
  • The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (see recital 47).

Note that this advice is of a general nature (except in the case of fraud). Direct marketing is not automatically a legitimate interest. It may be a legitimate interest (i.e. in some cases) depending on the judgement of the organisation (and always subject to the balancing test besides).

GDPR legitimate interests – Balancing Test

Assuming that the first two tests are met, the organisation needs to then consider whether their legitimate interest is outweighed by the interests or fundamental rights and freedoms of data subjects. Recital 47 emphasises the need for “careful assessment as to whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.

It is worth noting here that ‘interests’ is a broader term than rights, covering anything that might be important to the data subject. Note also that it need not be a ‘legitimate’ interest – even unlawful interests of the data subject need to be taken into consideration. In carrying out the balancing itself, it will be useful to consider:

  • how important the organisation’s ‘legitimate interest’ is;
  • the nature of the data;
  • the way in which the data are processed (e.g. large scale, data mining, profiling, disclosure to a large number of people or publication).[4]

If you think we could be of any assistance in carrying out a ‘legitimate interests’ assessment for the EU Personal data you control or process, please get in contact with us.


[1] For the full GDPR see

[2] See helpful guidance from the United Kingdom Information Commissioner’s Office at


[4] See, pp55-56.

Are electricity prices in Australia being driven by an excessive tax allowance?

AU Energy Compliance

The Australian Energy Regulator (AER) recently announced a review on how much estimated tax it will allocate when making revenue decisions for network businesses.[1] This is, in part, a recognition that network costs have been the key driver of rising electricity prices over the last decade or so.[2] As part of that review, AER has released an issues paper for consultation. We summarise this below.

By Dr Drew Donnelly, Regulatory Specialist, Compliance Quarter

Estimate of tax payments

When setting revenue allowances for network businesses (i.e. deciding how much revenue monopoly distributors are allowed to make), the AER estimates expected tax payments for electricity and gas distributors. By reviewing the current approach to estimating tax, the end result may change the total revenue allowance for network businesses, and thereby contribute to bringing down energy prices.

The estimated tax payment is combined with other calculations in AER’s ‘building block’ approach to its revenue determinations including:

  • return on capital (compensating investors for the opportunity cost of funds invested in the business);
  • return of capital (depreciation, to return the initial investment to investors over time);
  • operating expenditure (covering the day-to-day costs of maintaining the network and running the business).

Differences between estimated tax allowance and actual tax paid

Advice from the Australian Tax Office (ATO) suggests that tax is being over-estimated (i.e. network businesses), particularly for privately-owned network businesses.[3] Possible causes identified by ATO include:

  • Ownership structure. Some structures attract a lower statutory tax rate (e.g. 15%) but the tax is being estimated by AER at the corporate rate (30 per cent);
  • High gearing. Some network businesses might be highly geared (greater than 60 per cent), compared to the benchmark (60 per cent) which means a higher interest expense, and lower taxable income than on AER’s model;
  • Some network businesses may use diminishing value depreciation for tax purposes, and thereby front-load depreciation compared to the straight-line model used by AER;
  • Self-assessed shorter asset lives. This makes the depreciation expense higher than in the AER model;
  • Low-value pools. Network businesses may aggregate assets worth less than $1000 and then rapidly depreciate them, meaning a greater depreciation expense than on the AER model;
  • Prior tax losses not accounted for on the AER model.

AER asks a range of questions, including:

  • Are there other publicly available sources that provide tax data for the regulated networks?
  • Of the available data sources, which are the most appropriate for the purposes of the AER’s review?
  • What information would the AER need to obtain on actual tax payments in order to inform this review and any potential adjustments to the regulatory treatment of taxation?
  • Are there other potential drivers that could cause the difference (between expected tax costs and actual tax paid) identified by ATO?
  • How should we assess the materiality of the potential drivers?
  • Which of these potential drivers should be the focus for the AER’s review?

The issues paper is available at

Contact the team at Compliance Quarter should you need anything – click here.

[1] See

[2] E.g. see

[3] See

Understanding your breach reporting obligations as an AFS Licence Holder

Financial Services

Last month’s wealth management hearings before the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Banking Royal Commission) highlighted the need for AFS licensees to understand and fully comply with their breach reporting obligations in a timely and not overly legalistic way. You can read more about our coverage of the issues coming out of the Banking Royal Commission here

In our article covering AFSL breach reporting obligations we take a closer look at those obligations and the consequences of non-compliance.

What must an AFS licensee report?

AFS licensees must notify ASIC in writing of any ‘significant’ breach (or likely breach) of their obligations under s912A (including licence conditions), s912B (compensation arrangements) or financial services laws, as soon as possible, and in any event within ten (10) business days of becoming aware of the breach or likely breach. If you don’t tell ASIC about a significant breach (or likely breach) then ASIC will consider that this itself is a significant breach. As such, an AFS licensee should have a clear, well-understood and documented process for identifying and reporting breaches. It is worth noting that responsible entities are also subject to breach reporting requirements.

AFSL breach reporting obligations – What does ‘significant’ breach mean?

Whether a breach is significant will depend on the individual circumstances – it is a subjective assessment. As such, licensees need to give proper consideration to whether the breach (or likely breach) is significant, and, if so, provide timely notification to ASIC. You will need to decide whether a breach (or likely breach) is significant and therefore, reportable to ASIC.

What factors determine whether a breach is ‘significant’?

The non-exhaustive list of factors that determine whether a breach (or likely breach) is ‘significant’ includes:
• the number or frequency of similar previous breaches;
• the impact of the breach or likely breach on the licensee’s ability to provide the financial services covered by the licence;
• the extent to which the breach or likely breach indicates that the licensee’s arrangements to ensure compliance with those obligations is inadequate; and
• the actual or potential loss to clients or the licensee itself.

If you are not sure whether a breach is significant, ASIC has indicated you should err on the side of caution and report the breach. ASIC Regulatory Guide 78 ‘Breach reporting by AFS Licensees’ (RG78) also provides further guidance as to how ASIC interprets and will apply the law.

How do you report a breach?

A breach can be reported to ASIC by completing Form FS80 and/or a written report to ASIC via email at

What are the penalties for non-compliance?

It is important that licensees report significant breaches to ASIC as early as possible, even where you are still gathering further information on the breach. ASIC states in RG78 that a failure to report a significant breach is an offence and may itself result in penalties up to $42,500 for companies.

What are the key takeaways?

The insights emanating from the Banking Royal Commission, its coverage and associated regulatory matters are that breach reporting is an area where there has been significant divergence in how AFS licensees are managing that process. The issue of governance internally around the breach reporting process has itself been a matter of considerable focus and debate – the ability of those charged with the responsibility to escalate incidents for consideration within the breach reporting framework and bring those to the attention of the board of licence holders in particular.

If you’re an AFS licence holding entity (or on the board of an entity that is), now is the time to be reviewing your breach reporting and incident management policies and considering the workflows within your organisation for how such matters are to be managed. At the board level, you should also be reflecting on what has been coming through from your audit and risk committee reports and whether there have been any details around incidents or breaches reported recently. If not, it may be worth contemplating a review of that process to ensure that adequate transparency is being afforded internally to such matters. Other matters that AFS licence holders should be reflecting on in this space include how remuneration is structured for senior management and at the board level when there have been breaches identified and reported, and ensuring that remuneration structures align with the obligations of the AFS licensee – for example, clawbacks or bonus ineligibility where there has been a major incident or significant breach. It would also be worth looking at how the organisation is learning from incidents and breaches – is it applying the right tools to identify how and why the incident or breach occurred, along with adopting a lessons-learned mindset to avoid any future repeats within the business?

AFSL breach reporting obligations – Need more assistance?

If you would like assistance with better understanding your breach reporting obligations or an assessment of your internal procedures for managing issues in this space, please get in touch with us at Compliance Quarter and one of our regulatory specialists would be pleased to assist you.