The impact of COVID-19 on Energy Retailers

COVID-19 is having a dramatic impact on all areas of the economy. On an individual level it is resulting in illness, isolation, and a loss of income.

Energy retailers provide an essential service that is at the foundation of our economy. In this article we look at the consequences of COVID-19 on energy retailers.

  1. Existing Contracts & Key Service Providers

Many energy retailers are reliant on third party service providers for functions including billing and customer service. Customer service is typically centralised in call centres which may, over the coming months, simply close down or have reduced capacity.

Energy retailers should review the contracts they have in place with key service providers and take particular note of the following:

  • Termination for convenience

Now is an important time to review your service provider contracts and the circumstances in which termination occurs.

Should your contract expressly provide for ‘termination for convenience’ it may be open to your business or, potentially, the service provider to rely on such a clause. A termination for convenience clause allows the benefiting party to terminate the contract for any reason. 

A termination for convenience clause removes the need to wait for a breach, repudiation, frustration, or some other stated termination trigger.

  • Force Majeure

Force Majeure is an expression that derives from French Civil Law. A force majeure clause is a risk allocation mechanism used to limit the liability of a party for events which delay, restrict, or hinder the performance of the contract – where such events are beyond the control of the parties and fall within defined triggers. 

The party seeking to rely on a force majeure clause has the ‘burden of proof’, i.e. it is required to prove that the clause has been triggered. The triggers of a force majeure event often include acts of God such as fire, storms, earthquakes, and floods, as well as civil unrest, strikes, riots, and acts of war or terrorism.

As COVID-19 has had and will continue to have far-reaching consequences, a force majeure clause may be triggered even where the clause does not specify that an epidemic or pandemic is a trigger, i.e. it may be triggered as a result of a secondary consequence of COVID-19.

Force majeure is different to frustration. Force majeure is a contractual construct and typically operates to suspend performance. Frustration, on the other hand, operates where the performance of the contract is impossible or radically different and termination results. As such, force majeure can only be relied upon if express provision is made for it within the contract (it cannot be implied as a term of the contract). 

  • Frustration

The common law principle of frustration may come into play where performance of a contract becomes impossible or illegal. For example, in the case of Taylor v Caldwell, a licence to use a music hall for a series of performances was held to be frustrated when the hall burnt down. As a result, the owner of the hall was not liable to reimburse the hirer for advertising expenses and the hirer was relieved from the obligation to pay the licence fee for use of the hall.

A contract will be frustrated where, without the default of either party, circumstances would result in performance being radically different from that originally contemplated in the contract. So the question is (as expressed in Brisbane City Council v Group Projects Pty Ltd by Stephen J) ‘how dramatic must be the impact of an allegedly frustrating event. To what degree or extent must such an event overturn expectations, or affect the foundation upon which the parties have contracted…’

In considering frustration, a court will look at whether events were foreseeable at the time the contract was made. Consequently, it will be harder to argue that COVID-19 has frustrated a contract made yesterday than it would be if the contract had been made in November 2019.  

There are some clear cases where a contract will be frustrated: for example, when a customer service team has been ordered by a government department to isolate for a set period of time, its contractual obligation to attend a particular location to take calls will be frustrated.

  2. Customer Hardship

Under the Retail Law, all authorised retailers must develop, maintain and implement customer hardship policies for their residential customers. Hardship policies represent regulatory obligations: if a retailer breaches its hardship policy it will be in breach of the Retail Law. Retailers are required to identify customers experiencing payment difficulties due to hardship and to assist those customers to better manage their energy bills on an ongoing basis.

COVID-19 clearly has the potential to cause financial hardship as families are isolated, unable to work, or unable to derive their usual income. Household illness is recognised, in standardised statement one of the AER’s Hardship Guideline, as being a factor that may give rise to financial hardship.

Given the increased likelihood of financial hardship over the coming months, retailers need to ensure that they strictly comply with the Retail Law and with their own Hardship Policies. Typically, this will mean that retailers:

  1. Need to exercise vigilance in their monitoring of customer accounts, specifically looking for customers self-identifying as being in hardship, for missed payments, and for customers who are sent disconnection warning notices.
  2. Should consider the assistance they are planning to provide to customers experiencing hardship as a result of COVID-19. There is a range of government rebates and concessions available, as well as emergency payments such as EAPA, that may be available to those experiencing hardship. Retailers should ensure that they are familiar with the support options available and that all customer-facing staff understand the measures that can be taken to support someone experiencing hardship.
  3. Consider their approach to the disconnection of customers for non-payment. There is no prohibition on the disconnection of energy supply during a pandemic, as there is during ‘extreme weather events’ (see r 108 of the National Energy Retail Rules); however, there is a greater risk that a retailer will disconnect a customer who is in hardship at this time. Consequently, additional steps may need to be taken to ensure that disconnection is conducted in accordance with the rules.


  3. Business Continuity

As with all other businesses, retailers should be examining their business continuity plans and ensuring that they are fit for purpose.

Should your employees work from home, ensure that they are set up to do so and that you are discharging your obligations under Workplace Health and Safety legislation. Over the coming days we will be developing specific online training for our clients on working from home, including on how to set up a safe workplace, how to communicate with your staff, and what to avoid.

Why Compliance Matters

Connor James is the Principal of Compliance Quarter.

Unsurprisingly, it is our view that compliance matters. We say this in the context of a business environment characterised by increasing and increasingly complex regulation.

More Regulation and More Complexity

Despite various governments now having ‘deregulation’ Ministers or Departments, the truth is that regulation is increasing. Whether it’s driving home from work in complying with the Road Rules or speaking to a customer at work in complying with the National Energy Retail Rules, much of what we do on a day-to-day basis is regulated.

The purpose of regulation is to codify society’s expectations. Society’s expectations are constantly changing, and so regulation is constantly trying to catch up. This is evident in industries marked by technological advance, where regulation constantly lags behind. Despite various shortcomings, regulation, by and large, does its job and does it well.

Regulatory Burden

The consequence of additional regulation and additional complexity in regulation is regulatory burden. Regulatory burden is felt both at an organisational level and at an individual (senior executive and director) level. Personal liability of directors continues to expand, including recently personal liability for unpaid PAYG, meaning that directors can no longer rely on the protection afforded to them by the corporate veil.

A lot of regulatory burden can be lifted with simple rules-based automation, but not all. Ask any lawyer who has argued about the meaning of a specific sub-section of an act in the Supreme Court whether all legislation can be codified, and be prepared to be laughed at.

Why Comply

Businesses should understand and operate to the expectations of the society in which they operate. A business that is not operating in a compliant manner is typically operating outside of society’s expectations, often with negative consequences for its customers, employees, and wider society.

Compliance is closely linked to ethics. Ethical conduct is typically compliant conduct and unethical conduct is often non-compliant. When making a business decision, rather than starting with your lawyer on a technical question of interpretation, first ask yourself if the outcome would be ethical. 

How to Comply

The first step every business should take in seeking to comply is identifying the various applicable obligations and standards. Many businesses have not taken this first step and operate without knowing what they should or indeed must be doing. All businesses should have a regulatory obligation register that sets out all of the key applicable obligations and standards. All businesses should have a process in place to ensure that their regulatory obligation register is up-to-date at all times.

Once your business has an obligation register it needs to consider what steps it will take to ensure compliance. The steps that a business takes to ensure compliance are the controls that it has in place. Controls can take the form of training, regular meetings, updates, systems, and policies and procedures.

Once controls have been mapped to obligations, on an ongoing basis, your business should consider whether those controls are adequate and fit for purpose. This means monitoring non-compliance as you would monitor any other risk. The consequence of non-compliance is obvious and may include fines, negative PR, loss of revenue, and termination of licence.

Across all the businesses that we are involved with, we can predict future non-compliance with close to absolute certainty based on the attitude demonstrated by their directors and senior executives. When we come across a senior executive in a business who has no interest in compliance, we can tell that that business is significantly more likely to be found to be non-compliant, to be fined, to lose revenue, or to lose a licence.

In order to ensure compliance, senior executives and directors must have a good understanding of their businesses’ regulatory obligation registers and the function of each control. If, for example, you are a senior executive in an energy retail business you must read the National Energy Retail Rules and the various other regulatory guidelines. Once you have done so, you should then ask your business whether it has adequate controls in place, whether it is monitoring the effectiveness of those controls, and whether your business is operating in the way that society would expect it to. 

How to obtain an energy retail authorisation

If you’re planning to become an energy retailer in those states that have adopted the National Energy Customer Framework, you will require a retail authorisation issued by the Australian Energy Regulator. Broadly, you will need to demonstrate that you:

  • Have the necessary organisational and technical capability;
  • Have financial resources, or access to resources, to operate as a retailer; and
  • Are a suitable person to hold a retail authorisation.

In this post we look at some of the key components of an energy retail authorisation application. 

Organisational and technical capability

When examining your organisational and technical capacity to hold a retail authorisation, the AER will look at your industry experience, operational systems and staff expertise. In practice this means reviewing the resumes of your key staff, the various policies and procedures that you have to ensure compliance with all applicable law, and the systems that you will rely upon to ensure that you operate compliantly.

Experience in the industry

The AER will expect you to have key staff and executives with the necessary level of experience in the energy market. Typically, this means that you will need to have individuals with responsibility for operations, compliance, finance, and risk management who each have experience in the energy market. If you do not have individuals with such experience, you will need to explain how you will bring such capability into the business, for example by working with an experienced consultant.

Business plan

Your business plan will form the foundation of the AER’s assessment of your retail authorisation application. It provides the context of your proposed operations and the scope of those operations. In broad terms, your business plan should describe your business, its objectives, its unique selling position, and its financial and operating forecast for the first 3 to 5 years, including anticipated customer growth, revenue and expenses, and a cash flow analysis.

Compliance and risk management

Energy retail is a highly regulated industry, more so than any other industry in Australia. In your energy retail authorisation application, you will need to clearly demonstrate how you are able to comply with all applicable laws. This means that you will need to show that you have a compliance program that is consistent with the relevant Australian standard and that you have various documents in place that set out how you will comply. Alongside compliance is risk management. You will need to provide details of your risk management strategy covering both financial and operational risks.

Financial capability

The AER carries out a point-in-time assessment of an applicant’s financial capacity. It is looking to ensure that an applicant has (or has access to) adequate financial capacity to support the planned retail operations. Consequently, such an assessment relies heavily on an applicant’s business plan and approach to managing financial risk. In practice, the AER looks to ensure that you will have access to capital equal to at least one year’s worth of operating expenses, assuming that you have no revenue. In examining operating expenses, the AER would expect you to include staffing, insurance, accommodation, wholesale acquisitions, network service costs, customer support and billing system costs, and ombudsman fees.

In terms of satisfying this criterion, the AER will examine your financial reports, if you are an existing business, and details of your current financial position such as interim financial statements and bank statements. The AER will also examine your ownership structure, contractual arrangements, and require declarations from your chief financial officer or chief executive officer. Finally, the AER requires a written declaration from an independent auditor or from your principal financial institution stating that an insolvency event has not occurred, that an insolvency official has not been appointed, and that they are unaware of any other factor that would impede your ability to finance your energy retail activities under the authorisation.

The AER’s assessment of financial capacity is a point-in-time assessment. On an ongoing basis, AEMO is responsible for oversight of a retailer’s financial capacity with respect to wholesale acquisitions.

Suitable Person

The question of whether a person is suitable to retail energy goes beyond an assessment of financial and organisational capacity and extends to a person’s character and reputation. The test here is similar to that applied when a regulator is considering whether a person is ‘fit and proper’. In examining suitability, the AER looks to your previous commercial dealings, as well as those of your officers, associates and any other entity that exerts control over your business activities. Such an assessment looks at the degree of honesty and integrity shown in those commercial dealings and whether you are likely to contribute to the national energy retail objective. In satisfying this criterion, you will be required to include a number of declarations, including as to any previous criminal convictions and regulatory actions.

Webinar on obtaining a retail authorisation

In the following webinar we provide an overview of the application process for a retail authorisation along with detail on some of the common traps. 

Frequently Asked Questions

No, Victoria has a separate guideline and there is a range of significant differences in the process and expectations of the Victorian Essential Services Commission when compared to those of the Australian Energy Regulator. Typically, you will require new documents, such as a financial hardship policy, specifically for Victoria. You should also note that the Essential Services Commission takes significantly longer to assess an application than the Australian Energy Regulator.

As noted above, you will need to satisfy the AER that you have access to the resources you require elsewhere for example from a consultant. 

If your entity is the one selling energy, it will need a retail authorisation. There is no option to rent a retail authorisation. From the perspective of the AER, the applicant is the entity that was assessed and so it must satisfy the eligibility criteria itself.

If your main business activity is selling energy then it is likely that you will need a retail authorisation. There are various exemptions available if you are selling energy incidentally, for example if you are an owners corporation, however a number of these will be phased out over time.

There is no application fee payable to the AER. There is a fee to apply to become a market participant with AEMO, which is needed if you are going to trade on the energy market and supply on-market customers. There are also fees for joining the ombudsman schemes in each state and, finally, SA charges a fee for retailers operating in that state.

Ausgrid’s Proposed Embedded Network Tariff.

Ausgrid's Proposal

The Australian Energy Regulator (AER) has published its determination on Ausgrid’s proposed amendments to its Tariff Structure Statement (TSS). The AER has decided not to approve the proposed amendments, which would have introduced a new network tariff for embedded networks. The AER was not satisfied that the threshold to amend the TSS had been met.

Ausgrid’s current TSS applies for the 2019 to 2024 period, and was approved by the AER in April 2019. In September 2019, Ausgrid submitted a proposal to amend its current TSS. The proposal sought to introduce a new network tariff for certain embedded networks on 1 July 2020.

The AER's Consideration and Conclusion

In considering the proposed amendment, the AER examined, first, whether an event had occurred that was beyond Ausgrid’s reasonable control and that could not have been foreseen by Ausgrid at the time of the final decision, and secondly, whether as a result of the event the proposed amended TSS would be, or would be likely to be, materially better at complying with the distribution pricing principles than the existing TSS.

Ausgrid based its proposal on three events:

1. The AER’s decision not to approve its placeholder network tariff for embedded networks;
2. An unanticipated forecast increase in the number of embedded network customers in its distribution area; and
3. The release of the AEMC’s final report on updating the regulatory arrangements for embedded networks.

The AER concluded that it was not reasonably satisfied that there was an event that occurred beyond Ausgrid’s reasonable control or that could not have been reasonably foreseen at the time the final decision was made.

Power Purchase Agreements – PPAs – new compliance challenges webinar


Solar Power Purchase Agreements are on the rise in Australia. Solar PPAs are regulated primarily through the AER’s (and in Victoria, the ESC’s) retail and network exemption framework. This presentation follows on from our earlier webinar on PPAs. We address two current compliance challenges for solar PPAs: the new lease accounting standard and metering requirements.

What is a Power Purchase Agreement (PPA)?

  • A contract to purchase electricity at a pre-determined price for a fixed period.
  • PPAs take a variety of forms: physical/virtual, behind-the-meter/market, solar/non-solar.
  • Each type of PPA presents an opportunity as well as certain potential costs.

Regulatory Framework for PPAs

General Rules

Generally applicable laws and regulations govern PPAs, such as:

  • Australian Consumer Law
  • The Corporations Act 2001, including Part 2M.3 Financial Reporting

Sector Specific Rules

The standard solar PPA form is governed by the retail and network exemption frameworks administered by the AER and the ESC (Vic).

New Regulatory Challenges

1. IFRS 16/AASB 16

The new accounting standard, AASB 16, may require PPA purchasers to change the way they report PPAs. Generally, operating leases will now be a ‘right-of-use’ asset with a corresponding lease liability. They will now be ‘on balance sheet’.

2. Metering

There is some confusion amongst PPA businesses as to their metering obligations, which were recently clarified by the AER in its Quarterly Compliance Report.


The existing (old) standard

  • Operating and finance leases are distinct for both lessees and lessors.
  • Operating leases are expensed rather than listed as an asset.
  • Operating leases are ‘off’ balance sheet.

The new test

AASB 16 collapses the distinction between operating and finance leases for lessees. This means that most leases must now be ‘on’ balance sheet. It introduces a new test:

A contract is, or contains, a lease if the contract conveys the right to control the use of an identified asset for a period of time in exchange for consideration (AASB 16, para 9).

Right to control

The right to obtain substantially all of the economic benefits from use of the identified asset; and the right to direct the use of the identified asset (AASB 16, Appendix B9).

  • PPA purchasers need to consider whether existing PPAs incorporate a lease and are now ‘on balance sheet’. This has a range of effects:
  • Impact on net debt, debt-to-equity, return on assets, quick ratio.
  • Effect on profitability, EBITDA, operating cash flows.
  • Effect on KPIs, including debt covenants, remuneration, bonuses etc.

First Example

[Figure: first example, from Deloitte Touche Tohmatsu, Leases: A Guide to AASB 16, p100.]

Second and third examples

[Figure: second and third examples, from Deloitte Touche Tohmatsu, Leases: A Guide to AASB 16, p100.]

Metering and behind the meter PPAs

Metering requirements for ‘on-market’ PPAs supplied through the grid are subject to the National Electricity Law, the National Electricity Rules and associated procedures, including the Metrology Procedure.

In its recently released Quarterly Compliance Report, the AER reported a number of inquiries from solar providers about metering requirements for solar PPAs.

Consequently, the AER has confirmed the requirements that apply to ‘behind-the-meter’ solar PPAs.

Solar PPA metering

Behind-the-meter Solar PPAs are not subject to the same metering requirements as on-market solar PPAs.

By virtue of the network exemption guideline, they are subject to the accuracy requirements of the National Measurement Act. This means only meters with National Measurement Institute pattern approval are compliant with both the conditions of network exemption and federal law. Go to

Note. These PPAs also have obligations under Schedule 7.4 of the NER which sets out technical inspection and testing requirements.

Compliance Quarter

If you have any questions or want further information or assistance please contact me at or

For a confidential chat or free quote for our services, please contact us on , phone us on 02 8234 1333 or click here for our contact form.

Should Australia follow Argentina and introduce a National Regime for Distributed Generation?


One year ago, I arrived in Buenos Aires for the first time. Heading to a salsa club in the fashionable Palermo Soho district, my partner and I discovered that not only the club, but the entire city block, was pitch black. Chatting with fellow salseros in the dark we were informed that, yes, this kind of power outage was normal and no, power would not be restored any time soon.

Power outages both planned and unplanned are not uncommon in Buenos Aires. In February of this year, a power outage on one of the hottest days of the year left around 370,000 people in the city without power. Of course, unplanned outages and load shedding happen in Australia too. As in Argentina, the catalyst for outages tends to be heat wave events where residential consumption soars.

In today’s article, I look at how Argentina’s new distributed generation regime (the Regime) is intended to strengthen reliability and security in the grid and how this compares with the Australian policy settings for distributed (or ‘embedded’ generation).


By Dr Drew Donnelly, Regulatory Specialist, Compliance Quarter

1. The Similarities in the Argentine and Australian Energy Landscapes 

There are some instructive similarities between Argentina and Australia when it comes to energy:

• Abundant natural gas resources, with a significant quantity being exported;
• Enormous renewable energy potential (solar for Australia and Northern Argentina, wind for the vast Patagonia region);
• A federal system of government with substantial devolution of energy policy to regional jurisdictions (states and territories in Australia, provinces and the capital in Argentina);
• Strong population growth and ‘clumping’ in certain areas as opposed to even distribution (focused on the south-eastern seaboard in Australia, and on the banks of the River Plate in Argentina);
• Extreme temperature variation across seasons, including heat waves in summer.

As mentioned earlier, the last similarity is the catalyst for power outages in both countries. However, the underlying causes of outages in the two countries are distinct. In Argentina, the outages are caused by heavily degraded network infrastructure, including low-voltage wiring and transformers. The network infrastructure fails when consumption is high. By contrast, in Australia, a key contributor to outages has been the proliferation of non-dispatchable renewables such as wind and solar and a technical limit on importing dispatchable generation from adjacent states via interconnectors.

Like Australia, Argentina struggles with the same question that guided the Finkel Review: how does any nation in the 21st century balance a secure and reliable energy system with one that is affordable and meets emissions targets? The Australian Commonwealth Government’s response is the National Energy Guarantee (the NEG) with its ‘reliability’ and ‘emissions’ obligations. However, other important initiatives that are part of the Government’s response are distributed/embedded generation and demand response initiatives. Distributed generation is electricity generation by many separate electricity users at their point of consumption (such as through rooftop solar photovoltaic (PV) or an in-house diesel generator).

2. The Argentine Response: Distributed Generation

Argentina has not developed a market-based response (such as the NEG) to the ‘Finkel question’. With respect to reducing emissions, the Federal Government has set a renewable energy target of 20 per cent renewables by 2025, which is supported by ‘RenovAr’, a series of public bidding rounds for renewable investment with long-term Power Purchase Agreements (PPA). Through this, the Argentine Government expects US $15 billion of renewable investment.

What about dealing with power outages? The Australian example has shown that, unless other measures are taken, investment in renewables can be negatively correlated with system security and reliability. As a part-solution, as well as an attempt to increase renewable generation, in November last year, the National Congress passed a law titled the Promotion Regime for Distributed Generation of Renewable Energy Integrated in the Public Electricity Grid (the Regime). This is designed to increase the use of solar PV in dwellings and hence reduce the load drawn from the grid during extreme weather events.

The key elements of the Regime include:

• a procedure that the customer, the ‘user-generator’, must follow with the distributor for authorisation to connect to the grid;
• obligations on the user-generator and the distributor to sign a distributed generation agreement;
• a billing framework to compensate the user-generator for the value of their energy ‘injected’ into the grid through a ‘net metering’ mechanism;
• a prohibition on distributors charging access fees or any other kind of tax associated with the installation of distributed generation systems;
• a fund for distributed generation, which will be used for grants, loans and other incentives in order to support take-up by customers;
• a framework for tax incentives and other support (such as preferential financing) for the manufacture of equipment that promotes the distributed generation of renewable energy; and,
• an obligation to incorporate distributed generation systems in national public buildings.

Regulations setting out the operational details of the Regime are under development and should be released shortly.

3. Differences between the Argentine and Australian approach to Distributed Generation

We discussed some core elements of the Australian approach to distributed or ‘embedded’ generation at What are the key differences between the Regime and the Australian approach?

• It is a federal approach, standardising the rules for distributed generation across the country. While some rules for connecting embedded generation are contained in the National Electricity Rules in Australia (and therefore apply across the National Electricity Market (NEM) jurisdiction), many matters including funding, pricing and licensing requirements differ significantly by state/territory;
• The Regime prohibits connection charging by the distributor. This is permitted in Australia. This could further incentivise distributed generation in Argentina. On the other hand, this will be facilitated by Government subsidies to distributors, the details of which are not yet available. If the subsidies are not sufficient then distributors will inevitably cut costs somewhere (such as cutting investment in new network infrastructure);
• The Regime legislates nationally for distributed generation to be settled by net-metering. That is, the customer’s electricity consumption bill will be discounted by the amount produced and fed into the grid. While Australian jurisdictions have moved to a net (rather than ‘gross’) metering regime in recent years, some argue that this disincentivises solar investment. In particular, this may be an insufficient financial benefit to encourage battery storage of solar. In Australia, at least the tariff structure can be varied by states and territories depending on their success.

On the one hand, a nationally uniform approach to distributed generation, such as Argentina’s, may be beneficial in publicising, simplifying and clarifying for everyone the rules for distributed generation and solar PV. The Australian approach, with considerable differences in rules between states and distribution network areas, can be confusing and result in some states/territories (those with the more supportive distributed generation arrangements) carrying a disproportionate burden. On the other hand, whether or not distributed generation will be successful in reducing the burden on network infrastructure ultimately depends on the economics of that investment. Currently, the prohibitive cost of solar PV equipment in Argentina, and the lack of clarity around subsidies, mean that a substantially increased uptake in distributed generation is some way off.

[1] See

[2] It is usually claimed that this network under-investment is a result of utility price freezes by successive Governments meaning that distributors have had insufficient funding to upgrade the network for population growth. For more, see

[3] See Independent Review into the Future Security of the National Electricity Market – Final Report (the ‘Finkel’ Review), p36-40.

[4] For more information, see

[5] To learn about demand response, see

[6] For more information see

[7] See

[8] See

[9] As a result of high import duties, and lack of local manufacturing, it is estimated it would take 12-13 years for a customer to recover their solar PV investment. See

GDPR: The Legitimate Interests test

On 25 May the EU General Data Protection Regulation (GDPR) came into force. If you need help in working out whether or not your Australian business will be affected by GDPR, please get in touch with us without delay. We have offered updates recently on:

– Cross-country data transfer;
– Consent.


By Dr Drew Donnelly, Regulatory Specialist, Compliance Quarter

Today we update you on one of the more perplexing aspects of the GDPR: the ‘legitimate interests’ ground for processing personal data. On the one hand, the GDPR makes it easier for organisations to know when personal data processing is permitted (or ‘lawful’). The clear-cut definition of ‘consent’ means all organisations can be on the same page as to whether consent holds. On the other hand, the ‘legitimate interests’ ground requires each organisation to engage in a ‘balancing’ exercise in which it determines for itself whether processing in a particular case is justified or not. We explain this ground below.

GDPR Legitimate Interests

Article 6(1) describes a range of grounds under which processing of personal data of EU data subjects is permitted (‘lawful’). Article 6(1)(f) of the GDPR provides that processing is lawful where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”[1]

This might be separated into three tests that the organisation can ask itself in determining whether or not the legitimate interests ground is met.[2]

Purpose test: are you pursuing a legitimate interest?

Necessity test: is the processing necessary for that purpose?

Balancing test: do the individual’s interests override the legitimate interest?

While the necessity test is self-explanatory, we consider the other two tests below.

GDPR legitimate interests – Purpose test

No definition of ‘legitimate interests’ is given in the GDPR to make clear when a purpose will be a legitimate, or an illegitimate, interest. However, the EU’s Article 29 Data Protection working group offered the following in its guidance on the old EU Directive[3]. The purpose must:

  • be lawful (i.e. in accordance with EU and national law);
  • be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. be sufficiently concrete);
  • represent a real and present interest (i.e. not be speculative).

On a practical level, an organisation using this ground must document a concrete purpose for the processing, that the purpose is lawful, and that it represents a real, not hypothetical or possible future, purpose for collecting the data. Other constraints on this test include:

  • it cannot be used by a public authority (art 6(1));
  • the processing of personal data strictly necessary for the purposes of preventing fraud is a legitimate interest (see recital 47);
  • the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (see recital 47).

Note that this advice is of a general nature (except in the case of fraud). Direct marketing is not automatically a legitimate interest. It may be a legitimate interest in some cases, depending on the judgement of the organisation (and it is always subject to the balancing test besides).

GDPR legitimate interests – Balancing Test

Assuming that the first two tests are met, the organisation then needs to consider whether its legitimate interest is outweighed by the interests or fundamental rights and freedoms of data subjects. Recital 47 emphasises the need for “careful assessment as to whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.

It is worth noting here that ‘interests’ is a broader term than rights, covering anything that might be important to the data subject. Note also that it need not be a ‘legitimate’ interest – even unlawful interests of the data subject need to be taken into consideration. In carrying out the balancing itself, it will be useful to consider:

  • how important the organisation’s ‘legitimate interest’ is;
  • the nature of the data;
  • the way in which the data are processed (e.g. large scale, data mining, profiling, disclosure to a large number of people or publication).[4]

If you think we could be of any assistance in carrying out a ‘legitimate interests’ assessment for the EU Personal data you control or process, please get in contact with us.


[1] For the full GDPR see

[2] See helpful guidance from the United Kingdom Information Commissioner’s Office at


[4] See, pp55-56.

OAIC releases first quarterly statistics report under the NDB Scheme


By Anne Wardell, Compliance Quarter. 


The OAIC has published its first quarterly statistics report under the NDB Scheme, Notifiable Data Breaches Quarterly Statistics Report: January 2018 – March 2018. It is interesting to note that the total number of breaches notified in the first quarter was 63. Remember that the NDB Scheme only commenced at the end of February 2018.

The report provides useful snapshots of the findings such as the top five industry sectors where an NDB occurred:

[Figure: NDB Scheme – top five industry sectors]

The most common type of personal information revealed was contact information. It is perhaps of some concern that the next two most common types of information disclosed were financial details and health information:

[Figure: NDB Scheme – types of personal information involved]

Although 73% of the eligible data breaches involved the personal information of fewer than 100 individuals, 27% of breaches involved more than 100 individuals.

[Figure: NDB Scheme – number of individuals affected]

The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, commented on the report and indicated that:

‘Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks.

‘Just over half of the eligible data breach notifications we received in the first quarter indicated that the cause of the breach was human error. In the 2016–2017 financial year 46 percent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error.

‘This highlights the importance of implementing robust privacy governance alongside a high standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information.’ (Source: Notifiable Data Breaches first Quarterly report released, OAIC News, 11 April 2018).

Although human error was responsible for 32% of the breaches, malicious or criminal attacks represented 28% of the breaches. It is important that systems which handle personal information are protected from such attacks.

[Figure: NDB Scheme – sources of breaches]

The Report provides the following overview:

[Figure: NDB Scheme – report overview]

It is important for all Australian businesses to be aware of the quarterly reports and to review the findings as a way of ensuring that their systems and the protections in place remain effective.

Should you wish to discuss the NDB scheme with the team here at Compliance Quarter please click here.

Solar feed-in tariffs 2018/19 for NSW call for submissions


By Anne Wardell, Compliance Quarter. 

The Independent Pricing and Regulatory Tribunal (IPART) has released an Issues Paper for discussion on the solar feed-in tariffs for 2018/19. IPART is seeking written submissions by 16 April 2018. Information about how to lodge a submission is contained in the Issues Paper.

IPART has provided the following useful infographic in relation to the process:

[Figure: Solar feed-in tariffs – IPART process infographic]

The Terms of Reference set out the following parameters which must be considered in conducting the investigation:

  • There should be no resulting increase in retail electricity prices; and
  • The benchmark range should operate in such a way to support a competitive electricity market in NSW.

The final report is to be provided by 30 June 2018.

Further information about the investigation can be found on the IPART website at Solar feed-in tariffs 2018/19.

Or contact the Compliance Quarter team by clicking here.

February Fintech Roundup: The Open Banking Review and Fintech lending to SMEs

In February we saw the release of two reports that could have a significant impact on financial technology (fintech) in Australia. The first is the final report of the ‘Open Banking Review’ which is currently open for public consultation. The second is a collaborative report from the Australian Small Business and Family Enterprise Ombudsman (ASBFEO), FinTech Australia and the BankDoctor into fintech lending to small and medium-sized enterprises (SMEs).

Today we address the key impacts these reports could have on fintech businesses (fintechs).


By Dr Drew Donnelly, Compliance Quarter. 

Open Banking Review: Final Report

In February 2018, the final report of the Open Banking Review was released for consultation. The report recommends that all authorised deposit-taking institutions (ADIs) must implement Application Programming Interfaces (APIs) allowing customers to share their transaction data with the third parties that they choose.

There is a range of matters in the report that will impact on fintechs, but the more significant ones are:

  • Eligibility for fintechs to become accredited to receive transaction data. This will be crucial for fintechs that trade in financial products when assessing the creditworthiness of customers;
  • Fintech involvement in the process of developing APIs for transaction data.

All the recommendations contained in the report are being consulted on and submissions can be made to by 23 March 2018.

Report on Fintech lending to small and medium-sized enterprises (SMEs)

This wide-ranging report (the Report) into the current state-of-play for fintech lending to SMEs, released on February 27, is based on an in-depth survey of fintech lenders (fintechs) to SMEs and deliberations of an industry working group. The Report discusses a range of challenges for the sector, with solutions in various stages of development:

  • Compliance with unfair contract terms provisions of the Australian Consumer Law (ACL). Analysis of survey results showed that lenders were aware of their obligation to comply with this law and have been taking steps to comply. The fintech lending industry has committed to working with ASIC and the ASBFEO to review contracts in order to ensure compliance across the industry (the Report, p32).
  • Glossary of lending terms. This is provided as a schedule to the report with the intention of standardising certain terms across the industry. It has been reported that, as fintechs can use different names for the fees they charge, there has been confusion for SMEs attempting to make comparisons between products (the Report, p41).
  • Dispute resolution. It is not currently a requirement for fintech lenders to SMEs to be a member of an external dispute resolution service (unless they are otherwise required to do so, such as when they hold a credit license). This makes it all the more important that fintech lenders have robust internal dispute resolution processes in place (the Report, p41).
  • Comparison. Currently, there are inconsistencies in the comparison tools and metrics used to compare different fintech lending products. Industry participants aim to implement a standardised approach for comparing unsecured fintech business loan products by June 2018 (the Report, p42).
  • Simple loan contract summaries. It is proposed that transparency and disclosure would be aided by a simple loan contract summary page that summarises key industry-agreed rates, fees and costs. Fintechs have agreed to try and resolve what information should be included as part of a standardised simple loan contract summary for unsecured small business loans (the Report, p42).
  • Code of Conduct. The industry working group has committed to developing (after consultation) a Code of Conduct to cover fintech lending for unsecured business loans (the Report, p42). This code will:
    • outline best practice principles;
    • set out legitimate customer expectations;
    • prescribe the comparative measures to be used; and
    • be expanded upon incrementally to include the full range of financial products.

Keep an eye on our website or provide your email in the popup for more curated analysis and content regarding the banking, financial and fintech sectors in Australia. Alternatively, contact us directly by clicking here.

Free Webinars during the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry

Every Tuesday at 2pm (AEST/Sydney time) we will be running a free webinar to look at the past week’s developments from the Royal Commission. You can sign up for the first in the series by clicking here.