Energy and Climate are among the EU’s top priorities. The EU aims to replace 80% of electricity meters with smart meters by 2020. As a matter of fact, the usage of smart metering and smart grids would reduce emissions in Europe by up to 9% and would have a similar effect on annual household energy consumption.
Smart grids and smart meters are devices to help consumers and suppliers to adapt their energy usage (in time and volume) by providing information on real-time energy consumption and switching certain devices on and off automatically to optimise the load on the grid.
The rollout of ‘smart metering systems’ across Europe enables the collection of electricity consumption data in every household, which can be personal data. Developing such technology in a world where everybody is speaking of data protection and the famous General Data Protection Regulation (GDPR) raises some questions.
In that respect, the European Commission has set up a Smart Grids Task Force, consisting of five Expert Groups focusing on different specific areas. One of those, Expert Group 2, is in charge of mitigating the risks to privacy and security of smart metering systems. Several documents have already been produced by that Group.
Together with the Commission, Expert Group 2 developed a template for carrying out a Data Protection Impact Assessment (DPIA). The GDPR requires that “where a type of processing in particular using new technologies, (…) is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. In 2017, the WP29 adopted Guidelines in order to clarify where a DPIA should be undertaken. The Guidelines set up a list of nine criteria: the more criteria the processing meets, the more likely it is to present a high risk to data subjects and therefore to require a DPIA. The WP29 suggests that meeting two out of nine criteria is the trigger to conduct a DPIA. Regarding the specific topic of smart meters, at least three seem applicable: evaluation or scoring, including profiling and predicting; data processed on a large scale; and innovative use/application of new technological or organizational solutions.
The new Electricity Directive as a lex specialis to the GDPR
Next to the Task Force, the European Commission proposed to adapt the Electricity Directive in order to include in the text some provisions regarding data protection issues specific to smart meters. In that way, while the GDPR provides a generic legal framework for the privacy and data protection of consumers, the new proposal for an Electricity Directive (still under discussion) would act as lex specialis.
The text stipulates that smart metering deployment and data management have to be settled at Member States’ level. However, no clear recommendation exists at the European level regarding the different roles of processor and controller allocated by the GDPR.
Nevertheless, one can define the controller as the “metered data responsible”, who handles metered, contractual and network data. In most cases this would be the Distribution System Operator (for example, Fluvius in Belgium). As for the processor, it would for instance be the organisation in charge of meter reading or quality control of the reading, or any other organisation to which the controller would delegate part of the processing on its behalf.
Besides those very important Distribution System Operators, some Member States have chosen to set up a separate entity: a central communication hub. In such a model, the data are stored on the smart meter itself; the central communication hub is responsible for routing the data to the Energy Suppliers, Distribution System Operators and other third parties, but does not store them. This system would require an appropriate consent from the data subject before any transmission of the personal data.
Finally, attention should be given to the rights of the data subjects set out in the GDPR.
Indeed, the GDPR includes a wide range of rights for data subjects, most of which are underlined as well in the proposal for an Electricity Directive. Special attention should be given to the right of portability that, we believe, would be of great importance in the context of Energy Providers, in relation to competition and switching from one Energy Provider to another. In Belgium, Atrias is the clearing house that has taken charge of this. WP29 has adopted Guidelines regarding the right of portability in which it states that the data subject to the right are not only the “data actively and knowingly provided by the data subject” but also personal data that are observed from the activities of users, such as raw data processed by smart meters. However, user profiles obtained after the analysis of the metering data collected do not appear to fall within the definition of data “provided by” the data subject.
The right of portability applies without prejudice to the right to be forgotten and does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This task can be taken on by the Distribution System Operator, if a law gives it this function.
In conclusion, the massive rollout of smart meters across the European Union will bring significant benefits but will also introduce challenges to the protection of personal data. Next to the European legislation, most of the Member States are also building a legal framework for the introduction of smart meters.
Needless to say, the challenges are going to be high in the utility sector in the near future.