Thursday 22 March 2018

Data protection and smart meters: the GDPR and the ‘winter package’ of EU clean energy law







Alessandra Fratini and Giulia Pizza, FratiniVergano, European Lawyers - a Brussels-based law firm specialising in European and international law


On 30 November 2016, the Commission launched the Clean Energy for All Europeanslegislative package, aimed at modernizing the European electricity market and facilitating the transition to more decentralized, clean energy solutions. “Decentralization” is seen as a driver for innovation and the key factor for rebalancing energy actions in favour of a demand-driven policy, where consumers are equipped with the right tools to actively participate in this paradigm shift. Smart metering systems are one of the “right tools” for consumer empowerment, as they allow users to make decisions about their energy consumption by reacting to real-time tariffs.
The proper functioning of smart meters requires that a significant amount of sensing data be collected and processed by eligible parties and made available to entitled stakeholders. That generates data protection challenges and creates new risks for the data subjects with a potential impact in areas (e.g. price discrimination, profiling, household security) previously absent in the energy sector. While the General Data Protection Regulation (GDPR) provides the general legal framework for ensuring privacy and data protection of final consumers in the context of the smart meters’ roll-out, the Commission’s proposal for a recast of the Electricity Directive (which is part of the “Clean Energy for All Europeans” package and specifically regulates smart meters’ deployment) includes detailed provisions to ensure that data protection issues are properly tackled. It is understood that, once adopted, the latter would act as lex specialis with reference to the generally applicable GDPR provisions.
After an overview of the evolution of smart meters in EU law, this article reviews the challenges that smart metering systems pose to the protection of personal data and how these can be addressed under the GDPR provisions, read in conjunction with the specific requirements on data protection foreseen in the recast Electricity Directive.
Smart Metering Systems in EU law
Smart meters are electronic devices that record real-time production and consumption of electricity and communicate that information to the utility operator for monitoring and billing. Smart meters allow consumers to adapt their consumption – in time and volume - to real-time energy prices, thereby helping them to manage their usage more effectively and, conceivably, save money.
The deployment of smart meters is expected to improve customer service, with more accurate billing, easier and quicker switching between payment methods. It will also increase the opportunities for consumers who produce their own energy to respond to prices and sell excess to the grid.
The idea of equipping consumers with intelligent systems allowing them to manage their energy consumption was developed in the 2006 Energy Service Directive (ESD) and later taken up in the (still in force) 2009 Third Energy Package, which marked a turning point in the energy market integration process within the EU. With the third package, in fact, the focus shifted to the development of an effective retail market, with specific measures being designed to grant energy consumers a number of rights, such as the right to switch energy providers and receive clear energy bills. It is exactly from the perspective of consumer empowerment that the 2009 Electricity Directive strongly promotes the use of intelligent metering systems for the long-term benefit of consumers.
In line with the same spirit, the 2012 Energy Efficiency Directive (EED) includes a comprehensive set of measures on metering and billing with a view to extending the scope and further clarifying the provisions foreseen in the Third Package and in the ESD. In addition, for the first time, the EED touches upon data privacy and security in the installation of smart meters and foresees, among the obligations imposed on Member States, compliance with relevant Union data protection and privacy legislation.
Finally, the 2016 Clean Energy Package, also known as the “Winter Package”, further fits into this picture. The Commission acknowledged that it was time to update the existing framework to make it compatible with the higher levels of flexibility and decentralisation of today’s energy sector, and to create the enabling environment to facilitate the “paradigm shift” to a more competitive and consumer-centred market structure.
In particular, the proposal for a recast of the Electricity Directive introduces new rights to empower and better protect end users, such as the right to clearer billing information and certified comparisons tools, the entitlement to a dynamic price contract, the possibility to engage in demand-response and in self-generation of electricity. Smart meters are the essential tools to allow for an effective exercise of these rights. In this context, the recast Directive provides specific definitions for smart metering systems and interoperability and devotes a specific section (Articles 19-24) to smart meters’ functionalities, deployment, and data management issues.
Article 20 of the proposal sets out seven principles to be applied when rolling out smart meters. Out of those seven principles, four relate to the protection of personal data, including consumers-data subjects’ rights. In particular, points b) and c) state that security of data communication and data protection of final consumers shall be ensured in compliance with relevant Union security and data protection legislation. On data subjects’ rights, point e) stipulates that energy consumers are entitled to access metering data on their electricity input and off-take in an easily understandable format, while point f) requires Member States to ensure that consumers are duly informed at the time of installation of smart meters of the collection and processing of their personal data. 
Besides the abovementioned principles, a more specific set of provisions (Articles 23 -24 and Annex III) focuses on energy data access and management and reiterates the need to ensure the highest level of cyber-security and data protection by applying the best available techniques in the field.
Key data protection issues in smart metering systems under the GDPR and the Winter Package
A smart meter is supported by a communications network that collects and processes an increasingly high quantity of personal data and makes it available to entitled stakeholders and systems. These data are collected everywhere in the smart electricity system, including consumers’ homes and, possibly, electric vehicles. In this respect, final consumers’ trust and confidence are crucial: without proper guarantees on data protection, consumers are likely to be reluctant to take risks and might possibly dismiss innovation in favour of conventional meters.
Being the development of standards for data protection and security key to realising the full potential of smart metering in the EU, an express reference to the recently adopted GDPR is included in the section on smart meters (Article 23) of the recast Electricity Directive. Investments in smart metering technology also depend on consumer’s trust in the utilities and network operators. The draft Directive aims at stimulating consumer involvement with attractive incentives, while at the same time creating an indissoluble bond between smart meters’ technical implementation and compliance with EU data privacy and security standards.
The specificities of smart meters raise some key specific issues in relation to the application of the GDPR and the (future) recast Electricity Directive, such as the qualification of “energy data”, the allocation of responsibilities in energy data management and the rights of the data subjects.
 Qualification of “Energy data”
Smart metering systems process huge amounts of data as part of their routine technical operations. The first issue that arises is thus whether all of those data shall be regarded as personal data.
Nulla questio for registration data provided by the data subject when entering a contract for the roll-out of a smart meter, i.e. name, address and information on consumer’s billing data and payment methods, which are unquestionably “personal data”. The conclusion is less undisputable when it comes to consumer’s “energy data”, which are identified by the recast Electricity Directive as metering and consumption data, and data required for consumer switching. While these data, at first sight, might be considered as technical data and, as such, deemed to fall outside the scope of the GDPR, they are actually – and inextricably - linked with the natural person who is responsible for the metering account via a unique identifier, such as a meter identification number. These data are therefore to be regarded as personal data because they are associated with an identified or identifiable user and disclose information on his/her energy usage, thereby providing insights on the daily life of the data subject. When the data subject is a “prosumer”, i.e. a small or medium-sized agent which both consumes and produces electricity, the “energy data” refer to the amount of energy and power injected into the grid, which in turn provide information on the amount of available energy resources of the data subject.
The above reading of “energy data” as personal data would be in accordance with the GDPR, whose definition of personal data includes information revealing the economic situation of the data subject. That is all the more true, if one considers that energy data may be more or less detailed based on the consumer’s needs, as they can be designed and tailored accordingly. “Energy data” represent therefore an increasingly valuable asset not only for final consumers, who can adjust their behaviour to variable tariffs to reduce their energy expenditure, but also and especially for policy makers who have a precious instrument (consumers’ real-time feedback) at their disposal to effectively target, monitor and evaluate measures and actions in the field.
However, data gathered from smart meters can also be used for other purposes. Energy data allow for a better understanding of customer segmentation, customer behaviour and how pricing influences usage. As such, those data might be used for specific profiling exercises, e.g. to gather sensitive information on the end-user’s energy-based footprint in his/her private environment, his/her behavioural habits and preferences by analysing the information collected through the meters. Smart meters will likely have an impact on the competitive pressure within energy supply markets, as the provision of accurate and reliable data flows by the smart metering infrastructure will enable easier and quicker switching between suppliers. Accessing consumers’ data on energy preferences will therefore constitute a significant advantage for energy utilities. That is why adequate levels of protection shall be ensured during both the transmission and the processing phase, to avoid unauthorised consumer profiling based on the detailed meter readings and other possible “further” uses of those data.
In addition, the potential risks associated with the collection of detailed consumption data are likely to increase in the context of the so called “internet of things”, where energy data can be combined with data from other sources, such as geo-location data, data available through tracking and profiling on the internet, video surveillance systems and radio frequency identification (RFID) systems. The critical issue is in fact that smart meters could constitute the entrance gate to get a privileged access to the digital domain of a household.
Data management and allocation of responsibilities
As clearly established by Article 23 of the recast Electricity Directive on data exchange and management in the context of smart meters’ roll-out, any issues relating to energy data handling are to be tackled at national level. It follows that Member States, or the competent authorities, “shall organise the management of data in order to ensure efficient data access and exchange” including specifying the eligible parties which may have access to data of the final customer, provided that explicit consent is given in accordance with GDPR provisions. Eligible parties shall include at least customers, suppliers, Transmission system operators (TSOs) and Distribution system operators (DSOs), aggregators, energy service companies, and other parties which provide energy or other services to customers. This list is understood to be purely indicative and non-exhaustive, considering the highly dynamic environment of the energy sector.
The GDPR identifies characteristics and responsibilities of data controllers, processors and third parties authorised by controllers and processors to collect and process personal data. The controller is the sole responsible, alone or jointly with others, for determining the purposes and means of the processing of personal data while the processor performs the processing of personal data on behalf of the controller. The third party processes personal data under the direct authority of the controller or processor and solely if authorised to do so by those. Finally, recipient is the party to which the personal data are disclosed, whether a third party or not.
As the implementation of smart meters involves a number of actors in the processing of personal data, it is crucial to identify who, in that context, should be regarded as data controller, processor or simply an authorised third party. The allocation of roles and responsibilities might not be straightforward, since the arrangements for smart metering deployment - and consequently the data management model - are a matter to be addressed at Member States’ level and no clear guidance exists at EU level. Given the number and complexity of relationships, it is likely that there will be difficulties in applying the relevant definitions.
Nevertheless, based on the GDPR, the following set of roles and responsibilities can be identified. The controller could be defined as the “metered data responsible”, who handles metered, contractual and network data. Its responsibilities are collecting, validating, analysing and archiving historical data as well as ensuring that customers have at their disposal their consumption data and giving, by explicit agreement and free of charge, any registered supply undertaking access to its metering data. The role of the processor can be associated with that of the “metered data collector” or of the “metered data aggregator”, who are respectively responsible for meter reading and quality control of the reading and for the establishment and qualification of metered data from the metered data responsible or controller. The recast Electricity Directive proposes that the parties which are managing data be authorised and certified by the national competent authorities in order to ensure compliance with the data protection requirements. This is in line with the GDPR, which encourages Member States to establish certification mechanisms and codes of conduct to demonstrate the existence of appropriate safeguards provided by controllers or processor.
In most Member States, the DSO is the metering operator and, as such, it is the data controller in the first phase of the metering data process. The DSO´s process ends with creating a bill for network usage; in a second step, the metering data are passed on to the electricity supplier, who is responsible for billing and serving consumers, thus acting as the data controller in this final phase of the processing operation. As a matter of fact, DSOs are already involved in the processing of personal data because they have detailed information on the status of network components, generators connected to the network and energy flows throughout the network. In some cases, the DSO outsources parts of its metering business to a metering operator (MO), an entity which offers services to install, maintain and operate metering equipment related to supply. This role might be further split into two entities, one responsible for managing the meter and another responsible for managing the metering data. In this case, the MO performs the role of the processor based on a contractual arrangement with the DSO. However, in the majority of Member States the metering sector is considered part of the distribution business, with the DSO being both the owner and the responsible party for smart meters’ roll-out and granting accessing to metering data.
Notwithstanding the leading role of DSOs in smart meters’ data management, some Member States have opted for a separate entity (central communication hub), which shall provide third parties access to metering data, decoupling the processing of data from the physical meter. In such a system, consumers’ data are stored on the smart meter installed at their premises and the central hub entity is responsible for routing (but does not store) data, gathering those from the equipment in the consumer’s premises and delivering the same to energy suppliers, DSOs and other third parties. Such a transmission can occur, pursuant to the GDPR, further to consent appropriately expressed by the data subject.
A similar allocation could apply in those Member States, who have instead adopted a communication structure based on a middleware (the “data concentrator”, or “data aggregator”), located at medium voltage/low voltage substations, which works as a communication gateway between the data management system and the smart meters. The data concentrator collects information and data, often from multiple meters, in a particular geographical area before communicating the data to a central database for billing, troubleshooting and analysing. Concentrators are heavily used in densely-populated areas.
Rights of the Data Subject
The GDPR includes a wide range of rights for data subjects, some brand new, some existing already under the Data Protection Directive but enhanced by the reform.
Amongst the existing rights, the right to be informed when personal data are being collected and processed, the right of access as well as the right to object to certain processing activities (including profiling) and to automated individual decision-making are relevant in the smart metering systems’ context. Amongst the new rights, the right to data portability is also likely to be of relevance when smart meters are fully operational.
Article 20 (1) f) of the recast Electricity Directive reflects Article 14 of the GDPR listing the information to be provided by the data controller where personal data are collected from the data subject. In particular, appropriate information on the energy consumption and on the collection and processing of personal data shall be given at the time of installation of the smart meter. As regards the minimum details of the information notice, the provision explicitly refers to applicable Union data protection legislation.
Article 20 (1) e) of the Directive establishes the right for the customer to access his/her metering data on electricity input and off-take, while Article 23 (4) specifies that such access should be free of charge for final customers. Article 20 describes the minimum principles to be observed when smart metering systems are designed and implemented. Data protection measures enabling provision of information and availability of metering data constitute therefore a set of minimum functionalities to be integrated in all smart metering systems. That is a clear reference to the “data protection by design” principle under the GDPR.
However, the right of access to consumer’s data shall be also guaranteed to all eligible third parties under the Directive, in a non-discriminatory manner and simultaneously, so as to ensure that the system works properly. Eligible parties’ access finds its legal basis in Article 23 (2), which stipulates that, independently of the data management model chosen by the Member State, the party or parties responsible for data management shall provide any eligible party access to the data of the final customer, subject to the latter’s explicit consent. Access to consumers’ data by eligible parties may not be free of charge according to paragraph 4. Nevertheless, the Directive places an obligation on Member States to set the relevant access costs in order to ensure that regulated entities that provide data services do not profit from that activity.
Finally, Article 20 (1) GDPR defines the right of data portability as “the right to receive the personal data, which the data subject has provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the data have been provided”. Accordingly, data portability is the right of the data subject to receive a subset of the personal data processed by a data controller concerning him/her, and to store those data for further personal use. In addition, that right allows data subjects to transmit personal data from one data controller to another “without hindrance”. As regards the type of personal data concerned, the first condition for the exercise of this right is that the data pertain to the data subject, while the second condition is that the data have been provided by the data subject to the data controller.
The Article 29 Data Protection Working Party (WP29) has clarified in its Guidelines that data that fall within the definition of data “provided by” the data subject are not only the “data actively and knowingly provided by the data subject” but include also those personal data that are observed from the activities of users such as raw data processed by smart meters. In the smart meters’ context, the data subject is therefore entitled to exercise his/her right to data portability only with respect to his/her usage data regularly generated by the metering system and simply collected by the data controller, without being processed or manipulated by the latter. As a result, data that are created by the data controller using the data observed or directly provided as input, such as a user profile designed by analysis of the raw smart metering data collected, do not appear to fall within the definition of data “provided by” the data subject.
The GDPR places some requirements on data controllers for the format to be used in data transfers to other data controllers when the data subject exercises his/her right of portability. More specifically, personal data must be provided “in a structured, commonly used and machine-readable format”. The terms “structured”, “commonly used” and “machine-readable” are a set of minimal requirements that should facilitate the interoperability of the data format provided by the data controller. Given the wide range of data types that might be processed and the specificities of each sector, the GDPR does not provide specific recommendations as to the data format, thus leaving it to each industry to develop the common set of interoperable standards and patterns to deliver the minimum requirements of the right to data portability.
Welcoming the industry-focus approach, the recast Electricity Directive outlines the minimum features the format for metering data transmission should have. Article 20 (1) e) stipulates that “metering data on electricity input and off-take shall be made available via a local standardised interface and/or remote access in an easily understandable format, allowing customers to compare deals on a like-for-like basis”. Here the primary aim of data portability seems to be price comparability, to facilitate service switching and enhance competition between services. This provision closely mirrors Article 24 of that Directive, which requires Member States to develop a common data format and a transparent procedure for eligible parties to have access to the consumers’ data. Here too, competition is the driver since the data format is conceived to ensure that energy utilities active on the retail market get simultaneous and non-discriminatory access to final costumers’ data. However, the Directive does not establish a minimum set of specifications for eligible parties’ access data format. That shall be defined by the Member States and then by the Commission, who is explicitly called on to determine a common European Data format that will replace the ones adopted at national level.
DPIA in Smart Meters’ roll-out
The Data Protection Impact Assessment (DPIA) is a tool designed to describe the envisaged processing operations carried out by an organisation during its activities in order to evaluate the origin, nature, particularity and severity of risks of these operations to the rights and freedoms of the data subjects. The outcome of the assessment helps to determine the appropriate measures to be taken to mitigate the risks and demonstrate that the processing of personal data complies with data protection requirements.
In its first Recommendation on the roll-out of smart metering systems issued in 2012, the Commission called on Member States to adopt and apply a template for DPIA that should be developed by the Commission and submitted to the WP29 for its opinion. In 2013, the Commission submitted to the WP29 the first version of the DPIA template prepared by a dedicated expert group under the Smart Grid Task Force. In its opinion, the WP29 welcomed the objectives identified by the template but expressed concerns on various parts and invited the Commission to revise it. A new version of the template was subsequently submitted to the WP29. The WP29’s final opinion issued in December 2013 recognized the improvements with respect to the previous version and recommended to organise a test case with some real cases. After having taken into account these final comments of the WP29, the Commission issued a Recommendation to promote the adoption of the template.
While having been issued before the formal adoption of the GDPR, both the Commission Recommendation and the Opinion of the WP29 are fully in line with it. However, no obligation to ensure that a DPIA is carried out is imposed on the Member States, given that the Data Protection Directive established the discretional nature of performing a smart meter’s DPIA. On the contrary, the GDPR renders the DPIA mandatory under certain conditions and calls on competent supervisory authorities to impose fines in case of failure to carry out a DPIA when required. According to the GDPR, a DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. In order to ensure a consistent interpretation of the circumstances in which a DPIA is mandatory, the WP29 Guidelines, adopted in April 2017 and further revised in October 2017, clarify this notion and provide criteria for the development of a common EU list of processing operations for which a DPIA is obligatory.
The more criteria the processing meet, the more likely it is to present a high risk to data subjects and therefore to require a DPIA. Of the nine criteria identified by the 2017 Guidelines in this respect, at least three seem applicable to the operation of smart meters. In particular, the evaluation or scoring criterion, including profiling and predicting, is fully applicable to smart meters insofar metering data help utility companies building behavioural or marketing profiles based on consumers’ energy usage. Data processed on a large-scale criterion is also likely to be relevant in the smart meters’ context. Smart meters register consumption data at short, regular intervals and ensure their timely transmission to the data controllers or concentrators which, in turn, organise the huge volume of data received from users in a specific geographical area in aggregated forms for the efficient maintenance of the grid and for allowing energy utilities to adjust their energy production accordingly. Finally, the innovative use/application of new technological or organisational solutions criterion is undoubtedly of relevance in the deployment of smart metering systems, to the extent that this can involve novel forms of data collection and usage that have unknown, significant impacts on individuals’ daily lives, depending on the data management model adopted at national level.   
In addition, still in the context of the new technology product criterion, another privacy concern that might trigger the need to carry out a DPIA may be the case of a piece of hardware or software, where this is likely to be used by different data controllers to carry out various processing operations. The data controller remains certainly obliged to carry out its own DPIA with regard to the specific implementation of the new product, but this can be informed by a DPIA prepared by the product provider. In smart meters, the above applies to the relationship between manufacturers of smart meters and DSOs or utility companies. Each product provider or processor should share useful information with neither compromising secrets nor leading to security risks by disclosing vulnerabilities.
Once the assessment of the criteria has been completed and the existence of an obligation to carry out a DPIA has been ascertained, the process can be initiated, possibly according to the procedure identified in the DPIA template developed by the Smart Grid Task Force. The generic iterative process consists of several procedural steps going from the identification of necessary resources and constitution of the DPIA team, to the description of the smart grid/metering systems and the identification and assessment of relevant and residual risks to be concluded with the drafting of the DPIA report and the development of measures for reviewing and maintenance.
Conclusions
Smart metering systems are becoming one of the primary tools to promote participatory processes and decentralization which are at the heart of the energy transition and the development of new energy services. A massive deployment of smart meters is expected in the near future, after the Third Energy Package made the roll-out compulsory, should the economic assessment be positive, and the Winter Package put it at the centre of its reform as a key instrument to empower energy consumers. The potential privacy risks posed by their implementation need to be tackled with highest priority. It is in fact essential that consumers have access to trusted mechanisms to manage their energy data and create value with it, while being in complete control of their private environment and behavioural habits.
For years, there was no specific binding legislation devoted to data protection in smart metering systems, while a number of soft-law instruments were adopted to balance energy policy goals with data protection concerns. In recent years, the EU legislator has started paying special attention to personal data protection in smart meters’ deployment, and some important progress has been made as a result, starting with the development of the DPIA template.
Today, the development of standards and safeguards for data protection and security in smart meters’ roll-out is a major objective in the EU. Against the background of the recently adopted GDPR, a specific data protection and security framework for smart meters has been proposed in the recast Electricity Directive. The aim is to embed relevant GDPR provisions in the new text and tailor those to the needs and specificities of smart meters’ implementation and functioning. It follows that a new, comprehensive legal framework to ensure high level of personal data protection in smart metering systems is being shaped, which is expected to lead to greater trust and confidence of energy consumers and, in turn, to their increased participation in the decentralisation process.

Photo credit: Utility Week

9 comments:

  1. You can have all the legislation required but when the regulator of such legislation is corrupt and designed to ensure that the energy companies are not held to account, it's just window dressing. Which is the case in ireIrel

    ReplyDelete
    Replies
    1. Ray, GDPR is a Directive; meaning compliance with it and accountability for it is mandatory. Legislation refers to the laws that are enacted by the legislature or a law that is in process of being enacted, while regulations are the process of monitoring and enforcing a law as well as a document that contains the details of a written rule. These two should not be confused as they are completely different from each other. Also, go easy on your homeland. Respect.

      Delete
    2. The "R" in GDPR stands for Regulation. It isn't a Directive. The GDPR replaces old legislation, which was itself a Directive. While you're right to suggest they shouldn't be confused, you have, in fact, confused them.

      Delete
    3. All the references to Directives in this blog post are to electricity legislation, which is separate from the GDPR. The issue is how the GDPR and those Directives interact.

      Delete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete
  4. This comment has been removed by a blog administrator.

    ReplyDelete
  5. This comment has been removed by a blog administrator.

    ReplyDelete
  6. This comment has been removed by a blog administrator.

    ReplyDelete