Data protection and smart meters: the GDPR and the ‘winter package’ of EU clean energy law

Alessandra Fratini and Giulia Pizza, FratiniVergano, European Lawyers - a Brussels-based law firm specialising in European and international law

Introduction

On 30 November 2016, the Commission launched the “Clean Energy for All Europeans” legislative package, aimed at modernizing the European electricity market and facilitating the transition to more decentralized, clean energy solutions. “Decentralization” is seen as a driver for innovation and the key factor for rebalancing energy actions in favour of a demand-driven policy, where consumers are equipped with the right tools to actively participate in this paradigm shift. Smart metering systems are one of the “right tools” for consumer empowerment, as they allow users to make decisions about their energy consumption by reacting to real-time tariffs.

The proper functioning of smart meters requires that a significant amount of sensing data be collected and processed by eligible parties and made available to entitled stakeholders. That generates data protection challenges and creates new risks for the data subjects with a potential impact in areas (e.g. price discrimination, profiling, household security) previously absent in the energy sector. While the General Data Protection Regulation (GDPR) provides the general legal framework for ensuring privacy and data protection of final consumers in the context of the smart meters’ roll-out, the Commission’s proposal for a recast of the Electricity Directive (which is part of the “Clean Energy for All Europeans” package and specifically regulates smart meters’ deployment) includes detailed provisions to ensure that data protection issues are properly tackled. It is understood that, once adopted, the latter would act as lex specialis with reference to the generally applicable GDPR provisions.

After an overview of the evolution of smart meters in EU law, this article reviews the challenges that smart metering systems pose to the protection of personal data and how these can be addressed under the GDPR provisions, read in conjunction with the specific requirements on data protection foreseen in the recast Electricity Directive.

Smart Metering Systems in EU law

Smart meters are electronic devices that record real-time production and consumption of electricity and communicate that information to the utility operator for monitoring and billing. Smart meters allow consumers to adapt their consumption – in time and volume - to real-time energy prices, thereby helping them to manage their usage more effectively and, conceivably, save money.

The deployment of smart meters is expected to improve customer service, with more accurate billing, easier and quicker switching between payment methods. It will also increase the opportunities for consumers who produce their own energy to respond to prices and sell excess to the grid.

The idea of equipping consumers with intelligent systems allowing them to manage their energy consumption was developed in the 2006 Energy Service Directive (ESD) and later taken up in the (still in force) 2009 Third Energy Package, which marked a turning point in the energy market integration process within the EU. With the third package, in fact, the focus shifted to the development of an effective retail market, with specific measures being designed to grant energy consumers a number of rights, such as the right to switch energy providers and receive clear energy bills. It is exactly from the perspective of consumer empowerment that the 2009 Electricity Directive strongly promotes the use of intelligent metering systems for the long-term benefit of consumers.

In line with the same spirit, the 2012 Energy Efficiency Directive (EED) includes a comprehensive set of measures on metering and billing with a view to extending the scope and further clarifying the provisions foreseen in the Third Package and in the ESD. In addition, for the first time, the EED touches upon data privacy and security in the installation of smart meters and foresees, among the obligations imposed on Member States, compliance with relevant Union data protection and privacy legislation.

Finally, the 2016 Clean Energy Package, also known as the “Winter Package”, further fits into this picture. The Commission acknowledged that it was time to update the existing framework to make it compatible with the higher levels of flexibility and decentralisation of today’s energy sector, and to create the enabling environment to facilitate the “paradigm shift” to a more competitive and consumer-centred market structure.

In particular, the proposal for a recast of the Electricity Directive introduces new rights to empower and better protect end users, such as the right to clearer billing information and certified comparisons tools, the entitlement to a dynamic price contract, the possibility to engage in demand-response and in self-generation of electricity. Smart meters are the essential tools to allow for an effective exercise of these rights. In this context, the recast Directive provides specific definitions for smart metering systems and interoperability and devotes a specific section (Articles 19-24) to smart meters’ functionalities, deployment, and data management issues.

Article 20 of the proposal sets out seven principles to be applied when rolling out smart meters. Out of those seven principles, four relate to the protection of personal data, including consumers-data subjects’ rights. In particular, points b) and c) state that security of data communication and data protection of final consumers shall be ensured in compliance with relevant Union security and data protection legislation. On data subjects’ rights, point e) stipulates that energy consumers are entitled to access metering data on their electricity input and off-take in an easily understandable format, while point f) requires Member States to ensure that consumers are duly informed at the time of installation of smart meters of the collection and processing of their personal data. 

Besides the abovementioned principles, a more specific set of provisions (Articles 23 -24 and Annex III) focuses on energy data access and management and reiterates the need to ensure the highest level of cyber-security and data protection by applying the best available techniques in the field.

Key data protection issues in smart metering systems under the GDPR and the Winter Package

A smart meter is supported by a communications network that collects and processes an increasingly high quantity of personal data and makes it available to entitled stakeholders and systems. These data are collected everywhere in the smart electricity system, including consumers’ homes and, possibly, electric vehicles. In this respect, final consumers’ trust and confidence are crucial: without proper guarantees on data protection, consumers are likely to be reluctant to take risks and might possibly dismiss innovation in favour of conventional meters.

Being the development of standards for data protection and security key to realising the full potential of smart metering in the EU, an express reference to the recently adopted GDPR is included in the section on smart meters (Article 23) of the recast Electricity Directive. Investments in smart metering technology also depend on consumer’s trust in the utilities and network operators. The draft Directive aims at stimulating consumer involvement with attractive incentives, while at the same time creating an indissoluble bond between smart meters’ technical implementation and compliance with EU data privacy and security standards.

The specificities of smart meters raise some key specific issues in relation to the application of the GDPR and the (future) recast Electricity Directive, such as the qualification of “energy data”, the allocation of responsibilities in energy data management and the rights of the data subjects.

 Qualification of “Energy data”

Smart metering systems process huge amounts of data as part of their routine technical operations. The first issue that arises is thus whether all of those data shall be regarded as personal data.

Nulla questio for registration data provided by the data subject when entering a contract for the roll-out of a smart meter, i.e. name, address and information on consumer’s billing data and payment methods, which are unquestionably “personal data”. The conclusion is less undisputable when it comes to consumer’s “energy data”, which are identified by the recast Electricity Directive as metering and consumption data, and data required for consumer switching. While these data, at first sight, might be considered as technical data and, as such, deemed to fall outside the scope of the GDPR, they are actually – and inextricably - linked with the natural person who is responsible for the metering account via a unique identifier, such as a meter identification number. These data are therefore to be regarded as personal data because they are associated with an identified or identifiable user and disclose information on his/her energy usage, thereby providing insights on the daily life of the data subject. When the data subject is a “prosumer”, i.e. a small or medium-sized agent which both consumes and produces electricity, the “energy data” refer to the amount of energy and power injected into the grid, which in turn provide information on the amount of available energy resources of the data subject.

The above reading of “energy data” as personal data would be in accordance with the GDPR, whose definition of personal data includes information revealing the economic situation of the data subject. That is all the more true, if one considers that energy data may be more or less detailed based on the consumer’s needs, as they can be designed and tailored accordingly. “Energy data” represent therefore an increasingly valuable asset not only for final consumers, who can adjust their behaviour to variable tariffs to reduce their energy expenditure, but also and especially for policy makers who have a precious instrument (consumers’ real-time feedback) at their disposal to effectively target, monitor and evaluate measures and actions in the field.

However, data gathered from smart meters can also be used for other purposes. Energy data allow for a better understanding of customer segmentation, customer behaviour and how pricing influences usage. As such, those data might be used for specific profiling exercises, e.g. to gather sensitive information on the end-user’s energy-based footprint in his/her private environment, his/her behavioural habits and preferences by analysing the information collected through the meters. Smart meters will likely have an impact on the competitive pressure within energy supply markets, as the provision of accurate and reliable data flows by the smart metering infrastructure will enable easier and quicker switching between suppliers. Accessing consumers’ data on energy preferences will therefore constitute a significant advantage for energy utilities. That is why adequate levels of protection shall be ensured during both the transmission and the processing phase, to avoid unauthorised consumer profiling based on the detailed meter readings and other possible “further” uses of those data.

In addition, the potential risks associated with the collection of detailed consumption data are likely to increase in the context of the so called “internet of things”, where energy data can be combined with data from other sources, such as geo-location data, data available through tracking and profiling on the internet, video surveillance systems and radio frequency identification (RFID) systems. The critical issue is in fact that smart meters could constitute the entrance gate to get a privileged access to the digital domain of a household.

Data management and allocation of responsibilities

As clearly established by Article 23 of the recast Electricity Directive on data exchange and management in the context of smart meters’ roll-out, any issues relating to energy data handling are to be tackled at national level. It follows that Member States, or the competent authorities, “shall organise the management of data in order to ensure efficient data access and exchange” including specifying the eligible parties which may have access to data of the final customer, provided that explicit consent is given in accordance with GDPR provisions. Eligible parties shall include at least customers, suppliers, Transmission system operators (TSOs) and Distribution system operators (DSOs), aggregators, energy service companies, and other parties which provide energy or other services to customers. This list is understood to be purely indicative and non-exhaustive, considering the highly dynamic environment of the energy sector.

The GDPR identifies characteristics and responsibilities of data controllers, processors and third parties authorised by controllers and processors to collect and process personal data. The controller is the sole responsible, alone or jointly with others, for determining the purposes and means of the processing of personal data while the processor performs the processing of personal data on behalf of the controller. The third party processes personal data under the direct authority of the controller or processor and solely if authorised to do so by those. Finally, recipient is the party to which the personal data are disclosed, whether a third party or not.

As the implementation of smart meters involves a number of actors in the processing of personal data, it is crucial to identify who, in that context, should be regarded as data controller, processor or simply an authorised third party. The allocation of roles and responsibilities might not be straightforward, since the arrangements for smart metering deployment - and consequently the data management model - are a matter to be addressed at Member States’ level and no clear guidance exists at EU level. Given the number and complexity of relationships, it is likely that there will be difficulties in applying the relevant definitions.

Nevertheless, based on the GDPR, the following set of roles and responsibilities can be identified. The controller could be defined as the “metered data responsible”, who handles metered, contractual and network data. Its responsibilities are collecting, validating, analysing and archiving historical data as well as ensuring that customers have at their disposal their consumption data and giving, by explicit agreement and free of charge, any registered supply undertaking access to its metering data. The role of the processor can be associated with that of the “metered data collector” or of the “metered data aggregator”, who are respectively responsible for meter reading and quality control of the reading and for the establishment and qualification of metered data from the metered data responsible or controller. The recast Electricity Directive proposes that the parties which are managing data be authorised and certified by the national competent authorities in order to ensure compliance with the data protection requirements. This is in line with the GDPR, which encourages Member States to establish certification mechanisms and codes of conduct to demonstrate the existence of appropriate safeguards provided by controllers or processor.

In most Member States, the DSO is the metering operator and, as such, it is the data controller in the first phase of the metering data process. The DSO´s process ends with creating a bill for network usage; in a second step, the metering data are passed on to the electricity supplier, who is responsible for billing and serving consumers, thus acting as the data controller in this final phase of the processing operation. As a matter of fact, DSOs are already involved in the processing of personal data because they have detailed information on the status of network components, generators connected to the network and energy flows throughout the network. In some cases, the DSO outsources parts of its metering business to a metering operator (MO), an entity which offers services to install, maintain and operate metering equipment related to supply. This role might be further split into two entities, one responsible for managing the meter and another responsible for managing the metering data. In this case, the MO performs the role of the processor based on a contractual arrangement with the DSO. However, in the majority of Member States the metering sector is considered part of the distribution business, with the DSO being both the owner and the responsible party for smart meters’ roll-out and granting accessing to metering data.

Notwithstanding the leading role of DSOs in smart meters’ data management, some Member States have opted for a separate entity (central communication hub), which shall provide third parties access to metering data, decoupling the processing of data from the physical meter. In such a system, consumers’ data are stored on the smart meter installed at their premises and the central hub entity is responsible for routing (but does not store) data, gathering those from the equipment in the consumer’s premises and delivering the same to energy suppliers, DSOs and other third parties. Such a transmission can occur, pursuant to the GDPR, further to consent appropriately expressed by the data subject.

A similar allocation could apply in those Member States, who have instead adopted a communication structure based on a middleware (the “data concentrator”, or “data aggregator”), located at medium voltage/low voltage substations, which works as a communication gateway between the data management system and the smart meters. The data concentrator collects information and data, often from multiple meters, in a particular geographical area before communicating the data to a central database for billing, troubleshooting and analysing. Concentrators are heavily used in densely-populated areas.

Rights of the Data Subject

The GDPR includes a wide range of rights for data subjects, some brand new, some existing already under the Data Protection Directive but enhanced by the reform.

Amongst the existing rights, the right to be informed when personal data are being collected and processed, the right of access as well as the right to object to certain processing activities (including profiling) and to automated individual decision-making are relevant in the smart metering systems’ context. Amongst the new rights, the right to data portability is also likely to be of relevance when smart meters are fully operational.

Article 20 (1) f) of the recast Electricity Directive reflects Article 14 of the GDPR listing the information to be provided by the data controller where personal data are collected from the data subject. In particular, appropriate information on the energy consumption and on the collection and processing of personal data shall be given at the time of installation of the smart meter. As regards the minimum details of the information notice, the provision explicitly refers to applicable Union data protection legislation.

Article 20 (1) e) of the Directive establishes the right for the customer to access his/her metering data on electricity input and off-take, while Article 23 (4) specifies that such access should be free of charge for final customers. Article 20 describes the minimum principles to be observed when smart metering systems are designed and implemented. Data protection measures enabling provision of information and availability of metering data constitute therefore a set of minimum functionalities to be integrated in all smart metering systems. That is a clear reference to the “data protection by design” principle under the GDPR.

However, the right of access to consumer’s data shall be also guaranteed to all eligible third parties under the Directive, in a non-discriminatory manner and simultaneously, so as to ensure that the system works properly. Eligible parties’ access finds its legal basis in Article 23 (2), which stipulates that, independently of the data management model chosen by the Member State, the party or parties responsible for data management shall provide any eligible party access to the data of the final customer, subject to the latter’s explicit consent. Access to consumers’ data by eligible parties may not be free of charge according to paragraph 4. Nevertheless, the Directive places an obligation on Member States to set the relevant access costs in order to ensure that regulated entities that provide data services do not profit from that activity.

Finally, Article 20 (1) GDPR defines the right of data portability as “the right to receive the personal data, which the data subject has provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the data have been provided”. Accordingly, data portability is the right of the data subject to receive a subset of the personal data processed by a data controller concerning him/her, and to store those data for further personal use. In addition, that right allows data subjects to transmit personal data from one data controller to another “without hindrance”. As regards the type of personal data concerned, the first condition for the exercise of this right is that the data pertain to the data subject, while the second condition is that the data have been provided by the data subject to the data controller.

The Article 29 Data Protection Working Party (WP29) has clarified in its Guidelines that data that fall within the definition of data “provided by” the data subject are not only the “data actively and knowingly provided by the data subject” but include also those personal data that are observed from the activities of users such as raw data processed by smart meters. In the smart meters’ context, the data subject is therefore entitled to exercise his/her right to data portability only with respect to his/her usage data regularly generated by the metering system and simply collected by the data controller, without being processed or manipulated by the latter. As a result, data that are created by the data controller using the data observed or directly provided as input, such as a user profile designed by analysis of the raw smart metering data collected, do not appear to fall within the definition of data “provided by” the data subject.

The GDPR places some requirements on data controllers for the format to be used in data transfers to other data controllers when the data subject exercises his/her right of portability. More specifically, personal data must be provided “in a structured, commonly used and machine-readable format”. The terms “structured”, “commonly used” and “machine-readable” are a set of minimal requirements that should facilitate the interoperability of the data format provided by the data controller. Given the wide range of data types that might be processed and the specificities of each sector, the GDPR does not provide specific recommendations as to the data format, thus leaving it to each industry to develop the common set of interoperable standards and patterns to deliver the minimum requirements of the right to data portability.

Welcoming the industry-focus approach, the recast Electricity Directive outlines the minimum features the format for metering data transmission should have. Article 20 (1) e) stipulates that “metering data on electricity input and off-take shall be made available via a local standardised interface and/or remote access in an easily understandable format, allowing customers to compare deals on a like-for-like basis”. Here the primary aim of data portability seems to be price comparability, to facilitate service switching and enhance competition between services. This provision closely mirrors Article 24 of that Directive, which requires Member States to develop a common data format and a transparent procedure for eligible parties to have access to the consumers’ data. Here too, competition is the driver since the data format is conceived to ensure that energy utilities active on the retail market get simultaneous and non-discriminatory access to final costumers’ data. However, the Directive does not establish a minimum set of specifications for eligible parties’ access data format. That shall be defined by the Member States and then by the Commission, who is explicitly called on to determine a common European Data format that will replace the ones adopted at national level.

DPIA in Smart Meters’ roll-out

The Data Protection Impact Assessment (DPIA) is a tool designed to describe the envisaged processing operations carried out by an organisation during its activities in order to evaluate the origin, nature, particularity and severity of risks of these operations to the rights and freedoms of the data subjects. The outcome of the assessment helps to determine the appropriate measures to be taken to mitigate the risks and demonstrate that the processing of personal data complies with data protection requirements.

In its first Recommendation on the roll-out of smart metering systems issued in 2012, the Commission called on Member States to adopt and apply a template for DPIA that should be developed by the Commission and submitted to the WP29 for its opinion. In 2013, the Commission submitted to the WP29 the first version of the DPIA template prepared by a dedicated expert group under the Smart Grid Task Force. In its opinion, the WP29 welcomed the objectives identified by the template but expressed concerns on various parts and invited the Commission to revise it. A new version of the template was subsequently submitted to the WP29. The WP29’s final opinion issued in December 2013 recognized the improvements with respect to the previous version and recommended to organise a test case with some real cases. After having taken into account these final comments of the WP29, the Commission issued a Recommendation to promote the adoption of the template.

While having been issued before the formal adoption of the GDPR, both the Commission Recommendation and the Opinion of the WP29 are fully in line with it. However, no obligation to ensure that a DPIA is carried out is imposed on the Member States, given that the Data Protection Directive established the discretional nature of performing a smart meter’s DPIA. On the contrary, the GDPR renders the DPIA mandatory under certain conditions and calls on competent supervisory authorities to impose fines in case of failure to carry out a DPIA when required. According to the GDPR, a DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. In order to ensure a consistent interpretation of the circumstances in which a DPIA is mandatory, the WP29 Guidelines, adopted in April 2017 and further revised in October 2017, clarify this notion and provide criteria for the development of a common EU list of processing operations for which a DPIA is obligatory.

The more criteria the processing meet, the more likely it is to present a high risk to data subjects and therefore to require a DPIA. Of the nine criteria identified by the 2017 Guidelines in this respect, at least three seem applicable to the operation of smart meters. In particular, the evaluation or scoring criterion, including profiling and predicting, is fully applicable to smart meters insofar metering data help utility companies building behavioural or marketing profiles based on consumers’ energy usage. Data processed on a large-scale criterion is also likely to be relevant in the smart meters’ context. Smart meters register consumption data at short, regular intervals and ensure their timely transmission to the data controllers or concentrators which, in turn, organise the huge volume of data received from users in a specific geographical area in aggregated forms for the efficient maintenance of the grid and for allowing energy utilities to adjust their energy production accordingly. Finally, the innovative use/application of new technological or organisational solutions criterion is undoubtedly of relevance in the deployment of smart metering systems, to the extent that this can involve novel forms of data collection and usage that have unknown, significant impacts on individuals’ daily lives, depending on the data management model adopted at national level.   

In addition, still in the context of the new technology product criterion, another privacy concern that might trigger the need to carry out a DPIA may be the case of a piece of hardware or software, where this is likely to be used by different data controllers to carry out various processing operations. The data controller remains certainly obliged to carry out its own DPIA with regard to the specific implementation of the new product, but this can be informed by a DPIA prepared by the product provider. In smart meters, the above applies to the relationship between manufacturers of smart meters and DSOs or utility companies. Each product provider or processor should share useful information with neither compromising secrets nor leading to security risks by disclosing vulnerabilities.

Once the assessment of the criteria has been completed and the existence of an obligation to carry out a DPIA has been ascertained, the process can be initiated, possibly according to the procedure identified in the DPIA template developed by the Smart Grid Task Force. The generic iterative process consists of several procedural steps going from the identification of necessary resources and constitution of the DPIA team, to the description of the smart grid/metering systems and the identification and assessment of relevant and residual risks to be concluded with the drafting of the DPIA report and the development of measures for reviewing and maintenance.

Conclusions

Smart metering systems are becoming one of the primary tools to promote participatory processes and decentralization which are at the heart of the energy transition and the development of new energy services. A massive deployment of smart meters is expected in the near future, after the Third Energy Package made the roll-out compulsory, should the economic assessment be positive, and the Winter Package put it at the centre of its reform as a key instrument to empower energy consumers. The potential privacy risks posed by their implementation need to be tackled with highest priority. It is in fact essential that consumers have access to trusted mechanisms to manage their energy data and create value with it, while being in complete control of their private environment and behavioural habits.

For years, there was no specific binding legislation devoted to data protection in smart metering systems, while a number of soft-law instruments were adopted to balance energy policy goals with data protection concerns. In recent years, the EU legislator has started paying special attention to personal data protection in smart meters’ deployment, and some important progress has been made as a result, starting with the development of the DPIA template.

Today, the development of standards and safeguards for data protection and security in smart meters’ roll-out is a major objective in the EU. Against the background of the recently adopted GDPR, a specific data protection and security framework for smart meters has been proposed in the recast Electricity Directive. The aim is to embed relevant GDPR provisions in the new text and tailor those to the needs and specificities of smart meters’ implementation and functioning. It follows that a new, comprehensive legal framework to ensure high level of personal data protection in smart metering systems is being shaped, which is expected to lead to greater trust and confidence of energy consumers and, in turn, to their increased participation in the decentralisation process.

Photo credit: Utility Week

The Essent judgment: Another revolution in the case law on free movement of goods?

Filippo Fontanelli, Lecturer in International Economic Law, University of Edinburgh

Introduction

On 11 September 2014, the Court of Justice of the EU delivered the judgment in the Essent case (Joined Cases C-204 to C-208/12, not to be confused with Case -91/13, also named Essent, of the same day). The judgment contains a delicate assessment of proportionality involving several interlaced interests: promotion of free energy trade, protection of the environment and human health, compliance with international commitments on emission-reduction, promotion of local employment, and incentives to achieve energy self-sufficiency.

If this maelstrom of values were insufficient to raise the interest of the readership, the judgment has also a purely doctrinal undertone. Indeed, the Court appears to ignore – deliberately – the summae divisiones which it itself has maintained for decades between distinctly and indistinctly applicable measures, as well as between justifications under Article 36 TFEU (which set the explicit Treaty-based grounds for restricting the free movement of goods) and other mandatory requirements (the other grounds for restricting such free movement). Thousands of EU law academics might now need to finally drop the standard exam-questions on “Measures equivalent to a quantitative restriction (MEQRs) from Cassis to Keck and beyond” yearly rephrased and administered since time immemorial: it might turn out that, after all, Cassis is no longer good law.

The case

The facts of the main proceedings relate to a complex domestic regulatory regime which, in turn, implements devilishly detailed EU acts. However, the crux of the dispute is easily summarised: a Flemish Regional scheme requires energy suppliers connected to the electricity grid to demonstrate the use of a certain amount of renewable energy, on pain of a hefty penalty. Only locally produced green energy counts toward that quota, hence suppliers cannot use green energy produced abroad to prove compliance.

Essent could have met or at least approached the quota had it been allowed to factor in the calculation renewable energy that it had sourced from Norway, Denmark, Sweden and the Netherlands, but it was not. It then incurred a series of yearly sanctions, and challenged them repeatedly before the Belgian courts. The Belgian judges raised a preliminary question to the Court of Justice asking, essentially, whether the discriminatory treatment of foreign green energy towards the fulfilment of the compulsory quota is in violation of the treaty obligations regarding freedom of movement of goods and the prohibition of discrimination based on nationality.

[Skip to the next section if you arrived to this post by Googling “mandatory requirements” and you must submit your essay three hours from now. For the others, a few words on the legal context of the dispute.]

Directive 2001/77 (governing the facts of the main proceedings, now replaced by Directive 2009/28) recognizes that renewable energies are underused in the Union, an unfortunate circumstance given that the development of a green energy industry could, at once, alleviate the dependence of EU countries from foreign supply, contribute to the fulfilment of the climate-change commitments entered into under the Kyoto protocol, and foster local employment policies. Therefore, the EU encourages national schemes supporting the consumption of renewable energy, without harmonising them. Better, “until a [Union] framework is put into operation”, which is presumably in the works (see recital 14 of the Preamble of Directive 2001/77).

In order to facilitate the trade in green energy, the Directive established a compulsory system of certification, whereby energy derived from renewable sources is entitled to a “guarantee of origin”. Guarantees of origin issued in EU members are mutually recognized across the Union.

National support schemes can provide various incentives to facilitate the production and consumption of green energy. Typically, benefits are available only to producers and suppliers handling green energy, which necessarily hold the relative guarantees of origin. However, member states are not required to make the specific benefits dependent on the possession of the guarantees. The Preamble of the Directive is clear in this sense: “[s]chemes for the guarantee of origin do not by themselves imply a right to benefit from national support mechanisms established in different Member States”. Guarantees of origin are therefore necessary but possibly insufficient conditions to enjoy national incentives.

The Flemish scheme implementing the Directive, for instance, is premised on the possession (and periodic surrendering) of “green certificates”. Green certificates are granted to producers of green energy based in the Flemish region, which sell them alongside the energy. Suppliers are under an obligation to surrender a certain quota of green certificates to avoid sanctions. At the stage of surrendering, guarantees of origin attached to green energy purchased abroad cannot substitute for the missing green certificates to fill the quota.

A provision of the relevant Flemish Decree envisages the possibility for the Flemish government to accept non-Flemish certificates for the purpose of filling the quota, but no implementing act has been adopted to regulate this possibility, which therefore remained wishful thinking.

The Flemish scheme was challenged under the Directive, under Article 34 TFEU prohibiting measures equivalent to quantitative restrictions (MEQRs), and under Article 18 TFEU prohibiting discrimination based on nationality.

The Directive clearly does not require Member States to link support schemes to guarantees of origin. It simply requires States to issue them and recognize them across the Union, so that consumers are always informed of the green-ness (or lack thereof) of the energy they purchase.

The real challenge to the Flemish scheme was brought under Article 34 TFEU. The domestic measure encourages suppliers operating in the Flemish regions to buy renewable energy from local producers, as equally green foreign energy is unusable towards fulfilment of the quota. Local green energy is artificially made more precious, because of the green certificates it is associated with, which rational producers must crave, to avoid fines. The restrictiveness of the scheme was plainly acknowledged by the Court (para. 83), although it focused on the trade of electricity rather than the trade of guarantees of origin, an impossibly murky issue that would have required determining whether intangible guarantees qualify as “goods”.

The Court therefore examined whether the scheme was justifiable “on one of the public interest grounds listed in Article [34 TFEU] or by overriding requirements” and whether it satisfied the test of proportionality (para. 89).

The purpose of the scheme was found in the promotion of the use of renewable sources for producing energy (para. 95). This legitimate purpose does not feature in Art. 36 TFEU and therefore, by exclusion, was provisionally accepted by the Court under the doctrine of the rule of reason. Under this principle, domestic measures setting mandatory requirements on goods, which restrict inter-state trade, are justified if they pursue a reasonable policy objective and the restriction entailed is not disproportionate to the contribution made towards that objective. Mandatory (or “overriding”) requirements are not limited to the values listed in Art. 36 TFEU, and routinely include objectives such as consumer interests and environmental protection. In its customary incarnation, the rule of reason can only be used to justify rules that do not discriminate according to the origin of the goods.

The reasoning of the Court on the proportionality of the Flemish scheme is not linear, but proceeds by accumulation. It essentially lists the reasons why the scheme is not as vicious as Essent would claim, invoking contextual elements, policy considerations and semantic tricks. In short, the Courts makes the following remarks, which I briefly assess in the brackets.

Essent claimed that the Flemish scheme does not encourage the consumption of green energy, but only its production. The Court objected (para. 98) that this is normal, as the greenness of energy relates precisely to its method of production (This is a massive non sequitur. If taken seriously, this would mean that green energy might as well be wasted after production, as the benefit to the environment was done already. To the contrary, the only raison d’être of renewable energy is that it is supposed to supplant the consumption of non-renewable energy).

The Court also noted that Member States are allowed by the Directive to set national targets of production of green energy (para. 99), suggesting perhaps that the discrimination inherent in the support scheme was dictated by the concern to achieve these targets (This suggestion is misleading. Whether its motivation is allowed or not by EU law has nothing to do with the EU-compliance of the Flemish measure).

The Court answered also the most difficult question. If the Flemish scheme genuinely aims to increase the production of green energy for environmental purposes, how come it does in fact discourage the purchase of green energy produced abroad, by refusing to accept foreign guarantees of origin as substitutes of Flemish green certificates? The brief answer is worthy of a Sibyl: “it should be observed that the starting points, the renewable energy potential and the energy mix of each Member State vary” (para. 100) (This is too obscure to attempt a reading. Suffice it to say that because guarantees of origin are subject to mutual recognition under the Directive, one would presume that these alleged variations are capable of being taken into account to certify the green nature of the energy, therefore an equivalence between Flemish certificates and any other guarantee is arguably possible to concoct).

Finally, the Court noted (para. 101) that national support schemes are important to achieve the objectives of the Directive (irrelevant per se) and that “it is essential that Member States be able to control the effect and costs of their national support schemes according to their potential, whilst maintaining investor confidence” (para. 102) (With a bit of effort, one can see why discrimination is justified: Member States do not want to make available to all EU producers subsidies whose cost is “ultimately [borne] by the [local] consumers” (para. 107). Also, they cannot suddenly withdraw support schemes when it turns out that they operate mainly for the benefits of foreign producers: investor claims would follow and hit hard).

“In the light of the foregoing,” the Flemish scheme was found to be proportionate, and therefore compliant with Article 34 TFEU (para. 103).

The Court then extended the proportionality analysis to other accessory elements of the schemes. It considered the penalties imposed, leaving it to the national judge to assess their proportionality to the sought objective (para. 114). It also speculated on the fairness of the market of green certificates that can fulfil the compulsory quotas, whose supply is artificially restricted. The Court therefore advocated the establishment of mechanisms under which these certificates can be traded “under fair terms” (para. 111). The irony of the last remark is highlighted in the comments below.

Comments

The Court nonchalantly applied a mandatory requirement to a facially discriminatory measure, sending Cassis to the museum of judge-made law no longer in force, and tacitly ignoring the exhaustiveness of Article 36 TFEU. It conflated overriding requirements and values listed in Article 36 TFEU into a single pool of excuses.

The passing reference to the contribution of reduced emissions to human health (para. 93) should not mislead: if human health hat were indeed the relevant objective of the Flemish scheme, it would have been at the centre of the ensuing proportionality test (just to mention one element, there should have been an analysis of the Flemish scheme’s contribution to increased health protection). That the quota has discriminatory effects which hinder trade was also undoubtable.

Therefore, a distinctly applicable measure was justified on the basis of a public interest other than those listed in Article 36 TFEU. This had also been the case in the parallel case of Ålands Vindkraft, C‑573/12, on which the Court delivered its judgment on 1 July 2014; see paras. 76-77 (the Opinion of this case was also prepared by Bot, and delivered shortly after his Opinion in Essent). Indeed, the Court has seemingly lost interest in making a big deal of the difference between discrimination de jure and discrimination de facto.

Advocate Bot had suggested the Court to abandon the distinction and expressly overturn its previous case-law. The Court did the former but not the latter, suddenly dropping a carefully constructed judicial test that it itself had devised in the wild years of Article 34 TFEU to accommodate reasonable policies which fell outside the scope of Article 36 TFEU.

That direct and indirect discrimination should be treated alike makes perfect sense. This is, for instance, the practice in the GATT, the agreement regulating the removal of trade barriers for trade in goods in the WTO regime. Treating them differently, for instance allowing one to be justified by excuses that do not apply to the other, is irrational: the hindering effect of de jure or de facto discriminatory measures can be identical in the facts, and a harsher treatment of direct discrimination serves only as an incentive for Member States to disguise discrimination on the basis of nationality within the folds of maliciously designed neutral measures.

However, there was some intuitive value to the bygone distinction: direct discrimination is prima facie illegal and must be hard(er) to justify. Think of the judgment in Test-Achats, which does not even attempt to look at a justification for gender-based direct discrimination. In fact, as registered by AG Kokott in the Opinion to that case (para. 59), justifications based on statistical data can support a proportionality assessment of indirect discrimination but cannot suffice to excuse direct discrimination.

In his proposal, AG Bot had reflected this concern, calling for a reinforced test of proportionality applicable to distinctly applicable measures: the reasons advanced to justify direct discrimination must be of particular weight. See at para. 94: “I think that discriminatory measures, particularly those which infringe a principle as fundamental as that of the prohibition of direct discrimination on grounds of nationality, ought to be subject to a strict requirement of proportionality” (emphasis added).

The Court did not deem it necessary to devise a reinforced (“strict”) proportionality test and, in my view, this might have contributed to a puzzling proportionality analysis, which features several controversial passages.

In short, by applying the routine test of proportionality the Court focused on the pursued objective (protection of the environment through increased production of green energy). In so doing, the discriminatory (and trade-restrictive) nature of the Flemish scheme was side-lined in the analysis. Once a decent contribution to the environment was somewhat found, it was downhill from there. The happy run of proportionality apparently skipped the stop of necessity: was there a less restrictive measure available for Flemish authorities to encourage the consumption and production of green energy? Yes there was: the interchangeability of green certificates and foreign guarantees of origin would have averted trade-restriction and promoted environmental protection even more than the Flemish scheme could possibly do.

The measure can only appear proportionate if the elective purpose is another unconfessed one, which is itself somewhat discriminatory. For instance, it could be argued that the growth and operation of a local green-energy industry is the real purpose, and therefore no alternative policy is available: any infant industry policy inherently involves some deal of temporary protectionism, but is for a good cause. The Court, however, did not resort to this “lesser-evil” reasoning, and pretended that discrimination is fully justified by the environmental purpose of the measure at large.

The irony of the finding is the after-thought of the Court with respect to the fairness of the market for green certificates. By virtually banning substitutable foreign certificates, the Flemish government is providing absolute protection to local producers, which might be few in number and, by definition, have the luxury of setting a higher price than they could if an undistorted transnational market were in function. Formally, there is no ban, but the value of local certificates is artificially inflated by the Flemish schemes, and makes it inconvenient for energy-suppliers to purchase green energy from abroad. This is a textbook example of a market distorted by protectionism, where demand is forced to opt for the local product, and foreign competitors are treated much less favourably. The Court concedes that buyers of green certificates, which need to comply with a compulsory quota, might find it unfair that the supply of certificates is artificially restricted to the collective monopoly of local producers, which can charge above-market prices. Local content requirements such as those envisaged by the Flemish scheme constitute a prototypical instrument of protectionism, and not surprisingly they are included, for instance, among the measures prohibited in the WTO Agreement on Trade-Related Investment Measures. It does not get any more protective and trade-distorting than that.

However, the Court limits itself to elegantly call for some “mechanisms” to ensure that suppliers can purchase green certificates “under fair terms” (para. 111), a puzzling statement in light of the previous validation of a protectionist scheme which is trade unfairness incarnated.

Ultimately, this is a memorable case, because it seemingly puts to bed the rule of reason as we knew it. Also, the reasoning on the merits is very hard to decode because the dropping of direct discrimination as a crucial element of the analysis resulted indeed in a confusing assessment of proportionality, which often loses sight of the differential treatment at stake and forgets about the necessity test altogether.

Barnard & Peers: chapter 12, chapter 16, chapter 22