In April 2011, the Article 29 Data Protection Working Party issued its opinion 12/2011 on Smart Metering in Working Paper 183 and now in June 2011 the Belgian Data Protection Commission has issued its Recommendation No 04/2011 regarding principles for smart grids and smart meters. In this document the Commission goes further than the Working Party and provides more detailed additional guidance for both the law and soft law after a comprehensive global study of how other jurisdictions are implementing smart grids and issuing guidance regarding data protection and privacy.
Cédrine Morlière, Attorney and Senior Associate with Bird & Bird in Brussels, provides us with a summary of the Commission’s report and helps us understand the way forward in implementing smart grids in Belgium and highlights some of the challenges throughout Europe.
Cédrine joined the Data Protection and IT Practice of the Bird & Bird Brussels office in early 2011 as a senior associate. She advises on a wide range of Data Protection matters, with a particular focus on International Transfer of Data and Data Protection Compliance Programmes. Cédrine has very good relations with stakeholders in the energy sector and advises on privacy aspects of smart meters.Nymity: What does the Commission view as the benefits of the smart grid and smart metering environment for Belgians?
Morlière: The Belgian Data Protection Commission holds the view that the smart grid and smart metering technologies offer an opportunity to plan the supply of electricity in a more efficient and cost-cutting way so as to reduce the overall consumption of electricity as required by the EU Directive 2006/32/CE on energy end-use efficiency and energy services.
Those goals can be achieved thanks to new functionalities embedded in smart meters. Providing consumers and energy providers with detailed information about energy consumption, the possibility to develop new tariffs and services based on energy profiles and on the period when electricity is being purchased, the possibility to carry out electricity consumption audits more easily, would help in reducing energy use, whereas new functionalities making it possible to read and activate or deactivate smart meters remotely, would lead to more cost-effective energy services.
The costs of designing privacy compliant smart metering technologies, such as imbedding the data subject’s consent to the processing of their data via smart meters, should not be underestimated. The Belgian Data Protection Commission thus insists on the need to carry out an assessment of the privacy impact of each new possible function embedded in smart meters, and weight these against the expected benefits to/financial impact on Belgian consumers.Nymity: What are the key data protection concerns the Commission has raised over the implementation of the smart grid and
smart metering in Belgium?
Morlière: As mentioned by WP 183, the smart meters will make possible the processing of much more data and, and much more granular data on consumers’ consumption than traditional meters. It will be possible to collect data in real-time relating to end-users’s electricity consumption, as well as to collect information on when and how long any particular product is being used (e.g. refrigerator, washing machine, etc.) and this, due to their appliance load signature.
As mentioned by WP 183, a key question is also whether there are legitimate grounds for the envisaged new functionalities. Some kind of processing via smart meters may be necessary to perform a contract (e.g. in respect of billing), or could be carried out in the public interest (e.g. for making studies of electricity consumption). Other kinds of processing (e.g. for making energy profiles) would need the consumer’s fully informed consent.
The Commission also focuses on the need to put appropriate security measures in place so as to avoid data breaches, and this entails analysing the whole chain of communication of smart meter data.Nymity: Are these benefits and risks different than those identified by the WP 183, and if so how?
Morlière: The benefits and risks identified by the WP 183 are the Belgian Commission’s starting point. The Commission’s guidance examines the possible impact of those risks in Belgium. One big concern is the implementation of the general requirement of transparent processing in the context of the Belgian energy market which is governed by regional bodies issuing their own regulations (Brussels, the Flemish region and the Walloon region). As a lack of consistency between those regulations could result in a lack of transparency for the consumers (e.g. when moving from one region to another) and impair the development of smart meters in Belgium, the Data Protection Commission suggests that electricity suppliers and data controllers should work together at federal level so as to avoid undue complexity as regards the level and means of data protection in each region.Nymity: What are key recommendations of the Commission for the various stakeholders or actors in smart grid and smart metering
implementation in Belgium?
Morlière: The Commission is in favour of the issuance of new legislation setting out clear conditions for each purpose for which smart meter data will be processed, such as remote deactivation, debt mediation, campaigns against unoccupied buildings, police, judicial and tax authority access.
The law should also set out very precisely which third parties may have access to the data (e.g. debt mediators, consumer associations).
Both WP 183 and the Commission emphasise the necessity of obtaining the consumer’s consent for each commercial service via for example, a push button on the smart meter. The consumer should also have the option of easily withdrawing his consent in order to revert to less privacy-intrusive processing of smart meter data, and this should be possible without having to pay high fees or to replace the entire smart meter.
The data controller should also put adequate technical and organisational measures in place in order to provide transparent information on the processing of smart meter data. Moreover, any access by third parties to those data should be granted via a federal or a regional body. An independent state body should also control the implementation of the advantages (e.g. reduced costs, positive impact on climate change,) promised to the consumer in exchange for privacy intrusive data processing.
The energy providers and smart grid owners will have to provide clear information to consumers about how to exercise their rights (e.g. how to withdraw their consent). The point of contact for any question in relation to privacy should be clearly mentioned in information leaflets. The Commission also emphasises the need for providing neutral information on the benefits and risks of some functionalities (e.g. consumer profiles) and not only publicising the positive points.Nymity: How do the Commission’s recommendations differ for the WP 183?
Morlière: The Commission examines in more detail the limits of processing smart grid data for contentious purposes. According to the Commission, it should be possible to check at smart grid level whether the energy provided corresponds to the energy paid, and then identify whether any possible disparity could be due to technical problems or energy theft. Inquiring into this at a more granular level should not be permitted, as this is within the competence of public policy and judicial authorities.Nymity: The Commission has introduced the notion of an ‘independent public service’. What would this entity do and why?
Morlière: The Commission wishes to make each processing of smart meter data for new purposes subject to a double GO-ahead: from the data provider (the data subject or the energy provider); and from an independent public service which will take care of the implementation of data protection laws on smart meters.Nymity: How does the Commission address the issue of privacy amongst multiple adult data subjects within a household; between a landlord and tenant; between a university and student; employer and employee; where one adult, the landlord, the university or the employer are the entity ‘owning’ the personal data about the other data subjects?
Morlière: As also stressed by WP 183, several actors will have access to the smart meter data and it is not easy to determine which company is to be considered as the data controller, i.e. the body which alone or in cooperation with another body, determines the means and purposes of the processing and is ultimately responsible for this processing.
Energy suppliers will access the data transmitted by the meters and use them e.g. to issue bills or tailored energy audits; energy network operators (which own the grid) will be responsible for the installation and the running of the smart meters and will determine how the data are collected, stored and used.
The Commission recommends this issue be dealt with in new legislation which would appoint the data controller in relation to all existing and new functions.
The Commission also suggests imposing the duty of compliance on each actor (whether controller or not) in the smart grid: they must be able to prove that they have addressed any relevant privacy issue on the basis of an accountability principle (be accountable for their own processing of data). The law indeed is not likely to solve any practical issues regarding the implementation of smart meters.Nymity: What is soft law in Belgium referred to and how does it come about for the smart grid and smart metering?
Morlière: In addition to ad hoc legislation on smart metering, the Commission is in favour of the issuance of a sector code of conduct in order to address the practical implementation of the forthcoming rules on smart meters.Nymity: Often in Europe one speaks of making personal data anonymous? In the US the term is de-identification. In both situations, the goal is to reduce the risk of re-identification. What Commission recommendations, if any, or academic research is being performed to create scientific methods of anonymization for the smart grid and smart metering industry in Belgium?
Morlière: The Commission stresses the importance of developing appropriate methods of anonymization of data as well as methods of blocking access to data at a more granular level (e.g. per appliance). Moreover, it should be standard practice for meters to provide a low level of precision as regards smart meter data. Higher granularity should only be based on consent.Nymity: You mentioned that there might be lessons to learn from the telecommunications industry as the energy industry implements the smart grid and smart metering environment?
Morlière: According to the Commission, meters should be designed so as to allow access to the police, the same way as the police has access to telecom networks for investigation purposes. The Commission also gives an example within the framework of telecommunications legislation as regards the maximum retention period for those data: from 6 months to 2 years should be a standard, to be further defined in the forthcoming legislation on smart meters. New legislation should set out how long, where and how those data should be kept and coded.Nymity: What about the rights of law enforcement? How are these rights addressed while the protection of privacy sustained?
Morlière: It is a little premature to talk about how a forthcoming law on smart meters would be enforced, bearing in mind that rights on law enforcement may have changed by then in the context of the revision of the Data Protection Directive 95/46/EC. Strengthening the data subjects’ rights and bringing the rights of law enforcement on a same level in every EU country is indeed one of the key goals of the forthcoming Data Protection legal framework.