the GDPR and the ‘winter package’ of EU clean energy law


Alessandra Fratini
and Giulia Pizza, FratiniVergano,
European Lawyers – a Brussels-based law firm specialising in European and international law

On 30 November 2016, the Commission launched the Clean Energy for All Europeans
legislative package, aimed at modernizing the European electricity
market and facilitating the transition to more decentralized, clean energy
solutions. “Decentralization” is seen as a driver for innovation and the key
factor for rebalancing energy actions in favour of a demand-driven policy,
where consumers are equipped with the right tools to actively participate in
this paradigm shift. Smart metering systems are one of the “right tools” for
consumer empowerment, as they allow users to make decisions about their energy
consumption by reacting to real-time tariffs.
The proper functioning of smart meters requires that a
significant amount of sensing data be collected and processed by eligible
parties and made available to entitled stakeholders. That generates data
protection challenges and creates new risks for the data subjects with a potential
impact in areas (e.g. price discrimination, profiling, household security)
previously absent in the energy sector. While the General
Data Protection Regulation
(GDPR) provides the general legal framework for ensuring
privacy and data protection of final consumers in the context of the smart
meters’ roll-out, the Commission’s proposal for a recast of the Electricity
Directive
(which is part of the “Clean Energy for All Europeans” package
and specifically regulates smart meters’ deployment) includes detailed
provisions to ensure that data protection issues are properly tackled. It is
understood that, once adopted, the latter would act as lex specialis with reference to the generally applicable GDPR
provisions.

After an overview of the evolution of smart meters in EU law,
this article reviews the challenges that smart metering systems pose to the
protection of personal data and how these can be addressed under the GDPR
provisions, read in conjunction with the specific requirements on data
protection foreseen in the recast Electricity Directive.

Smart Metering
Systems in EU law

Smart meters are electronic devices that record real-time
production and consumption of electricity and communicate that information to
the utility operator for monitoring and billing. Smart meters allow consumers to
adapt their consumption – in time and volume – to real-time energy prices, thereby
helping them to manage their usage more effectively and, conceivably, save
money.

The deployment of smart meters is expected to improve customer
service, with more accurate billing, easier and quicker switching between payment
methods. It will also increase the opportunities for consumers who produce
their own energy to respond to prices and sell excess to the grid.

The idea of equipping consumers with intelligent systems
allowing them to manage their energy consumption was developed in the 2006 Energy
Service Directive
(ESD) and later taken up in
the (still in force) 2009 Third
Energy Package
, which marked a turning point in the energy market
integration process within the EU. With the third package, in fact, the focus
shifted to the development of an effective retail market, with specific
measures being designed to grant energy consumers a number of rights, such as
the right to switch energy providers and receive clear energy bills. It is
exactly from the perspective of consumer empowerment that the 2009 Electricity
Directive
strongly promotes the use of intelligent metering systems for the
long-term benefit of consumers.
In line with the same spirit, the 2012 Energy
Efficiency Directive
(EED) includes a comprehensive set of measures on
metering and billing with a view to extending the scope and further clarifying
the provisions foreseen in the Third Package and in the ESD. In addition, for
the first time, the EED touches upon data privacy and security in the installation
of smart meters and foresees, among the obligations imposed on Member States, compliance
with relevant Union data protection and privacy legislation.

Finally, the 2016 Clean Energy Package, also known as the
“Winter Package”, further fits into this picture. The Commission acknowledged
that it was time to update the existing framework to make it compatible with
the higher levels of flexibility and decentralisation of today’s energy sector,
and to create the enabling environment to facilitate the “paradigm shift” to a
more competitive and consumer-centred market structure.

In particular, the proposal for a recast of the Electricity Directive
introduces new rights to empower and better protect end users, such as the
right to clearer billing information and certified comparisons tools, the
entitlement to a dynamic price contract, the possibility to engage in
demand-response and in self-generation of electricity. Smart meters are the
essential tools to allow for an effective exercise of these rights. In this context,
the recast Directive provides specific definitions for smart metering systems and
interoperability and devotes a specific section (Articles 19-24) to smart
meters’ functionalities, deployment, and data management issues.

Article 20 of the proposal sets out seven principles to be
applied when rolling out smart meters. Out of those seven principles, four relate
to the protection of personal data, including consumers-data subjects’ rights. In
particular, points b) and c) state that security of data communication and data
protection of final consumers shall be ensured in compliance with relevant
Union security and data protection legislation. On data subjects’ rights, point
e) stipulates that energy consumers are entitled to access metering data on
their electricity input and off-take in an easily understandable format, while
point f) requires Member States to ensure that consumers are duly informed at
the time of installation of smart meters of the collection and processing of
their personal data. 

Besides the abovementioned principles, a more specific set
of provisions (Articles 23 -24 and Annex III) focuses on energy data access and
management and reiterates the need to ensure the highest level of cyber-security
and data protection by applying the best available techniques in the field.

Key data protection
issues in smart metering systems under the GDPR and the Winter Package

A smart meter is supported by a communications network that
collects and processes an increasingly high quantity of personal data and makes
it available to entitled stakeholders and systems. These data are collected
everywhere in the smart electricity system, including consumers’ homes and,
possibly, electric vehicles. In this respect, final consumers’ trust and
confidence are crucial: without proper guarantees on data protection, consumers
are likely to be reluctant to take risks and might possibly dismiss innovation in
favour of conventional meters.

Being the development of standards for data protection and
security key to realising the full potential of smart metering in the EU, an
express reference to the recently adopted GDPR is included in the section on smart
meters (Article 23) of the recast Electricity Directive. Investments in smart
metering technology also depend on consumer’s trust in the utilities and
network operators. The draft Directive aims at stimulating consumer involvement
with attractive incentives, while at the same time creating an indissoluble
bond between smart meters’ technical implementation and compliance with EU data
privacy and security standards.

The specificities of smart meters raise some key specific
issues in relation to the application of the GDPR and the (future) recast
Electricity Directive, such as the qualification of “energy data”, the
allocation of responsibilities in energy data management and the rights of the
data subjects.

 Qualification of “Energy data”

Smart metering systems process huge amounts of data as part
of their routine technical operations. The first issue that arises is thus whether
all of those data shall be regarded as personal data.

Nulla questio for registration
data provided by the data subject when entering a contract for the roll-out of
a smart meter, i.e. name, address and information on consumer’s billing data
and payment methods, which are unquestionably “personal data”. The conclusion
is less undisputable when it comes to consumer’s “energy data”, which are
identified by the recast Electricity Directive as metering and consumption data,
and data required for consumer switching. While these data, at first sight,
might be considered as technical data and, as such, deemed to fall outside the
scope of the GDPR, they are actually – and inextricably – linked with the
natural person who is responsible for the metering account via a unique
identifier, such as a meter identification number. These data are therefore to
be regarded as personal data because they are associated with an identified or
identifiable user and disclose information on his/her energy usage, thereby
providing insights on the daily life of the data subject. When the data subject
is a “prosumer”, i.e. a small or medium-sized agent which both consumes and
produces electricity, the “energy data” refer to the amount of energy and power
injected into the grid, which in turn provide information on the amount of
available energy resources of the data subject.

The above reading of “energy data” as personal data would be
in accordance with the GDPR, whose definition of personal data includes information
revealing the economic situation of the data subject. That is all the more true,
if one considers that energy data may be more or less detailed based on the
consumer’s needs, as they can be designed and tailored accordingly. “Energy
data” represent therefore an increasingly valuable asset not only for final
consumers, who can adjust their behaviour to variable tariffs to reduce their
energy expenditure, but also and especially for policy makers who have a precious
instrument (consumers’ real-time feedback) at their disposal to effectively
target, monitor and evaluate measures and actions in the field.

However, data gathered from smart meters can also be used for
other purposes. Energy data allow for a better understanding of customer
segmentation, customer behaviour and how pricing influences usage. As such,
those data might be used for specific profiling exercises, e.g. to gather
sensitive information on the end-user’s energy-based footprint in his/her
private environment, his/her behavioural habits and preferences by analysing
the information collected through the meters. Smart meters will likely have an
impact on the competitive pressure within energy supply markets, as the provision
of accurate and reliable data flows by the smart metering infrastructure will
enable easier and quicker switching between suppliers. Accessing consumers’
data on energy preferences will therefore constitute a significant advantage
for energy utilities. That is why adequate levels of protection shall be
ensured during both the transmission and the processing phase, to avoid unauthorised
consumer profiling based on the detailed meter readings and other possible “further”
uses of those data.

In addition, the potential risks associated with the
collection of detailed consumption data are likely to increase in the context
of the so called “internet of things”, where energy data can be combined with
data from other sources, such as geo-location data, data available through
tracking and profiling on the internet, video surveillance systems and radio
frequency identification (RFID) systems. The critical issue is in fact that
smart meters could constitute the entrance gate to get a privileged access to
the digital domain of a household.

Data management and
allocation of responsibilities

As clearly established by Article 23 of the recast
Electricity Directive on data exchange and management in the context of smart
meters’ roll-out, any issues relating to energy data handling are to be tackled
at national level. It follows that Member States, or the competent authorities,
“shall organise the management of data in order to ensure efficient data access
and exchange” including specifying the eligible parties which may have access
to data of the final customer, provided that explicit consent is given in
accordance with GDPR provisions. Eligible parties shall include at least
customers, suppliers, Transmission system operators (TSOs) and Distribution
system operators (DSOs), aggregators, energy service companies, and other
parties which provide energy or other services to customers. This list is
understood to be purely indicative and non-exhaustive, considering the highly
dynamic environment of the energy sector.

The GDPR identifies characteristics and responsibilities of
data controllers, processors and third parties authorised by controllers and
processors to collect and process personal data. The controller is the sole
responsible, alone or jointly with others, for determining the purposes and
means of the processing of personal data while the processor performs the
processing of personal data on behalf of the controller. The third party processes
personal data under the direct authority of the controller or processor and
solely if authorised to do so by those. Finally, recipient is the party to
which the personal data are disclosed, whether a third party or not.

As the implementation of smart meters involves a number of
actors in the processing of personal data, it is crucial to identify who, in that
context, should be regarded as data controller, processor or simply an authorised
third party. The allocation of roles and responsibilities might not be
straightforward, since the arrangements for smart metering deployment – and
consequently the data management model – are a matter to be addressed at Member
States’ level and no clear guidance exists at EU level. Given the number and complexity
of relationships, it is likely that there will be difficulties in applying the
relevant definitions.

Nevertheless, based on the GDPR, the following set of roles
and responsibilities can be identified. The controller could be defined as the “metered
data responsible”, who handles metered, contractual and network data. Its
responsibilities are collecting, validating, analysing and archiving historical
data as well as ensuring that customers have at their disposal their
consumption data and giving, by explicit agreement and free of charge, any
registered supply undertaking access to its metering data. The role of the processor
can be associated with that of the “metered data collector” or of the “metered
data aggregator”, who are respectively responsible for meter reading and
quality control of the reading and for the establishment and qualification of
metered data from the metered data responsible or controller. The recast
Electricity Directive proposes that the parties which are managing data be authorised
and certified by the national competent authorities in order to ensure
compliance with the data protection requirements. This is in line with the GDPR,
which encourages Member States to establish certification mechanisms and codes
of conduct to demonstrate the existence of appropriate safeguards provided by
controllers or processor.

In most Member States, the DSO is the metering operator and,
as such, it is the data controller in the first phase of the metering data
process. The DSO´s process ends with creating a bill for network usage; in a
second step, the metering data are passed on to the electricity supplier, who
is responsible for billing and serving consumers, thus acting as the data
controller in this final phase of the processing operation. As a matter of
fact, DSOs are already involved in the processing of personal data because they
have detailed information on the status of network components, generators
connected to the network and energy flows throughout the network. In some
cases, the DSO outsources parts of its metering business to a metering operator
(MO), an entity which offers services to install, maintain and operate metering
equipment related to supply. This role might be further split into two entities,
one responsible for managing the meter and another responsible for managing the
metering data. In this case, the MO performs the role of the processor based on
a contractual arrangement with the DSO. However, in the majority of Member
States the metering sector is considered part of the distribution business,
with the DSO being both the owner and the responsible party for smart meters’
roll-out and granting accessing to metering data.

Notwithstanding the leading role of DSOs in smart meters’ data
management, some Member States have opted for a separate entity (central
communication hub), which shall provide third parties access to metering data,
decoupling the processing of data from the physical meter. In such a system, consumers’
data are stored on the smart meter installed at their premises and the central hub
entity is responsible for routing (but does not store) data, gathering those
from the equipment in the consumer’s premises and delivering the same to energy
suppliers, DSOs and other third parties. Such a transmission can occur,
pursuant to the GDPR, further to consent appropriately expressed by the data
subject.

A similar allocation could apply in those Member States, who
have instead adopted a communication structure based on a middleware (the “data
concentrator”, or “data aggregator”), located at medium voltage/low voltage
substations, which works as a communication gateway between the data management
system and the smart meters. The data concentrator collects information and data,
often from multiple meters, in a particular geographical area before communicating
the data to a central database for billing, troubleshooting and analysing.
Concentrators are heavily used in densely-populated areas.

Rights of the Data
Subject

The GDPR includes a wide range of rights for data subjects, some
brand new, some existing already under the Data Protection Directive but enhanced
by the reform.

Amongst the existing rights, the right to be informed when
personal data are being collected and processed, the right of access as well as
the right to object to certain processing activities (including profiling) and
to automated individual decision-making are relevant in the smart metering
systems’ context. Amongst the new rights, the right to data portability is also
likely to be of relevance when smart meters are fully operational.

Article 20 (1) f) of the recast Electricity Directive
reflects Article 14 of the GDPR listing the information to be provided by the
data controller where personal data are collected from the data subject. In
particular, appropriate information on the energy consumption and on the collection
and processing of personal data shall be given at the time of installation of
the smart meter. As regards the minimum details of the information notice, the
provision explicitly refers to applicable Union data protection legislation.

Article 20 (1) e) of the Directive establishes the right for
the customer to access his/her metering data on electricity input and off-take,
while Article 23 (4) specifies that such access should be free of charge for
final customers. Article 20 describes the minimum principles to be observed
when smart metering systems are designed and implemented. Data protection
measures enabling provision of information and availability of metering data
constitute therefore a set of minimum functionalities to be integrated in all
smart metering systems. That is a clear reference to the “data protection by
design” principle under the GDPR.

However, the right of access to consumer’s data shall be
also guaranteed to all eligible third parties under the Directive, in a
non-discriminatory manner and simultaneously, so as to ensure that the system
works properly. Eligible parties’ access finds its legal basis in Article 23
(2), which stipulates that, independently of the data management model chosen by
the Member State, the party or parties responsible for data management shall
provide any eligible party access to the data of the final customer, subject to
the latter’s explicit consent. Access to consumers’ data by eligible parties
may not be free of charge according to paragraph 4. Nevertheless, the Directive
places an obligation on Member States to set the relevant access costs in order
to ensure that regulated entities that provide data services do not profit from
that activity.

Finally, Article 20 (1) GDPR defines the right of data
portability as “the right to receive the personal data, which the data subject has
provided to a controller, in a structured, commonly used and machine-readable
format and to transmit those data to another controller without hindrance from
the controller to which the data have been provided”. Accordingly, data
portability is the right of the data subject to receive a subset of the
personal data processed by a data controller concerning him/her, and to store
those data for further personal use. In addition, that right allows data
subjects to transmit personal data from one data controller to another “without
hindrance”. As regards the type of personal data concerned, the first condition
for the exercise of this right is that the data pertain to the data subject, while
the second condition is that the data have been provided by the data subject to
the data controller.

The Article 29 Data Protection Working Party (WP29) has clarified
in its Guidelines
that data that fall within the definition of data “provided by” the data
subject are not only the “data actively and knowingly provided by the data
subject” but include also those personal data that are observed from the
activities of users such as raw data processed by smart meters. In the smart
meters’ context, the data subject is therefore entitled to exercise his/her
right to data portability only with respect to his/her usage data regularly generated
by the metering system and simply collected by the data controller, without
being processed or manipulated by the latter. As a result, data that are
created by the data controller using the data observed or directly provided as
input, such as a user profile designed by analysis of the raw smart metering
data collected, do not appear to fall within the definition of data “provided
by” the data subject.

The GDPR places some requirements on data controllers for
the format to be used in data transfers to other data controllers when the data
subject exercises his/her right of portability. More specifically, personal
data must be provided “in a structured, commonly used and machine-readable
format”. The terms “structured”, “commonly used” and “machine-readable” are a
set of minimal requirements that should facilitate the interoperability of the
data format provided by the data controller. Given the wide range of data types
that might be processed and the specificities of each sector, the GDPR does not
provide specific recommendations as to the data format, thus leaving it to each
industry to develop the common set of interoperable standards and patterns to
deliver the minimum requirements of the right to data portability.

Welcoming the industry-focus approach, the recast
Electricity Directive outlines the minimum features the format for metering data
transmission should have. Article 20 (1) e) stipulates that “metering data on
electricity input and off-take shall be made available via a local standardised
interface and/or remote access in an easily understandable format, allowing customers
to compare deals on a like-for-like basis”. Here the primary aim of data
portability seems to be price comparability, to facilitate service switching
and enhance competition between services. This provision closely mirrors
Article 24 of that Directive, which requires Member States to develop a common
data format and a transparent procedure for eligible parties to have access to
the consumers’ data. Here too, competition is the driver since the data format
is conceived to ensure that energy utilities active on the retail market get simultaneous
and non-discriminatory access to final costumers’ data. However, the Directive
does not establish a minimum set of specifications for eligible parties’ access
data format. That shall be defined by the Member States and then by the
Commission, who is explicitly called on to determine a common European Data
format that will replace the ones adopted at national level.

DPIA in Smart Meters’
roll-out

The Data Protection Impact Assessment (DPIA) is a tool
designed to describe the envisaged processing operations carried out by an
organisation during its activities in order to evaluate the origin, nature,
particularity and severity of risks of these operations to the rights and
freedoms of the data subjects. The outcome of the assessment helps to determine
the appropriate measures to be taken to mitigate the risks and demonstrate that
the processing of personal data complies with data protection requirements.

In its first Recommendation
on the roll-out of smart metering systems issued in 2012, the Commission called
on Member States to adopt and apply a template for DPIA that should be
developed by the Commission and submitted to the WP29 for its opinion. In 2013,
the Commission submitted to the WP29 the first version of the DPIA template
prepared by a dedicated expert group under the Smart Grid Task Force. In its opinion,
the WP29 welcomed the objectives identified by the template but expressed
concerns on various parts and invited the Commission to revise it. A new
version of the template was subsequently submitted to the WP29. The WP29’s
final opinion issued in December 2013 recognized the improvements with respect
to the previous version and recommended to organise a test case with some real
cases. After having taken into account these final comments of the WP29, the
Commission issued a Recommendation
to promote the adoption of the template.
While having been issued before the formal adoption of the
GDPR, both the Commission Recommendation and the Opinion of the WP29 are fully
in line with it. However, no obligation to ensure that a DPIA is carried out is
imposed on the Member States, given that the Data Protection Directive established
the discretional nature of performing a smart meter’s DPIA. On the contrary,
the GDPR renders the DPIA mandatory under certain conditions and calls on competent
supervisory authorities to impose fines in case of failure to carry out a DPIA
when required. According to the GDPR, a DPIA is only required when the
processing is “likely to result in a high risk to the rights and freedoms of
natural persons”. In order to ensure a consistent interpretation of the
circumstances in which a DPIA is mandatory, the WP29 Guidelines,
adopted in April 2017 and further revised in October 2017, clarify this notion
and provide criteria for the development of a common EU list of processing
operations for which a DPIA is obligatory.

The more criteria the processing meet, the more likely it is
to present a high risk to data subjects and therefore to require a DPIA. Of the
nine criteria identified by the 2017 Guidelines in this respect, at least three
seem applicable to the operation of smart meters. In particular, the evaluation
or scoring criterion, including profiling and predicting, is fully applicable
to smart meters insofar metering data help utility companies building behavioural
or marketing profiles based on consumers’ energy usage. Data processed on a large-scale
criterion is also likely to be relevant in the smart meters’ context. Smart meters
register consumption data at short, regular intervals and ensure their timely
transmission to the data controllers or concentrators which, in turn, organise
the huge volume of data received from users in a specific geographical area in
aggregated forms for the efficient maintenance of the grid and for allowing
energy utilities to adjust their energy production accordingly. Finally, the innovative
use/application of new technological or organisational solutions criterion is
undoubtedly of relevance in the deployment of smart metering systems, to the
extent that this can involve novel forms of data collection and usage that have
unknown, significant impacts on individuals’ daily lives, depending on the data
management model adopted at national level.   

In addition, still in the context of the new technology
product criterion, another privacy concern that might trigger the need to carry
out a DPIA may be the case of a piece of hardware or software, where this is
likely to be used by different data controllers to carry out various processing
operations. The data controller remains certainly obliged to carry out its own
DPIA with regard to the specific implementation of the new product, but this
can be informed by a DPIA prepared by the product provider. In smart meters,
the above applies to the relationship between manufacturers of smart meters and
DSOs or utility companies. Each product provider or processor should share
useful information with neither compromising secrets nor leading to security
risks by disclosing vulnerabilities.

Once the assessment of the criteria has been completed and
the existence of an obligation to carry out a DPIA has been ascertained, the
process can be initiated, possibly according to the procedure identified in the
DPIA template developed by the Smart Grid Task Force. The generic iterative process
consists of several procedural steps going from the identification of necessary
resources and constitution of the DPIA team, to the description of the smart
grid/metering systems and the identification and assessment of relevant and
residual risks to be concluded with the drafting of the DPIA report and the
development of measures for reviewing and maintenance.

Conclusions

Smart metering systems are becoming one of the primary tools
to promote participatory processes and decentralization which are at the heart
of the energy transition and the development of new energy services. A massive
deployment of smart meters is expected in the near future, after the Third
Energy Package made the roll-out compulsory, should the economic assessment be
positive, and the Winter Package put it at the centre of its reform as a key
instrument to empower energy consumers. The potential privacy risks posed by
their implementation need to be tackled with highest priority. It is in fact
essential that consumers have access to trusted mechanisms to manage their
energy data and create value with it, while being in complete control of their private
environment and behavioural habits.

For years, there was no specific binding legislation devoted
to data protection in smart metering systems, while a number of soft-law instruments
were adopted to balance energy policy goals with data protection concerns. In
recent years, the EU legislator has started paying special attention to personal
data protection in smart meters’ deployment, and some important progress has
been made as a result, starting with the development of the DPIA template.

Today, the development of standards and safeguards for data
protection and security in smart meters’ roll-out is a major objective in the
EU. Against the background of the recently adopted GDPR, a specific data
protection and security framework for smart meters has been proposed in the
recast Electricity Directive. The aim is to embed relevant GDPR provisions in
the new text and tailor those to the needs and specificities of smart meters’
implementation and functioning. It follows that a new, comprehensive legal
framework to ensure high level of personal data protection in smart metering
systems is being shaped, which is expected to lead to greater trust and
confidence of energy consumers and, in turn, to their increased participation
in the decentralisation process.

Photo credit: Utility Week



Source link

Related posts

Leave a Comment