Marie-Theres Holzleitner, a researcher from the University of Linz, laid down the basics of smart meters and grids. Building on her experience in the SPARKS project, she explained how the information security risks associated with smart grids could be addressed. She noted that two major concerns for the energy stakeholders who are developing smart grids are compliance with legal obligations and protection against cyber threats. Raphaël Gellert, a researcher from the LSTS, delved further into the topic and introduced the relevant legislative framework, including recommendations from the European Commission (EC) and the European Data Protection Supervisor (EDPS). Massimo Mattoresi from the EDPS described the practicalities of the Data Protection Impact Assessment template in greater detail. This template was developed in 2014 and is currently being revised by the EC. After the presenters had shared their knowledge and experience with regard to smart grid solutions, Dr. Hielke Hijmans opened the floor to questions. During the discussion between the panel members and the audience, the following issues were addressed:
Risks associated with the use of smart grids: The widespread use of smart grids facilitates the mass collection of detailed consumer information. Smart meter data collected at 15-minute intervals can give a detailed insight into a person’s life. It can reveal when a user is at home or at work, as well as when they are eating, sleeping or watching television. This extensive user data allows a link to be established with a particular individual, and therefore the processing of data within smart grids should be subject to the EU data protection framework, as recently updated by the GDPR.
A collection of detailed user profiles may have an adverse impact on individuals’ privacy if abused or mishandled. Detailed profiles may also facilitate identity theft, which can lead to fraud. Furthermore, determining behavioural patterns can lead to undesirable profiling by public authorities as well as private actors. For example, a smart meter can reveal that a user owns an older model of refrigerator. This information could be sold to a refrigerator distributor, who, based on this knowledge, could suggest a newer energy-saving model to the user. While this example may seem to benefit users, cases of discrimination cannot be dismissed. For example, a recent Belgian law requires smart meter data collection from people receiving welfare benefits to help combat fraud. Additional risks arise because smart meters transmit data between the meter and the energy supplier over information and communication systems (i.e., the Internet). Participants agreed that the use of smart grids should put consumers in control of their energy use and should not impinge on individuals’ rights and security.
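The inference risk described above can be made concrete. The following script is an added illustration, not material from the workshop or from any of the projects mentioned: it builds one constructed day of 15-minute meter readings for a hypothetical household, shows what an observer can read off them (first and last activity of the day and the longest quiet stretch, i.e. when nobody is home), and then shows how coarsening the readings before they leave the meter, a data minimisation measure in the spirit of data protection by design, progressively removes that information. The activity threshold (twice the median reading) and the load values are assumptions chosen for the example.

```python
"""Added example: what 15-minute smart meter readings reveal about a household's
routine, and how coarsening the data limits that inference.
All readings below are constructed sample data, not real meter output."""
from __future__ import annotations

from statistics import median

INTERVAL_MIN = 15                        # the 15-minute interval named in the text
SLOTS_PER_DAY = 24 * 60 // INTERVAL_MIN  # 96 readings per day


def constructed_day() -> list[float]:
    """One synthetic day of kWh-per-15-minute readings (constructed, not real):
    standby load overnight and while the house is empty, a breakfast spike,
    and a long evening of cooking, lights and television."""
    readings = []
    for slot in range(SLOTS_PER_DAY):
        hour = slot * INTERVAL_MIN / 60
        if 6.5 <= hour < 8.0:        # morning: kettle, shower, cooker
            readings.append(0.60)
        elif 18.0 <= hour < 23.0:    # evening: cooking, lights, television
            readings.append(0.35)
        else:                        # asleep or out: fridge and standby only
            readings.append(0.05)
    return readings


def coarsen(readings: list[float], factor: int) -> list[float]:
    """Sum each run of `factor` consecutive readings: factor=4 turns 15-minute
    readings into hourly ones, factor=96 into a single daily total."""
    return [sum(readings[i:i + factor]) for i in range(0, len(readings), factor)]


def active_periods(readings: list[float], interval_min: int) -> list[tuple[float, float]]:
    """Return (start_hour, end_hour) spans where consumption is well above the
    household's baseline. The baseline is the median reading; anything above
    twice that is taken as someone actively using appliances (an assumed rule)."""
    threshold = 2 * median(readings)
    periods, start = [], None
    for i, kwh in enumerate(readings + [0.0]):  # sentinel closes a trailing span
        if kwh > threshold and start is None:
            start = i
        elif kwh <= threshold and start is not None:
            periods.append((start * interval_min / 60, i * interval_min / 60))
            start = None
    return periods


def routine(readings: list[float], interval_min: int) -> dict | None:
    """What an observer can read off the data: first and last activity of the
    day and the longest quiet stretch between them (typically 'nobody home').
    Returns None when nothing stands out from the baseline."""
    periods = active_periods(readings, interval_min)
    if not periods:
        return None
    gaps = [(a_end, b_start) for (_, a_end), (b_start, _) in zip(periods, periods[1:])]
    longest_gap = max(gaps, key=lambda g: g[1] - g[0], default=None)
    return {"first_activity": periods[0][0],
            "last_activity": periods[-1][1],
            "longest_quiet_gap": longest_gap}


if __name__ == "__main__":
    day = constructed_day()
    for label, factor in (("15-minute", 1), ("hourly", 4), ("daily total", 96)):
        data = coarsen(day, factor)
        print(f"{label:12}: {routine(data, INTERVAL_MIN * factor)}")
```

At 15-minute resolution the script pins the household's wake-up time to 06:30 and its empty hours to 08:00-18:00; with hourly readings the same routine is still visible but only to the hour; with a daily total nothing stands out, because the information needed for billing does not require the information needed for profiling.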
The applicable legislative framework: The applicable legislative framework, which aims at protecting individual users, imposes numerous requirements on the developers of smart grids. The two EU legislative measures that smart meter developers should consider are the GDPR and the Network and Information Security Directive (NIS). Both require appropriate and proportionate technical and organisational measures to manage the risks posed to the processing of personal data (i.e., data about users) as well as to the security of network and information systems. The GDPR provides more protection for individual users (i.e., data subjects), whereas the NIS Directive focuses on the responsibilities of operators of essential services.
Changes brought by the GDPR: The GDPR has introduced new principles and requirements for data controllers (and processors) that have to be considered in the context of smart grids. These include the principles of accountability (Article 24), data protection by design (Article 25) as well as the requirement to carry out data protection impact assessments when the processing of personal data may generate a high risk to the rights and freedoms of individuals.
Determining legitimate grounds for processing: Participants’ views on the appropriate legal grounds for the processing of smart grid data were divided. While most participants agreed that consent is necessary for the processing of users’ personal data, opinions differed on the form this consent should take. Some, following the EDPS’ Opinion on the Commission Recommendation on preparations for the roll-out of smart metering systems, suggested using opt-in consent for the use of smart meters. This form of consent would guarantee that consumers deliberately choose to use a privacy-intrusive technology. Others insisted that opt-out consent might be a better solution for the sector, as people are less likely to participate if directly given the choice. Opt-out consent would ensure that smart meters and grids are installed by default.
The next Brussels Privacy Hub workshop in the series on the implementation of the GDPR will address data protection issues arising from health and well-being apps. The workshop will take place on 24 April 2017. For more information, please visit the BPH website or contact us at firstname.lastname@example.org.
Copyright © Brussels Privacy Hub