WORKSHOP • 21 MARCH 2017
by Lina Jasmontaite, Brussels Privacy Hub, LSTS, VUB
On 21 March 2017, the Brussels Privacy Hub organized a workshop addressing data protection issues in the energy sector. The workshop was part of the GDPR Workshop Series which is providing guidance and information in preparation for the implementation of the General Data Protection Regulation (GDPR). It attracted 17 participants ranging from industry and civil society representatives to academics and data protection authorities.
The workshop focused on data protection issues arising from the use of smart grids which are essential for the rollout of smart metering systems in the energy sector in the EU. Smart grids allow the monitoring of energy consumption and adjustment to changes in energy supply and demand. Smart grids should enable meeting the target set by the 2009 Renewable Energy Directive, which requires Member States to ensure that at least 20% of energy is from renewable sources. Governments and individuals have invested in alternative energy sources (e.g., wind power) but these investments will only pay off if these new energy sources are integrated into the traditional energy supply architecture. Smart grids are seen as the key enabler of such integration. However, apart from their potential to save energy and integrate alternative energy sources, smart grids present challenges to the protection of personal data and privacy. Smart grids facilitate collection of user data that can reveal personal information, such as habits, life-patterns, and hours spent at home.
In light of these challenges, the invited speakers discussed different options on how to develop smart grids that would be friendly to both consumers and industry. Marie-Theres Holzleitner, a researcher from the University of Linz, laid down the basics of smart meters and grids. Building on her experience in the SPARKS project, she explained how information security risks associated with smart grids could be addressed. She noted that two major concerns for the energy stakeholders who are developing smart grids are compliance with legal obligations and protection against cyber threats. Raphaël Gellert, a researcher from the LSTS, delved further into the topic and introduced the relevant legislative framework, including recommendations from the European Commission (EC) and the European Data Protection Supervisor (EDPS). Massimo Mattoresi from the EDPS described the practicalities of the Data Protection Impact Assessment template in greater detail. This template was developed in 2014 and is currently being revised by the EC. After the presenters shared their knowledge and experience with regard to smart grid solutions, Dr. Hielke Hijmans opened the floor to questions. During the discussion between the panel members and the audience, the following issues were addressed:
Risks associated with the use of smart grids: The widespread usage of smart grids facilitates mass collection of detailed consumer information. Smart meter data collection at 15-minute intervals can give a detailed insight into a person’s life. It can determine times when a user is at home or at work as well as eating, sleeping or watching television. This extensive user data allows establishing a link with a particular individual, and therefore, the processing of data within smart grids should be subjected to the EU data protection framework, as recently updated by the GDPR.
A collection of detailed users’ profiles may have an adverse impact on individuals’ privacy if abused or mishandled. Detailed profiles may also facilitate identity theft, which can lead to fraud. Furthermore, determining behavioral patterns can lead to undesirable profiling by public authorities as well as private actors. For example, a smart meter can reveal that a user owns an older model refrigerator. This information could be sold to a refrigerator distributor, who, based on this knowledge, could suggest a newer energy-saving model to a user. While this example may seem to benefit users, cases of discrimination cannot be dismissed. For example, a recent Belgian law requires smart meter data collection from people receiving welfare benefits to help combat fraud. Additional risks may arise because smart meters transmit and provide data through information communications systems (i.e., the Internet) between the meter and energy suppliers. Participants agreed that the use of smart grids should put consumers in control of their energy use and should not impinge on individuals’ rights and security.
The applicable legislative framework: The applicable legislative framework, which aims at protecting individual users, imposes numerous requirements for the developers of smart grids. The two EU legislative measures that should be considered by smart meter developers are the GDPR and the Network and Information Security Directive (NIS). These measures require taking appropriate and proportionate technical and organisational measures to manage the risks posed to the processing of personal data (i.e., data about users) as well as to the security of network and information systems. The GDPR provides more protection for individual users (i.e., data subjects) whereas the NIS Directive focuses on the responsibilities of operators of essential services.
Changes brought by the GDPR: The GDPR has introduced new principles and requirements for data controllers (and processors) that have to be considered in the context of smart grids. These include the principles of accountability (Article 24), data protection by design (Article 25) as well as the requirement to carry out data protection impact assessments when the processing of personal data may generate a high risk to the rights and freedoms of individuals.
Determining legitimate grounds for processing: Participants’ views on appropriate legislative grounds for the processing of smart grid data were divided. While most participants agreed that consent for the processing of users’ personal data is necessary, they disagreed on the form of this consent. Some, following the EDPS’ Opinion on the Commission Recommendation on preparations for the roll-out of smart metering systems, suggested using opt-in consent for the use of smart meters. This form of consent would guarantee that consumers deliberately choose to use privacy-intrusive technology. Others insisted that opt-out consent might be a better solution for the sector, as people are less likely to participate if directly given the choice. Opt-out consent would ensure that smart meters/grids are installed by default.
The next Brussels Privacy Hub workshop in the series on the implementation of the GDPR will address data protection issues arising from health and well-being apps. The workshop will take place on 24 April 2017. For more information, please visit the BPH website or contact us at firstname.lastname@example.org.