3.4 Smart Grids and Smart Metering(1)Note that these issues stretch far beyond smart meters and grids in the energy sector, as discussions and implementation of smart(er) cities increase: see L. Edwards, ‘Privacy, Security and Data Protection in Smart Cities - A Critical EU Law Perspective’ (2016) 2(1) European Data Protection Law Review 28.
The development of smart metering and smart grids are often highlighted as an important technological development in the transition to a low-carbon energy sector.(2)See, e.g., C.W. Gellings, The Smart Grid: Enabling Energy Efficiency and Demand Response (Lilburn (GA), USA: Fairmont Press, 2009) for a helpful (if US-centric) overview; S. Pront-van Bommel, ‘Smart Energy Grids within the Framework of the Third Energy Package’ (2011) 20 EEELRev. 32; S. Vanwinsen, ‘Smart grids: Legal Growing Pains’ (2012) 21 EEELRev. 142; and P.M. Connor et al., ‘Policy and regulation for smart grids in the United Kingdom’ (2014) 40 Ren & Sust Energy Revs 269. See also M. Goulden et al., ‘Smart grids, smart users? The role of the user in demand side management’ (2014) 2 Energy & Soc Sci 21; D. Xenias et al., ‘UK smart grid development: An expert assessment of the benefits, pitfalls and functions’ (2015) 81 Ren Energy 89, esp. at 93 and 96; and N. Balta-Ozkan et al., European smart home market development: Public views on technical and economic aspects across the United Kingdom, Germany and Italy’ (2014) 3 Energy Research & Soc Sci 65, esp. at 67, 72 and 75. The Electricity Directive defines a "smart metering system" as "an electronic system that is capable of measuring electricity fed into the grid or electricity consumed from the grid, providing more information than a conventional meter, and that it is capable of transmitting and receiving data for information, monitoring and control purposes, using a form of electronic communication".(3)Art. 2(23), Electricity Directive (EU) 2019/944. Smart grids may more loosely be defined as grids that by their design encourage decentralised electricity generation and energy efficiency.(4)See para. 51 of the preamble to the Electricity Directive (EU) 2019/944. For an earlier piece on smart meters as a key part of developing the smart grid, see Pront-van Bommel, n. 107, supra.
An important aspect of smart metering (and to some extent smart grids) is that it facilitates real-time measurement of electricity consumption. This, in turn, opens up the possibility of incentivising consumption at times when the aggregate electricity consumption is low by facilitating hourly electricity market pricing for consumers. Customers will then, for example, have an incentive to charge their electric vehicles or to wash their clothes at times with the lowest electricity prices, contributing to evening out the periods of peak demand. Combined with other technology provided through app management and new service-based market actors, the need for building new electricity generation capacity to ensure electricity supply in peak load hours may then be reduced, contributing to reducing the impact on the environment and climate, and reduced costs for society.
At the same time, smart metering generates new customer data, raising questions concerning privacy and data protection. In this respect, the preamble of Electricity Directive (EU) 2019/944 sets out rather broadly that the Directive respects and shall be interpreted in accordance with the Charter, in particular with respect to data protection issues,(5)Para. 91 of the preamble to Electricity Directive (EU) 2019/944. and that 'the privacy of final customers and the protection of their data shall comply with relevant Union data protection and privacy rules',(6)Art. 20(c), Electricity Directive (EU) 2019/944. primarily the General Data Protection Regulation (GDPR).(7)Reg. 2016/679/EU [2016] O.J. L119/1. The issues of privacy and data protection raise a number of questions, which to some extent also involve fundamental rights aspects. Yet this new status of the protection of personal data as a fundamental right has implications that have not necessarily been clearly or carefully worked through.(8)See, for example, O. Lynskey: ‘Deconstructing Data Protection: The ‘Added-Value’ of a Right to Data Protection in the EU Legal Order’ (2014) 63 ICLQ 569, and The Foundations of EU Data Protection Law (OUP, 2015); and G. González-Fuster, The Emergence of Personal Data Protection as a Fundamental Rights of the EU (Heidelberg: Springer, 2014). This is not the place to pursue detailed analysis of the finer points of data privacy law and policy in general, or its sophisticated application to smart grid operation and the installation and use of smart meters. Nevertheless, it is important to highlight this area as one where the relatively newly-found status of data privacy as a free-standing EU law fundamental right could yet have implications for the energy sector and its customers.(9)Specifically with regard to smart metering and data protection/privacy issues, see R. Knyrim & G. Trieb, ‘Smart metering under EU data protection law’ (2011) 1(2) Int Data Priv L 121 and N.J. King & P.W. Jessen, ‘Smart Metering Systems and Data Sharing’ (2014) 22 Int J Law & Info Tech 215. As one smart meter company representative has commented:
When it comes to the protection of utility assets, our experience shows us that utilities are completely aware of the risks and that they are requesting adequate security for their end-to-end solutions. The real challenge for the utility, however, is the protection of the end-consumer and their personal data. ... [I]n addition to transmitting data securely, it is at least equally important for utilities to adopt secure organizational procedures governing the use of and access to their IT systems - and for them to ensure that the privacy of end-consumer data is ensured while it is being stored and processed.(10)‘Smart metering in Europe: The Challenges Are Greater’ (http://www.engerati.com/article/smart-metering-europe-challenges-are-greater, 16 September 2014), reporting the comments of Oliver Iltisberger (Executive V.P. for Europe, Middle East and Africa) of Landis+Gyr (http://www.landisgyr.co.uk/).
These concerns will no doubt be familiar to anyone who has worked in a large company or institution handling significant volumes of personal data, where the requirements of data protection and privacy legislation have brought new obligations and risks to data controllers, and have engendered far-reaching changes in practice concerning data storage, transfer and the like.(11)See, generally, C. Kuner: European Data Protection Law: Corporate Compliance and Regulation (2nd edn., Oxford: OUP, 2007); Transborder Data Flows and Data Privacy Law (Oxford; OUP, 2013); and C. Kuner. L.A. Bygrave, C. Docksey & L. Drechsler, The EU General Data Protection Regulation (GDPR): A Commentary (Oxford: OUP, 2020). These concerns at the consumer end are heightened by the far-reaching potential of smart metering to grant access to all kinds of data concerning their energy usage and, thereby, their daily behaviour and preferences. And that is before the prospect which is often raised that external actors might be able to intervene remotely in a consumer's energy usage to manage it for them, whether in response to emergencies or on a more general level. For some, if this were to promise cost savings and greater economic and environmental efficiency, this might be a welcome involvement in their lives; for others, it threatens unacceptable intrusion into their lives and their privacy at home.
There is insufficient space to provide a full analysis of the data privacy and fundamental rights concerns regarding smart meters here,(12)E.g. there are important practical questions under the GDPR (Arts. 4(7)-(10), and 24-30) concerning who is the data controller (very often the distribution system operator in the first instance), processor or authorised third party in relation to smart meter data; and the detailed rights of the data subject under the GDPR: to be informed when data is collected and processed, to have access to the data (Arts. 13-15); to object to certain processing activities (Art. 21); and to data portability (Art. 20). but it is important to outline some key issues and their possible implications. First, which data are covered? Some data are obviously personal in nature: name, address, billing data and payment methods. Others, however, must also be included, where they are linked to a natural person who can be identified via the meter's identification number, such as: metering and consumption data, and data required for customer switching. This is because they reveal the economic situation of the data subject(13)A. Fratini & G. Pizza, ‘Data protection and smart meters: the GDPR and the “winter package” of EU clean energy law’ (22 March 2018, http://eulawanalysis.blogspot.com/2018/03/data-protection-and-smart-meters-gdpr.html), a discussion which predated the final adoption of the 2019 Clean Energy Package. and are thus caught by the GDPR.(14)Art. 4(1), Reg. 2016/679/EU [2016] O.J. L119/1.
Further, 'data gathered from smart meters can also be used for other purposes. Energy data allow for a better understanding of customer segmentation, customer behaviour and how pricing influences usage. As such, those data might be used for specific profiling exercises, e.g. to gather sensitive information on the end-user's energy-based footprint in his/her private environment, his/her behavioural habits and preferences by analysing the information collected through the meters'.(15)Fratini & Pizza, n. 118, supra. Furthermore, 'the potential risks associated with the collection of detailed consumption data are likely to increase ... where energy data can be combined with data from other sources, such as geo-location data, data available through tracking and profiling on the internet, video surveillance systems and radio frequency identification (RFID) systems. The critical issue is in fact that smart meters could constitute the entrance gateway to get a privileged access to the digital domain of a household'.(16)Ibid. Indeed, this can even extend to being able to identify whether a person is at home, even which television programmes an individual watches, and other aspects of their habits, preferences and behaviours.(17)M.H. Murphy, ‘The Introduction of Smart Meters in Ireland: Privacy Implications and the Role of Privacy by Design’ (2015) 38(1) Dublin University LJ 191.
As a result, it has long been clear that the processing of such data must be subjected to analysis to ensure that it is conducted on lawful grounds. Already in 2011, the Article 29 Working Party, working under the old Data Protection Directive,(18)Directive 95/46/EC [1995] O.J. L281/31. identified five possible grounds for lawful processing in the smart metering con consent, contract, performance of a task carried out in the public interest or exercise of official authority, legal obligation, and legitimate interests, and these remain valid concerns today. Consent is likely to remain the crucial area as smart meters become ever more widespread, as the technology that they contain will continue to develop and may enable more wide-ranging uses to be made of the data which they gather. Thus, consent will need to be fully informed, with regular updates to end-users on what the data can and will be used for,(19)See, e.g., Energy UK, ‘Privacy Charter for Smart Metering’ (https://www.energy-uk.org.uk/publication.html?task=file.download&id=3190), where significant detail is provided on what the information collected will be used for, when and how it will be collected, who else may be given access to the information, how the end-user will be kept informed about the use of such information from smart meters, and the energy consumer’s rights in relation to these data. At the same time, it should be noted that the list of uses is specifically stated not to be exhaustive and that energy suppliers will inform the end-user of other such uses. and at a sufficiently granular scale to ensure that the range of uses is appreciated. Further, it must be possible to revoke consent in a workable manner and not to become locked into that consent, should an end-user's situation or opinion change.
As a matter of proportionality - a crucial issue in assessing the fundamental rights dimensions of data privacy in the smart metering context - serious questions should be asked as to whether the data collected is necessary or merely beneficial for the functioning of the system involving meters, grids, and the achievement of the benefits claimed for such smart metering. Thus, if the goal is to enable end-users to manage their own energy usage in a more timely, efficient and cost-effective fashion, then only minimal communication of energy data outside of the home is required, so as to allow billing to take place. If it is suggested that this fails to pass on information needed for, e.g., more responsive grid management, then information could be aggregated to provide data at a scale that is granular enough to serve that purpose, while not identifying individuals where this is not necessary to the systemic benefits to be gained.(20)Murphy, n. 122, supra, citing K. Kursawe, G. Danezis & M. Kohlweiss, ‘Privacy-Friendly Aggregation for the Smart-Grid’, in S. Fischer-Hübner and N. Hopper (eds.), Proceedings of the 11th Privacy Enhancing Technologies Symposium (Waterloo, July 2011; http://research.microsoft.com/pubs/140692/main.pdf); and A, Cavoukian, ‘Privacy by Design … Take the Challenge’ (Information and Privacy Commissioner of Ontario, 2009; http://www.prvacybydesign.ca/content/uploads/2010/03/PrivacybyDesignBook.pdf). Failure to consider these issues at early stages in the design and planning process has caused problems in various countries;(21)I. Brown, ‘Britain’s Smart Meter Programme: A Case Study in Privacy by Design’ (2014) 28 IRLCT 172, 180; C. Cuijpers and B.J. Koops, ‘Smart Metering and Privacy in Europe: Lessons from the Dutch Case’, in S. Gutwirth et al (eds.), European Data Protection: Coming of Age (Dordrecht: Springer Netherlands, 2013), 281. now that the issue is squarely on the agenda, there should be no excuses for failing to consider the data privacy questions, conducting impact assessments and keeping consumers fully informed of what information their meter will communicate about them and how it will be used.