Protecting data and smart meters: GDPR and the EU clean energy law's 'winter package'

Alessandra Fratini and Giulia Pizza, FratiniVergano, European Lawyers - a Brussels-based law firm specialising in European and international law

Introduction

In late 2016, the European Commission introduced the “Clean Energy for All Europeans” legislative package to modernize Europe’s electricity market and encourage cleaner energy solutions. This push for “decentralization” is seen as a way to drive innovation and shift the focus to a demand-driven energy policy. The goal is to give consumers the tools they need to actively participate in this change. Smart meters are a prime example of these tools, allowing users to make informed decisions about their energy use by responding to real-time pricing information.

Effective smart meter operation relies on collecting and processing significant amounts of data, which is then shared with authorized parties. This data collection presents data protection challenges and introduces new risks for individuals, potentially impacting areas like price discrimination, profiling, and household security. These concerns have not been traditionally present in the energy sector. While the General Data Protection Regulation (GDPR) establishes a general framework for safeguarding consumer privacy and data protection in the context of smart meter rollout, the Commission’s proposal to recast the Electricity Directive, part of the “Clean Energy for All Europeans” package, includes detailed provisions to specifically address data protection related to smart meters. Once adopted, these provisions would take precedence over the more general GDPR rules.

This article first provides an overview of how smart meters have been addressed in EU law. It then examines the challenges these systems pose to personal data protection and explores potential solutions within the framework of the GDPR, considering the specific data protection requirements outlined in the recast Electricity Directive.

Smart Metering Systems in EU Law

Smart meters are electronic devices that track electricity production and consumption in real time. This information is then relayed to the utility provider for billing and monitoring purposes. With this real-time data, consumers can adjust their energy use based on fluctuating prices, leading to more effective energy management and potential cost savings.

Widespread smart meter implementation is anticipated to enhance customer service through more precise billing and streamlined payment method switching. Additionally, it will create opportunities for consumers who generate their own energy to respond to price signals and sell any excess energy back to the grid.

The concept of empowering consumers with intelligent systems for managing energy consumption emerged in the 2006 Energy Service Directive (ESD) and was later incorporated into the 2009 Third Energy Package, which remains in effect today. This package marked a pivotal moment for EU energy market integration, shifting the emphasis toward a robust retail market. Crucially, it introduced measures to strengthen consumer rights in the energy sector, including the ability to switch providers and receive transparent energy bills. The 2009 Electricity Directive, with its strong emphasis on consumer empowerment, champions the adoption of intelligent metering systems for the long-term benefit of consumers.

Continuing this trend, the 2012 Energy Efficiency Directive (EED) features a comprehensive set of measures addressing metering and billing, expanding upon and clarifying provisions within the Third Package and the ESD. Significantly, the EED also marks the first instance of addressing data privacy and security concerns related to smart meter installation. It mandates that Member States comply with relevant Union data protection and privacy laws.

Finally, the 2016 Clean Energy Package, often referred to as the “Winter Package,” builds upon these foundations. Recognizing the need for modernization, the Commission aimed to align the existing framework with the increasing flexibility and decentralization of today’s energy sector. The goal was to foster a shift toward a more competitive and consumer-centric market structure.

The proposed recast of the Electricity Directive introduces new rights to empower and protect end-users. These include rights to clearer billing information, certified comparison tools, dynamic price contracts, and participation in demand-response and self-generation of electricity. Smart meters are crucial in enabling consumers to fully exercise these rights. The recast Directive defines smart metering systems and interoperability, dedicating a specific section (Articles 19-24) to their functionality, deployment, and data management.

Article 20 of the proposal lays out seven principles for smart meter implementation, four of which directly relate to personal data protection and the rights of consumers as data subjects. Notably, points b) and c) emphasize ensuring secure data communication and data protection for final consumers, aligning with relevant Union security and data protection regulations. Regarding data subject rights, point e) grants energy consumers access to their electricity input and off-take data in a readily understandable format, while point f) requires Member States to inform consumers about personal data collection and processing practices during smart meter installation.

Expanding upon these principles, Articles 23-24 and Annex III provide detailed guidance on energy data access and management. These provisions underscore the need for robust cybersecurity and data protection, employing the most effective techniques available.

Data Protection in Smart Metering: Challenges Under the GDPR and the Winter Package

Smart meters rely on communication networks to collect, process, and share increasing volumes of personal data with authorized entities and systems. This data originates from various points within the smart electricity ecosystem, including consumers’ homes and even electric vehicles. Trust and confidence among final consumers are paramount in this context. Without adequate data protection guarantees, consumers may hesitate to embrace these technologies, potentially hindering innovation in favor of traditional meters.

Recognizing the importance of data protection and security standards for unlocking the full potential of smart metering in the EU, the recast Electricity Directive directly references the recently adopted GDPR in its section on smart meters (Article 23). Consumer trust in utility providers and network operators is essential for investments in smart metering technology. The draft Directive aims to incentivize consumer participation through attractive incentives while establishing a clear link between the technical implementation of smart meters and compliance with EU data privacy and security regulations.

However, the unique characteristics of smart meters raise specific challenges when applying the GDPR and the future recast Electricity Directive. These include defining “energy data,” clarifying responsibilities in energy data management, and determining the rights of data subjects.

Defining “Energy Data”

Smart metering systems inherently process vast quantities of data as part of their routine operations. A key question arises: should all this data be classified as personal data?

Data provided by individuals when entering into a smart meter contract, such as name, address, billing information, and payment methods, clearly constitute “personal data.” The classification becomes less clear-cut when considering consumer “energy data,” defined in the recast Electricity Directive as metering, consumption, and data required for consumer switching. While this data might initially appear as technical and outside the GDPR’s scope, it is inherently linked to the individual responsible for the metering account through unique identifiers like meter identification numbers. Therefore, this data should be treated as personal data because it can be associated with an identified or identifiable user, revealing details about their energy consumption habits and offering insights into their daily life.

For “prosumers,” individuals or entities that both consume and generate electricity, “energy data” includes the amount of energy fed back into the grid. This information can reveal the data subject’s available energy resources.

Classifying “energy data” as personal data aligns with the GDPR, which defines personal data to include information revealing an individual’s economic situation. This holds even more weight considering that the level of detail in energy data can be tailored to individual consumer needs, making it increasingly valuable. Not only can consumers use this information to adjust their energy use and reduce costs, but policymakers can leverage real-time feedback from consumers to design, monitor, and evaluate energy-related initiatives effectively.

However, data from smart meters can be used for purposes beyond these initial applications. By providing insights into customer segmentation, behavior, and the influence of pricing on energy use, this data can be utilized for profiling purposes. For example, detailed meter readings could be analyzed to glean sensitive information about an individual’s energy footprint and habits within their private residence. As smart meters provide accurate and reliable data flows, they are likely to impact the competitive landscape of energy supply markets by facilitating quicker and easier switching between providers. Access to data on energy preferences will become a significant advantage for energy companies, highlighting the need for robust protection during both data transmission and processing to prevent unauthorized consumer profiling based on detailed meter readings and other potential misuses.

Furthermore, the potential risks associated with collecting detailed consumption data are amplified within the “Internet of Things” paradigm. Energy data, when combined with other sources like geolocation data, internet tracking and profiling information, video surveillance footage, and radio frequency identification (RFID) data, raises significant privacy concerns. A key concern is that smart meters could become gateways to accessing sensitive data within households.

Data Management and Responsibility Allocation

As stated in Article 23 of the recast Electricity Directive, Member States bear the responsibility for addressing energy data handling during smart meter deployment. This means that Member States, or designated authorities, must “organize data management to ensure efficient data access and exchange.” This includes specifying eligible parties granted access to final customer data, contingent on obtaining explicit consent under GDPR guidelines. Eligible parties should minimally include customers, suppliers, Transmission System Operators (TSOs), Distribution System Operators (DSOs), aggregators, energy service providers, and other entities involved in providing energy or related services to consumers. Given the dynamic nature of the energy sector, this list should be considered indicative and non-exhaustive.

The GDPR outlines roles and responsibilities for data controllers, processors, and third parties authorized to collect and process personal data. Controllers determine the purposes and means of processing personal data, while processors act on behalf of controllers. Third parties process data under the direct authority of controllers or processors, only with explicit authorization. Lastly, recipients are parties, whether third parties or not, to whom data is disclosed.

Given the numerous actors involved in processing personal data during smart meter implementation, clearly defining roles and responsibilities as data controllers, processors, or authorized third parties is critical. This task can be challenging as the specific data management models and deployment arrangements for smart metering are determined at the Member State level, lacking clear guidance at the EU level. The number and complexity of relationships involved may further complicate the application of these definitions.

Despite these challenges, we can use the GDPR to outline a potential framework for roles and responsibilities. The “metered data responsible” entity, handling metered, contractual, and network data, could be considered the controller. Responsibilities would include collecting, validating, analyzing, and archiving historical data, ensuring customer access to consumption data, and granting access to metering data to registered supply undertakings with explicit consent and free of charge. The processor role could be assigned to the “metered data collector” or “metered data aggregator.” These entities are responsible for meter reading and reading quality control and for establishing and qualifying metered data received from the “metered data responsible” or controller.

The recast Electricity Directive proposes that national competent authorities authorize and certify parties involved in data management to ensure compliance with data protection requirements. This aligns with the GDPR, which encourages Member States to establish certification mechanisms and codes of conduct as a way for controllers and processors to demonstrate the implementation of adequate safeguards.

In many Member States, the DSO acts as the metering operator and therefore assumes the role of data controller in the initial phase of metering data processing. The DSO’s role concludes with generating a network usage bill. Subsequently, the metering data is transferred to the electricity supplier, who assumes the data controller role for billing and customer service purposes in the final processing stage. DSOs already handle personal data as they possess detailed information on the status of network components, connected generators, and energy flows within the network. In some cases, DSOs may outsource parts of their metering operations to a Metering Operator (MO), an entity specializing in the installation, maintenance, and operation of metering equipment. This MO role can be further divided, with one entity managing the meter and another handling the metering data. In this scenario, the MO acts as the processor based on a contractual agreement with the DSO. However, in most Member States, the metering sector is considered integral to the distribution business, with the DSO assuming ownership and responsibility for smart meter rollout and granting access to metering data.

Despite the prominent role of DSOs in smart meter data management, some Member States have opted for a separate entity, a central communication hub, to decouple data processing from the physical meter. This hub provides third parties with access to metering data. In such systems, consumer data is stored on the smart meter at the customer’s premises, and the central hub entity routes data without storing it, collecting it from the consumer’s equipment, and delivering it to energy suppliers, DSOs, and other authorized third parties. According to GDPR, this transmission requires explicit consent from the data subject.

A similar allocation of responsibilities could apply in Member States that have implemented a communication structure based on a middleware, often referred to as a “data concentrator” or “data aggregator.” Positioned at medium voltage/low voltage substations, these concentrators act as communication gateways between the data management system and the smart meters. They collect information from multiple meters within a specific geographical area before transmitting the aggregated data to a central database for billing, troubleshooting, and analysis. Concentrators are particularly prevalent in densely populated areas.

Rights of the Data Subject

The GDPR introduces a comprehensive set of rights for data subjects, some entirely new and others strengthening existing rights from the Data Protection Directive.

Key rights in the context of smart metering systems include the right to be informed about the collection and processing of personal data, the right of access, the right to object to specific processing activities (including profiling) and automated individual decision-making, and the newly introduced right to data portability.

Article 20 (1) f) of the recast Electricity Directive aligns with Article 14 of the GDPR, specifying the information that data controllers must provide when collecting personal data from individuals. This includes clear communication about energy consumption, data collection, and processing practices during smart meter installation. The provision explicitly defers to applicable Union data protection legislation for the minimum required details in the information notice.

Article 20 (1) e) of the Directive establishes the customer’s right to access their electricity input and off-take data, with Article 23 (4) further specifying that this access should be provided free of charge to final consumers. Article 20 outlines the minimum principles for designing and implementing smart metering systems. This emphasizes that data protection measures enabling access to information and metering data are fundamental functionalities that must be integrated into all smart metering systems, clearly referencing the “data protection by design” principle enshrined in the GDPR.

However, the right to access consumer data must also be extended to all eligible third parties as defined by the Directive, ensuring non-discriminatory and simultaneous access for the proper functioning of the system. Article 23 (2) provides the legal basis for eligible party access, stating that regardless of the data management model chosen by a Member State, the party or parties responsible for data management must grant access to final customer data to any eligible party, contingent on obtaining explicit consent from the data subject. Unlike access for final customers, access to consumer data by eligible parties may not be free of charge, as per paragraph 4. However, the Directive mandates that Member States set these access costs to prevent regulated entities providing data services from profiting from this activity.

Article 20 (1) of the GDPR introduces the right to data portability, defined as “the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.” In essence, this right empowers data subjects to receive a subset of their personal data processed by a data controller and to store or reuse that data for their own purposes. It also allows for the seamless transfer of personal data between data controllers. The exercise of this right hinges on two conditions: the data must pertain to the data subject and must have been “provided by” the data subject to the data controller.

The Article 29 Data Protection Working Party (WP29) has clarified in its Guidelines that data “provided by” the data subject encompasses not only data actively and knowingly provided but also personal data observed from user activities, such as the raw data processed by smart meters. In the context of smart meters, the data subject can exercise their right to data portability for usage data generated by the metering system and collected by the data controller, provided it hasn’t been further processed or manipulated. Data generated by the data controller using observed or provided data as input, such as a user profile created by analyzing raw smart metering data, does not fall under the definition of data “provided by” the data subject.

The GDPR mandates that data controllers adhere to specific format requirements for data transfers when data subjects exercise their right to portability. Personal data must be provided in a “structured, commonly used and machine-readable format.” These terms set minimum requirements to ensure the interoperability of the provided data. Recognizing the diverse nature of data processed across industries and sectors, the GDPR refrains from recommending specific data formats, encouraging each industry to develop common interoperable standards and patterns that meet the requirements of the right to data portability.

Echoing this industry-focused approach, the recast Electricity Directive outlines minimum features for the metering data transmission format. Article 20 (1) e) states that “metering data on electricity input and off-take shall be made available via a local standardised interface and/or remote access in an easily understandable format, allowing customers to compare deals on a like-for-like basis.” In this instance, facilitating service switching and fostering competition between providers through price comparability appear to be primary motivations behind data portability. This provision closely mirrors Article 24 of the Directive, which tasks Member States with developing a common data format and a transparent procedure for eligible parties to access consumer data. Again, competition serves as the driving force, aiming for a data format that guarantees simultaneous and non-discriminatory access to final customer data for all energy retailers. However, the Directive stops short of defining specific requirements for the data format used by eligible parties for access. This responsibility falls on Member States, with the European Commission ultimately tasked with establishing a common European data format to supersede national standards.

DPIA in Smart Meter Rollout

The Data Protection Impact Assessment (DPIA) is a process designed to analyze the data processing operations of an organization. By evaluating the nature, scope, context, and purposes of processing, DPIAs identify and assess potential risks to the rights and freedoms of data subjects. The assessment findings guide the development of appropriate risk mitigation measures and demonstrate compliance with data protection requirements.

In its first Recommendation on smart metering systems, issued in 2012, the Commission urged Member States to adopt and implement a DPIA template developed by the Commission and submitted to the WP29 for review. In response, the Commission presented the first iteration of a DPIA template to the WP29 in 2013. Developed by a dedicated expert group within the Smart Grid Task Force, the template was generally well-received by the WP29, but the WP29 also raised concerns regarding specific aspects and requested revisions. Subsequently, a revised version was submitted, incorporating the WP29’s feedback. The WP29’s final opinion, published in December 2013, acknowledged the improvements and recommended real-world test cases. After incorporating these final comments, the Commission issued a Recommendation to promote the adoption of the template.

Although these developments predate the formal adoption of the GDPR, both the Commission’s Recommendation and the WP29’s Opinion are consistent with its principles. However, neither instrument imposes a strict obligation on Member States to conduct DPIAs. This is because, under the Data Protection Directive, performing a DPIA for smart meters remained discretionary. In contrast, the GDPR mandates DPIAs under specific conditions and empowers competent supervisory authorities to impose fines for non-compliance. According to the GDPR, a DPIA is only required when processing is “likely to result in a high risk to the rights and freedoms of natural persons.” To ensure consistent interpretation of these circumstances, the WP29 Guidelines, adopted in April 2017 and revised in October 2017, clarify this concept and provide criteria for developing a common EU list of processing activities necessitating a DPIA.

The likelihood of high risk to data subjects, and therefore the need for a DPIA, increases with the number of criteria met. Of the nine criteria outlined in the 2017 Guidelines, at least three appear applicable to smart meter operations. The evaluation or scoring criterion, which includes profiling and predicting, is particularly relevant as metering data can be used by utility companies to create behavioral or marketing profiles based on energy consumption patterns. The large-scale processing of data criterion is also pertinent to smart meters. Smart meters record consumption data at frequent intervals and transmit this data to data controllers or concentrators, who aggregate vast amounts of data from users in a specific geographical area for efficient grid maintenance and to inform energy production adjustments. Finally, the use of innovative technological or organizational solutions is undoubtedly relevant in the context of smart metering systems. New forms of data collection and usage, depending on the data management model adopted nationally, can significantly impact individuals’ daily lives in ways that are not yet fully understood.

Focusing on the new technology product criterion, another privacy concern that might necessitate a DPIA arises when a hardware or software product is likely to be used by multiple data controllers for various processing operations. While each data controller remains obligated to conduct its own DPIA for the specific implementation of the product, a DPIA prepared by the product provider can inform this process. In the context of smart meters, this applies to the relationship between smart meter manufacturers and DSOs or utility companies. Product providers or processors should share relevant information without compromising trade secrets or jeopardizing security by disclosing vulnerabilities.

Once the criteria assessment is complete and the obligation to conduct a DPIA has been established, the assessment process can begin, potentially following the procedure outlined in the DPIA template developed by the Smart Grid Task Force. This iterative process involves several steps: identifying necessary resources, forming the DPIA team, describing the smart grid/metering systems, identifying and assessing relevant and residual risks, drafting the DPIA report, and developing review and maintenance measures.

Conclusions

Smart metering systems are emerging as essential tools for driving participatory processes and decentralization, both central to the ongoing energy transition and the development of innovative energy services. The Third Energy Package’s mandate for rollout, contingent on positive economic assessment, and the Winter Package’s emphasis on smart meters as instruments for consumer empowerment are expected to lead to widespread adoption in the near future. However, addressing the potential privacy risks associated with their implementation is paramount. It is crucial that consumers have access to trustworthy mechanisms for managing their energy data and unlocking its value while maintaining control over their privacy and personal habits.

For many years, no specific legislation addressed data protection in smart metering systems. Instead, a patchwork of soft-law instruments attempted to balance energy policy objectives with data protection considerations. In recent years, the EU has begun prioritizing personal data protection in smart meter deployment, leading to advancements such as the development of the DPIA template.

Establishing robust standards and safeguards for data protection and security in smart meter deployment is now a major objective in the EU. Building upon the foundation of the GDPR, the proposed recast Electricity Directive aims to create a specific data protection and security framework for smart meters. The goal is to integrate relevant GDPR provisions and tailor them to the unique requirements of smart meter implementation and operation. This signifies the development of a new, comprehensive legal framework for ensuring high levels of personal data protection in smart metering systems. This framework is expected to foster greater trust and confidence among energy consumers, encouraging their active participation in the ongoing decentralization of the energy sector.

Photo credit: Utility Week

Licensed under CC BY-NC-SA 4.0