As the roll-out of smart metering programmes gathers pace, grid operators should consider the data protection implications arising from this new technology. In particular, the benefits associated with carrying out a privacy impact assessment to avoid potential data protection and privacy pitfalls should not be overlooked.
What is smart metering?
Smart meters are the next generation of energy meter, which will replace traditional electricity and gas meters and work by communicating meter readings and other information such as consumption habits to energy providers. This data will in turn be provided to consumers through digital in-home displays, mobile apps and online portals enabling consumers to better manage their energy use and costs.
What is the data protection concern?
While information collected will benefit consumers and energy providers alike, it also poses potential risks as much of the information collected will constitute personal data under data protection legislation. The Article 29 Working Party (Europe’s watchdog on data protection matters) has issued an opinion on smart metering highlighting risks such as identity theft, fraud and price discrimination.
What should energy companies do?
In light of this, energy providers should consider carrying out a privacy impact assessment before any roll-out of smart metering technology to ensure all risks are identified and addressed through the implementation of appropriate measures.
In carrying out this assessment energy providers should look beyond the requirements of the current EU data protection regime but also consider the proposed impact of the EU Data Protection Regulation as this will have a significant impact in this area once fully implemented.
Smart meters have the potential to revolutionise the energy market – both for consumers and energy providers. Like all smart technology however, it will need to be implemented and adopted in a manner consistent with the data protection regime and this is especially relevant given the dramatic recent increase in civil actions taken against organisations for a failure to protect the data protection rights of individuals.