The Article 29 Working Party (WP 29) recently published an opinion on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (DPIA Template). The DPIA Template was produced by Expert Group 2 (EG2) of the Commission’s Smart Grid Task Force (SGTF). It was developed following the European Commission’s Recommendation of 9 March 2012 on the preparation for the rollout of smart metering systems (the Commission Recommendation).
The opinion contains the WP 29’s assessment of the proposed DPIA Template and sets forth detailed comments and suggestions to it.
- Importance of data protection in smart grid and smart metering
Smart grids and smart metering systems can read and record energy consumption very frequently, and these systems can enable recorded data to be communicated or transmitted regularly to energy suppliers, network operators, and other third parties.
The use of smart grid and smart metering systems would allow for a more intelligent and rationalised production, distribution, and use of energy. However, these systems would result in the massive collection and processing of personal data from individuals, and thus entail new risks on the privacy and data protection of individuals.
- . Objectives of the DPIA Template
The Commission Recommendation aims to provide guidance to the Member States for the rollout of smart metering systems in the electricity and gas markets. It states that Member States should adopt and apply a Template for a Data Protection Impact Assessment which has been developed by the Commission and submitted to the WP29 for its opinion.
According to the Commission Recommendation, the DPIA Template should describe the envisaged processing operations, an assessment of the risks to the rights and freedoms of the data subjects, and the measures envisaged to address those risks.
- WP29 analysis of the Proposed DPIA Template
The Proposed DPIA Template first explains the objective, scope, benefits, and stakeholders of the process. Then it develops an 8-step approach to conduct a DPIA, and finally it gives step-by-step guidance to the data controller on how to carry out the DPIA by itself.
The WP29 also identifies several critical concerns about the methodology and the content of the Proposed DPIA Template.
3.1 Lack of clarity on the nature and objectives of the DPIA
The WP29 is disappointed with the proposed DPIA Template’s failure to address directly the actual impacts of the risks on the data subjects. These risks are, for example, financial loss resulting from inaccurate billing, price discrimination, or criminal acts facilitated by unauthorised profiling.
3.2 Methodological flaws in the Proposed DPIA Template
The WP29 criticises that the DPIA Template confuses risks with threats, and that it fails to match the risks to be mitigated with the examples of possible controls. The WP29 also points out that the Template does not contain sufficient detail and guidance on the concept of vulnerability, on how to calculate and prioritise risks, and on choosing the appropriate controls. In addition, it finds that the DPIA Template does not provide sufficient advice on how to determine data protection roles and responsibilities of the different stakeholders.
3.3 Lack of sector-specific content
Finally, the WP29 recommends that the Template should include an analysis of industry-specific risks and relevant controls in addressing those risks.
Given the identified shortcomings of the DPIA Template, the WP29 concludes that the Template in its current form is not sufficiently mature and well-developed and does not provide sufficiently specific, useful, and clear, practical guidance to data controllers.
Therefore, the WP29 recommends that work on the DPIA Template be continued and that the final deliverable be submitted to the WP29 once again afterwards for its opinion.
The opinion can be found on http://ec.europa.eu/justice/ data-protection/article-29/