In its 2010 report on data access and privacy issues, the Department of Energy identified the issue of third party access to consumer-specific energy-usage data (CEUD) as “perhaps the most critical question in the context of Smart Grid technologies.”1 This White Paper briefly summarizes the DOE Privacy Report’s conclusions regarding third party access and reviews efforts by state commissions to address this question. It is intended to provide a background and a departure point for discussion of this critical topic by key stakeholders.

I. The DOE’s Conclusions Regarding Third Party Access

The DOE’s Privacy Report assessed numerous comments from parties interested in the development of innovative Smart Grid technologies based on the availability of highly granular energy consumption data. Although the parties represented different viewpoints, they reached broad consensus on a number of general privacy and access questions while remaining divided on important specific implementation measures. At the most fundamental level, the DOE concluded that “consumers should have rights to protect the privacy of their own CEUD and control access to it.”2 The DOE reported substantial consensus on the following data access issues:

  • Consumers should decide whether and for what purposes any third-party should be authorized to access or receive CEUD, and that empowering consumers in this way will promote innovation.
  • If a utility is to disclose CEUD to third parties, it must obtain affirmative, informed, opt-in consent from the consumer through a process that reflects and records such consent.
  • Informed consent should entail a valid, recorded authorization that identifies the CEUD to be disclosed and for what purpose.
  • Third parties authorized to obtain CEUD should be required to protect the privacy and security of the information and use it only for the purposes authorized.
  • States should enact laws or rules that define the circumstances, conditions, and data that utilities should disclose to third parties. According to the DOE, both third parties and utilities expressed concerns about the implications of systems where utilities decide whether and when third parties that could be potential competitors should be granted access to CEUD.

Beyond these general areas of “substantial consensus,” the DOE identified a number of questions that should be addressed but noted divergent views on the best answers.3 As to these questions, the DOE assessed the varying approaches described in the record and looked for evidence of trends or “potentially superior solutions.”4 Certain of these questions involved specific details such as how the authorization to disclose CEUD should be obtained, e.g., by a written Letter of Authorization or by some form of online authorization, or how best to educate consumers about complaint processes.

This paper will, however, focus on a more fundamental set of potentially contentious third-party access issues identified in the DOE report. Most fundamentally, if utilities are required to release CEUD to third parties upon authorization, what types of data should be made available, and should utilities be allowed to recover any costs they may incur in collecting and processing data for third parties beyond what they require for their own operations? The DOE noted disagreement, for example, regarding the extent to which utilities should have to collect and provide granular information, particularly real-time or near-real-time data, or to provide historical data (apart from that already provided for billing purposes) to consumers or third parties. Utilities “strongly objected” to having to disclose to third parties any CEUD other than that used for their own billing and operational purposes.5

A central issue is whether utilities could charge for collecting and processing data. The DOE noted that requiring utilities to enhance data for third parties, without charging for such access, could “distort the cost of electric power vis a vis that of third party services.”6 On the other hand, the DOE recognized that allowing utilities to charge excessive fees could undermine competition and innovation in the market for electricity management services.7 Nevertheless, the DOE encouraged states to adopt or require standardized, machine-readable formats for sending CEUD to third parties.8

Another fundamental problem involves concerns that third parties adequately protect the privacy and security of the information. One manifestation of this larger concern is whether states or local governments should limit the potential liability of utilities once they have released authorized data to the third party. The DOE suggested that third-party service providers should assume legal liability for protecting the information that they receive. Another related question is whether third party service providers should be required to obtain further informed consent from the consumer before they disclose CEUD to other parties, especially for marketing purposes.

Finally, and perhaps most importantly, there is the issue of how consumers will be assured that third party service providers will protect the security and privacy of the information, use it only for authorized purposes, and be held accountable for misuse. In this regard, the DOE asked whether states or localities should impose some sort of certification requirement on third party service providers, such as licensing, bonding, registration or approval by one or more independent third-party certifying bodies. Utilities and third party service providers differed sharply on this question as well. Utilities generally favored such requirements to help ensure the security of CEUD, while third party providers were concerned that such requirements could become a barrier to entry. The DOE recognized that third party providers could face serious entry barriers if states and localities raised a “maze of certification requirements” that varied widely and perhaps needlessly.9 The DOE identified this area as one that would benefit greatly from proactive coordination and the development of standard or “relatively consistent” criteria.10

Resolution of these fundamental issues will be of great importance to the development and efficacy of Smart Grid initiatives. They reflect the deep concerns of utilities, often charged by their state regulators with protecting consumer information, about releasing information to “unregulated” third parties. Third parties, on the other hand, worry that overly prescriptive and potentially widely varying rules will stymie innovation. The DOE, in the first instance, assumes that states and localities will bear the lion’s share of the regulatory work in this area, given their historical role in regulating electric utilities. At the same time, it recognizes that a patchwork of rules outside of a common framework may in fact reduce innovation and undermine the efficacy of Smart Grid efforts. The remainder of this white paper assesses the different approaches that the states are beginning to take with respect to these difficult issues and looks at the potential for a national framework based on a set of uniform principles.

II. State Actions

A number of states have implemented, or are moving to implement, Smart Grid privacy and data access policies.

California

On July 29, 2011, the California Public Utilities Commission (CPUC) adopted rules to protect the security and privacy of data generated by smart meters being deployed by several California investor-owned electric utilities.11 The order includes policies to govern access to customer usage data by consumers and authorized third parties. The order identifies the type of data that must be made available and calls on the utilities to adopt a common data format. The utilities must file tariff revisions that will provide customer-authorized third parties access to usage data via the utilities’ backhaul, and the utilities should propose a process, such as registration, by which the CPUC can exercise oversight of third parties that receive such information. The order implements a recently adopted California statute designed to protect consumer energy data12 and operationalizes the Fair Information Practice (FIP) Principles utilized by the U.S. Department of Homeland Security, which are adopted as California policy.13 The specific methods by which the CPUC addressed the key questions identified in the DOE Privacy Report are described below.

The California rules apply to three major electric utilities,14 third parties under direct contract with the utility to conduct a primary purpose (defined below), third parties that the CPUC authorizes or funds to perform a primary purpose, and customer-authorized third parties who acquire data directly from the utility via an internet connection (over the backhaul) pursuant to tariff. The CPUC does not regulate, nor take a position regarding its jurisdiction to regulate, third parties that receive data directly from the consumer.

The CPUC defined the data to be covered as “any usage information obtained through the use of the capabilities of Advanced Metering Infrastructure” when associated with information that can reasonably be used to identify individual customers or households.15 Primary purposes include the collection of information for billing; system, grid or operational needs; or demand response, energy management, or energy efficiency programs. A secondary purpose is anything that is not a primary purpose. The rules also provide consumers with rights to access and control the information being collected.

With respect to the key issue of disclosure and access by third parties, the CPUC adopted a “chain of responsibility” approach by which the electric utilities must include in their contracts with third parties that receive covered energy data a requirement that the third party comply with the same privacy and security rules applicable to the utility. Specifically, an electric utility may disclose covered information to a third party without customer consent “for a primary purpose being carried out under contract with and on behalf of the electric corporation disclosing the data” provided that the contract requires the third party to operate under the same privacy rules that the electric utility operates under.16 A third party receiving such information may disclose it to another entity for a primary purpose without consent as long as the contract between them requires the receiving party to abide by the same privacy rules. The contract must further provide that failure to comply with the privacy rules is a material breach. The rules excuse the electric utility from liability once the data has been securely transferred to an authorized third party. No utility or third party can disclose information for a secondary purpose without first obtaining the customer’s express written authorization (which may be given online) for each purpose for which the information will be used. Customers have the right to revoke authorization at any time.

The order requires the utilities to submit an application with corresponding tariffs to provide data to third parties that are authorized by consumers and agree to follow privacy protections. The CPUC also ordered the utilities to file, within 6 months, tariff revisions making price, usage and cost information available to consumers online. The order does not direct real-time access. Instead, the information must be updated daily, with each day’s usage data, along with applicable price and cost details at hourly or 15-minute granularity, available by the next day.

Texas

Texas is another state with an ambitious advanced metering program. It has adopted a set of customer protection rules that, among other matters, prohibit retail electric providers (REPs) from releasing proprietary customer information without first obtaining the customer’s verifiable authorization. The ban, however, does not apply to the release of information to agents, vendors, partners or affiliates engaged to perform services on behalf of the REP, including marketing the REP’s services, as long as the recipient agrees to be held to the same confidentiality standards as the REP. Before sharing such customer proprietary information with a third party, the REP must provide the customer a chance to opt out.

The Texas PUC is currently reviewing a host of questions regarding third party access to CEUD, including identifying appropriate third parties, assessing the level of data accessibility, and overseeing the disclosure process.

Colorado

On October 26, 2011, the Public Utilities Commission of the State of Colorado (Commission) released rules on privacy and disclosure of Smart Meter data.17 The rules establish a process by which consumers can authorize third parties to obtain energy consumption data generated by smart meters directly from the utility. The rules do not regulate the provision of data directly from the consumer to a third party. The Commission generally defines the class of covered data as that which is collected and actively maintained by the utility in the normal course of business, not necessarily whatever a Smart Meter might be capable of generating. The rules require utilities to submit tariffs that more specifically define covered data. Utilities that disclose data in conformity with the rules will be protected from liability.

The rules adopt a standardized form for obtaining customer consent that some technology companies worried is overly burdensome. The form would be completed by both the third party seeking the information and the consumer. The third party may not seek to induce a customer to provide information as part of the consent process. The form requires the third party to provide various information to the utility. Corporations would have to identify their registered agent, list directors and officers, and provide a certificate of good standing issued within the previous six months. Partnerships would have to provide the names and addresses of general and limited partners and a copy of the partnership agreement with all subsequent amendments. The form must then be signed by the customer of record, although this can be done electronically. The customer may contact the utility at any time to terminate consent. Customer consent is not required for disclosure by the utility to “contracted agents,” entities that contract with the utility to provide regulated utility service and agree to protect the data at least to the same extent as the utility.

III. NAESB Recommendation

Various federal agencies and standard-setting bodies have also been reviewing this important question. On August 8, 2011, the North American Energy Standards Board (NAESB) issued voluntary Model Business Practices for Third Party access to Smart Meter-based information. The model contemplates that such information would be made available to authorized third parties in a timely manner and that they would be responsible for protecting the consumer’s privacy. The rules are intended to apply to utility disclosures to third parties, the use and retention of such information by the third party, and any disclosure from the third party to another. The NAESB also encourages third parties that receive CEUD directly from the customer to adopt these “best practices.” These voluntary standards are intended to be applied with some flexibility and to be subject to directives of appropriate regulatory authorities.

The 17-page document is too detailed for comprehensive summary here, but the guidance generally adopts Fair Information Practice principles requiring informed consent, transparency and accountability. Among the most salient recommendations are the following:

  • The method of authorization should minimize time and effort.
  • Once information is released by the utility or the third party in compliance with these Model practices, the disclosing party is relieved of liability for subsequent misuse by the recipient.
  • Both utilities and third parties should have internal policies and practices, regular training and designated responsible personnel, and should maintain records of disclosures.
  • There should be no disclosure without verifiable consent obtained in compliance with the requirements of regulatory authorities and governing documents, and a reasonable method to withdraw consent should be adopted.
  • Third parties should not use the information in a materially different manner than described in the authorization.
  • The collection of information should be limited to only that necessary to fulfill the purpose set forth in the authorization.
  • Utilities and third parties should establish a process for consumers to access the information and to correct errors, and should establish procedures to address disputes.
  • Utilities and third parties should conduct and document initial and periodic risk assessments of their disclosure practices, including developing and reviewing a reasonably comprehensive set of Privacy Use Cases to track information flows.
  • Third parties that receive information directly from the Smart Meter, or before the utility has had an opportunity to validate it, should recognize the inherent limitations regarding the accuracy of such information.

These Model Best Practices still leave substantial room and flexibility for state or local regulators to adopt specific practices in the implementation process. Thus one question is whether this “best practice” guide is sufficiently detailed to avoid multiple, and potentially conflicting, local rules. Another issue is whether, despite their generality, some form of independently certified compliance with these “best practices” would be deemed sufficient by utilities, regulators, or consumers to warrant release of information.

Conclusion

Substantial progress has been made in developing rules governing third party access since the DOE Report last October. Thus far, states have avoided regulating third parties except to the extent that they receive data directly from the utility, in which case utilities, by contract or tariff, may to some extent control the type of data being provided and the processes and procedures for its protection. Whether continued state adoption of third party access rules remains the best approach to addressing privacy issues is an important question. The emergence of national best practices Model Rules may help bring some conformity to these rules, but they defer ultimately to state regulation and leave significant room for states to adopt specific procedures as they “operationalize” these general standards.

The debate regarding third party access is still in its initial stages and much work and refinement of processes and procedures lies ahead.