The rollout of smart metering in Ireland for the consumption of electricity, gas and water over the next few years is on the cards and may begin as soon as early 2012. It is expected to deliver energy efficiencies and environmental benefits, but it will also create serious risks and challenges for energy suppliers and related businesses. Smart metering is a potentially significant intrusion into the private lives of consumers: the consumption data from the meters could reveal far more about customers than was ever intended, and that information is protected by data protection legislation. Those operating in the energy sector need to audit their contracts, policies and practices to ensure that this information is protected and secure, and that its use and storage comply with the law. Failure to comply with the obligations of data protection legislation can result in a wide range of practical and legal difficulties, both criminal and civil in nature.
BACKGROUND: SMART METERING IN IRELAND
There have been a number of significant developments in the area of smart metering in Ireland in recent months. The Commission for Energy Regulation (CER) published its report on the impact of a national rollout of electricity smart metering identifying greater energy efficiency and reduction in carbon emissions as the key benefits. The report also states the CER is hoping to publish a Decision Paper on a national smart metering rollout for Ireland (both electricity and gas) by October 2011, which it is hoped will lead to a national rollout of electricity and gas metering in the coming years. The Minister for the Environment has committed to water meters being installed in homes by early 2012 as part of a three year project to implement water metering throughout the country by 2015.
The implementation of smart metering will transform the way in which energy is provided and consumed in Ireland and will fundamentally change the role and responsibilities of organisations in the energy market. We can also expect to see greater fragmentation in the market with the emergence of many new players, such as network operators and technology providers, that up to now have been absent from this sector. Organisations hoping to thrive in this sector will need to be able to adapt and respond to the inevitable challenges and issues that will arise, not least the challenges posed by data protection and privacy laws.
WHAT IS SMART METERING?
An intelligent metering system or ‘smart meter’ is an electronic device that measures the consumption of energy, recording more information than a conventional meter, and can transmit that data using a form of electronic communication. Smart meters allow network operators (also known as Distribution System Operators or DSOs), energy suppliers and other organisations to compile vast amounts of information relating to consumers’ energy consumption with relative ease. Smart meters will allow consumers to better manage their consumption and will allow energy suppliers to reduce operational costs and offer innovative and personalised tariffs to customers. However, smart metering also represents a potentially significant intrusion into the private lives of consumers, with up-to-date consumption information providing an insight into their daily routines and habits. It has been suggested that with the requisite expertise it would be possible to determine when a person wakes up in the morning and when they go to bed simply by analysing their consumption data. The finer the reading interval, the more precise that inference becomes.
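To make the point concrete, the following short Python script is an added illustration and is not part of the original article or any supplier's or regulator's method. It runs a plain threshold heuristic over one constructed day of half-hourly kWh readings (assumed values, not real meter data) and recovers the occupants' wake and bed times; it then re-runs the same heuristic over the same day summed into four-hour and daily totals, showing how coarser intervals blur the inference. The function names, threshold (twice the standby load) and sample values are all assumptions for the demonstration.

```python
"""Infer a household's daily routine from interval meter readings.

Added illustration, not from the article: the readings are constructed
(not real meter data) and the detector is a plain threshold heuristic,
not any supplier's or regulator's method.
"""
from statistics import median

SLOT_MINUTES = 30                        # half-hourly interval data
SLOTS_PER_DAY = 24 * 60 // SLOT_MINUTES  # 48 readings per day


def slot_to_hhmm(slot, slot_minutes=SLOT_MINUTES):
    """Start time of reading `slot` as HH:MM (slot 48 at 30 min is 24:00)."""
    minutes = slot * slot_minutes
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def constructed_day():
    """One constructed day of kWh per half-hour (assumed values, not measured).

    Standby load of 0.08 kWh (fridge, router) all day; occupants active from
    06:30 (slot 13) to 22:30 (slot 45) at 0.45 kWh, with a kettle/shower peak
    at 06:30-07:30 and a cooking peak at 18:00-20:00.
    """
    readings = [0.08] * SLOTS_PER_DAY
    for slot in range(13, 45):
        readings[slot] = 0.45
    for slot in (13, 14):
        readings[slot] = 1.2
    for slot in range(36, 40):
        readings[slot] = 0.9
    return readings


def aggregate(readings, factor):
    """Sum consecutive groups of `factor` readings (coarser interval data)."""
    return [sum(readings[i:i + factor]) for i in range(0, len(readings), factor)]


def infer_routine(readings, slot_minutes=SLOT_MINUTES, min_active_slots=2):
    """Return (wake, bed) as HH:MM strings, or None if no active period is found.

    Baseline = median of the lowest quarter of readings (the standby load).
    A slot is 'active' when it draws more than twice the baseline; wake is the
    start of the first run of `min_active_slots` active slots, bed the end of
    the last such run.
    """
    quiet = sorted(readings)[: max(1, len(readings) // 4)]
    threshold = 2 * median(quiet)
    active = [r > threshold for r in readings]

    def first_run(flags):
        run = 0
        for i, flag in enumerate(flags):
            run = run + 1 if flag else 0
            if run == min_active_slots:
                return i - min_active_slots + 1
        return None

    start = first_run(active)
    if start is None:
        return None
    last = len(active) - 1 - first_run(active[::-1])  # index of last active slot
    return slot_to_hhmm(start, slot_minutes), slot_to_hhmm(last + 1, slot_minutes)


if __name__ == "__main__":
    day = constructed_day()
    print("half-hourly data :", infer_routine(day))                      # ('06:30', '22:30')
    print("4-hour totals    :", infer_routine(aggregate(day, 8), 240))   # ('04:00', '24:00')
    print("daily total only :", infer_routine(aggregate(day, 48), 1440))  # None
```

The half-hourly series gives the routine to within one reading interval; summing the same day into four-hour blocks only places waking somewhere after 04:00 and bed somewhere before midnight, and a single daily total (all a conventional meter reading supports) reveals nothing. This is the reason interval granularity and retention period matter as much as the raw fact of collection when assessing the privacy impact of a metering scheme.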
WHY IS DATA PROTECTION RELEVANT?
The Data Protection Acts 1988 and 2003 (the DPA) set out the obligations of data controllers and data processors when they process personal data.
Personal data is defined in the DPA as information relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. The majority of the information collected by smart meters will be personal data and any person or organisation that will use, store or collect this data will be subject to data protection legislation.
In the context of smart metering, this may be consumers’ consumption data, unique identifiers associated with the smart meter, account numbers assigned to consumers by DSOs or energy suppliers, or messages or readouts transmitted by smart meters. Essentially, any data created, stored or transmitted by a smart meter which relates to an individual is personal data. Anyone using any of this information for any purpose needs to be aware of their obligations under the DPA.
A data controller means a person who, either alone or with others, controls the contents and use of personal data. In this context this will mean energy suppliers, DSOs, energy regulators and energy service companies. Data controllers are subject to a range of obligations under the DPA, and failure to comply with those obligations can lead to complaints by data subjects, investigation and possibly an audit by the Data Protection Commissioner (the Commissioner) and his staff, criminal sanctions for directors, managers, secretaries or other officers of the body corporate, and serious damage to goodwill.
A data processor means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment. In terms of smart metering, this may relate to technology providers or other service providers, who process the data for specific purposes, without actually controlling it. While data processors are not subject to the same obligations as data controllers, data controllers are obliged to put in place stringent contracts before engaging a data processor to act on their behalf. Data processors need to ensure they comply with the provisions of these contracts, particularly in relation to security of the data.
Organisations that will be dealing with consumer data collected by smart meters, whether as a data controller or a data processor, need to be aware of and comply with the obligations imposed on them by the DPA and the data controller/data processor contracts which they have entered into.
ARTICLE 29 OPINION ON SMART METERING
In light of the significant data protection implications of the implementation of smart metering, the Article 29 Working Party (the Working Party) adopted Opinion 12/2011 (the Opinion) on 4 April 2011 which seeks to clarify the legal framework applicable to the operation of smart metering technology within the energy sector.
The Working Party is an independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC.
The Opinion acknowledges the potential benefits to customers in terms of energy savings, but warns of the potential privacy risks to the private lives of citizens and the need for those involved in the market to ensure they are complying with the relevant law. The Opinion identifies the main obligations for data controllers and the key areas of concern as: ensuring the processing of data is fair and lawful; ensuring data is not retained for any longer than is necessary; and ensuring the security of data is appropriate, in terms of both technical security measures and contractual safeguards.
FAIR AND LAWFUL PROCESSING
The Working Party notes that in order to process data fairly, data controllers need to ensure that one of the following applies:
- they have obtained the fully-informed consent of the individuals concerned;
- the processing is necessary to complete a contract with the individual; or
- the processing is in the legitimate interests of the data controller.
There are difficulties with relying on each of these approaches. In terms of relying on consent, data controllers need to be able to demonstrate that customers have been made aware of what data will be collected, how it will be used, and how long it will be held in order for any consent to be considered fully-informed. For example, the Working Party has proposed that control panels of household smart meters should include a consent button, which could be activated or deactivated. While this may not be necessary in every case, data controllers need to ensure they have the necessary procedures in place to be able to demonstrate that the consent they are relying on is fully-informed and fairly obtained.
In relying on the necessity basis, data controllers need to be aware that the notion of necessity is one which the Commissioner interprets strictly. While it is clear that being able to provide an accurate bill to a customer is a necessity of supplying them with energy, the data controller would not then be able to use this basis for other purposes. For example, it would be difficult to argue that the building of customer profiles in order to market different services or new packages and tariffs to customers is a necessity.
In order to rely on their own legitimate interests, data controllers will need to be able to demonstrate that due weight and consideration has been given to the rights and interests of the customers. The Working Party has pointed out that while the reduction of energy consumption is no doubt a sensible public policy objective, it would be difficult to argue that this would outweigh the rights of consumers in every case. Data controllers would also need to be able to show that practical measures have been offered to customers to reduce the intrusion into their private lives whether through technological measures or internal privacy policies and procedures.
Data controllers need to ensure that whatever practices and procedures they have for legitimising the processing of their customers’ data, whether relying on consent, on necessity or on their legitimate interests, are in line with the DPA and will stand up to the scrutiny of the Commissioner and, if necessary, the courts.
RETENTION OF DATA
Smart metering means that greater amounts of customers’ personal data will be processed and stored than ever before, and data controllers need to ensure they are complying with the retention provisions of the DPA. The DPA provide that data should be kept for no longer than is necessary. It will therefore be up to data controllers to demonstrate compliance by having a clear purpose for retaining all the data they hold. Retention policies and practices need to be revised and implemented to take account of the increased amount of data that will be available to data controllers.
SECURITY
Security breaches are occurring more frequently. The Commissioner reported a 350 per cent increase in 2010 from the figure in 2009. Large-scale cyber attacks have also increased, as the recent attacks on Sony's PlayStation Network customer database show. Given the unprecedented levels of customer and financial data that will be held by those in the energy market, data controllers will be under added scrutiny. Data controllers need to be vigilant and ensure the necessary security measures, in terms of both technological measures and staff protocols, are in place to safeguard customer privacy. Data controllers also need to know what actions should be taken to address security breaches if and when they happen, to mitigate any loss both to customers and to their own goodwill and reputation.
Data controllers also need to review all contracts they put in place with data processors to ensure that the data processor provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing, and take reasonable steps to ensure compliance with those measures.
CONSEQUENCES OF FAILING TO COMPLY
Failure to comply with the obligations of the DPA can result in a wide range of practical and legal difficulties for data controllers, both criminal and civil in nature.
Data controllers that fail to comply with their data protection obligations may suffer serious erosion of goodwill and of their customer base where their failures come to light or are highlighted in the press or by the Commissioner. Even a perceived risk to personal data can drive customers away even where no breach of the law has taken place.
WHAT SHOULD ENERGY PROVIDERS AND RELATED COMPANIES DO TODAY?
The implementation of smart metering will begin in earnest in 2012, and now is the time for organisations to take steps to ensure that they are both aware of and in compliance with their ongoing data protection obligations, particularly when gearing up to service the emerging smart metering sector. These steps include making available to customers up-to-date and comprehensive privacy policies and terms and conditions. Organisations will also need to anticipate data protection in the agreements they reach with other participants in the energy industry, whether service provider agreements, outsourcing agreements or joint venture agreements.
Data controllers need to ensure appropriate practices and procedures are in place so that personal data is processed fairly and lawfully, whether on a consent, necessity or legitimate interest basis. Retention policies need to be kept up to date and, where necessary, amended to take account of the vast amount of easily stored data that will become available. Appropriate security measures need to be put in place to reflect the greater level of exposure that comes with storing large amounts of personal and financial data. Most importantly, organisations need to be aware of and ready to respond to the inevitable and emerging data protection and privacy issues that will arise out of smart metering.