The European Union’s (“EU”) independent advisory body on data protection, the Article 29 Working Party (“AWP”), recently issued Opinion 04/2013 (the “Opinion”) commenting on the Data Protection Impact Assessment Template (“Template”) prepared by the European Commission to assist data controllers that process personal data in connection with smart grid and smart metering systems to comply with their data protection obligations.
Smart energy and data protection
Smart energy systems that actively monitor electricity and gas usage are being rolled out across the EU energy market. However, the use of these devices presents data protection concerns, as smart metering systems involve the frequent communication of personal data which is processed by multiple parties. Smart energy monitoring, ostensibly aimed at enabling “intelligent and rationalised production, distribution and use of energy”, also generates unprecedented levels of data on personal energy usage.
A smart system has the ability to track energy usage and, based on inferences from usage statistics, build detailed profiles of energy users based on their domestic activities (e.g. regarding users’ use of specific goods or devices, daily routines, living arrangements, activities, lifestyles and behaviour). Smart energy is also one of the first examples of the emerging ‘internet of things’, whereby everyday objects and devices, from kettles to cars, become ‘smart’ and in the process generate vast amounts of data on the individuals who use them.
AWP analysis of the Template
In publishing its original Recommendation, the Commission aimed to encourage data controllers to carry out a Data Protection Impact Assessment to assess the data protection risks of smart energy monitoring and demonstrate how compliance has been achieved, and it published the Template to assist controllers with this task.
The AWP’s analysis of the Commission’s recommended Template, which was submitted to the AWP for comment on 8 January 2013, is however largely critical in nature. The Opinion states that the Template lacks clarity and, although the Template is designed to evaluate the impact of specific risks to the rights/freedoms of data subjects, it fails to meet its objectives.
Whilst the AWP supports the Template’s purpose, in its view the Template fails to directly address the impact of risks created by smart metering (such as price discrimination, inaccurate billing or criminal enterprises making use of unauthorised profiling), and because of this lack of clarity the Template does not provide adequate assistance to data controllers in identifying the necessary controls and safeguards required of them.
In a similar manner, the Template only contains generic risks and controls, and lacks industry sector-specific content. In the AWP’s view, such specific guidance would be of particular assistance to data controllers without expertise in, or experience of, data protection issues (such as SMEs).
The Opinion specifically identifies methodological flaws in the Template, in particular:
- the Template confuses data protection risks and threats (the latter being operationally defined as the ability to exploit vulnerabilities in protected assets);
- the risks which must be mitigated do not correspond with the examples of possible controls;
- there is insufficient detail and guidance on the concept of ‘vulnerability’, or on how to calculate and prioritise risks;
- references to external documents undermine the Template as a stand-alone document; and
- the Template does not provide enough advice on how to determine the roles and responsibilities of the different industry stakeholders.
The Opinion concludes that the Template represents progress from earlier versions but remains “not sufficiently mature and well-developed”. The AWP recommends that the Template should be amended to include more specific and practical guidance for data controllers, and that the use of impact assessment should move from being a recommended step to a mandatory obligation.
The Opinion can be found on the Europa website.