With the recent opinion issued on latest developments on the Internet of Things, the Article 29 Working Party (WP29) outlined how home automation may raise specific data protection and privacy challenges, since an analysis of usage patterns, in such a context, it is likely to reveal the inhabitants’ lifestyle details, habits or choices or simply their presence at home. Such concerns might apply also to smart metering systems.
With specific regard to the latters, the EU has now provided the industry players with an helpful working tool. In deed, on October 10th the EU Commission issued a Recommendation (No.724-2014) aimed at encouraging Member States to adopt a Data Protection Impact Assessment (DPIA) framework for Smart Grid and Metering Systems, taking into account the advice of the WP29 and, in particular, its recent Opinion No.07/2013.
According to the DPIA template, privacy by design and privacy by default are among the privacy targets that shall have to be met. The anxiously awaited EU Data Protection Regulation has not been issued yet, but the EU institutions are already pushing for the adoption of key elements of the future data protection legal framework.
For a number of organizations such principles will soon become very familiar: in Italy, for example, the Authority for Energy and Gas, by means of a decision issued in 2013 (No.631/2013/R/gas), imposed to the gas providers the replacement of the traditional metering devices with the new smart systems according to a challenging timetable: by 2018, 60% of the new devices shall be operating (by the end of 2015, 3%).
The DPIA template can provide the data controllers with useful guidelines in order to drive such a change, balancing the benefits that the implementation of the new smart systems can grant, at different levels, to collectivity, industry operators and users with the interests of the data subjects.
The smart metering systems shall be implemented in accordance with the six steps outlined in the DPIA framework:
- Pre-assessment (is a DPIA necessary?);
- Initiation (which are the DPIA organizational requirements?);
- Description of Smart Metering Systems processing personal data, including data flows;
- Identification of relevant risks;
- Data protection risk assessment (severity and likelihood of the identified risks);
- Identification and recommendation of controls and residual risks.
A report shall be drafted in order to identify the different phases and the outcomes of the DPIA.
The WP29, in particular, stressed that there should always be two distinct and complementary goals to be achieved through the DPIA: (i) the management of the risks for the rights and freedoms of the data subjects and (ii) the compliance with the applicable data protection laws.
Accordingly, any data controller shall grant, at least, all the needed measures and controls to meet the privacy targets listed in Annex I of the DPIA template, including:
- Safeguarding quality of personal data;
- Compliance with the data subject’s rights;
- Safeguarding confidentiality and security of processing;
- Compliance with data retention requirement;
- Privacy by design;
- Privacy by default.
It is now up to the single Member States to decide how implementing such a framework. In particular, from a practical perspective, it will be interesting to see how the national Data Protection Authorities will be involved in the DPIA process: will a notification to the Authority of the DPIA report be sufficient? Will a prior checking proceeding be required?
The test phase regarding the DPIA template will last two years. Afterwards, Member States should provide the Commission with an assessment report highlighting the relevant conclusions stemming from the test phase.