9 January 2014

Article 29 Working Party remains critical of smart grids and smart metering systems

The Article 29 Working Party recently published its latest opinion on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems. Though some sector-specific content has been added in the new template, the Working Party called for more improvement and guidance, especially for the energy industry to meet its data privacy obligations when designing smart systems.

Smart metering – background
The European Commission set up the Smart Grid Task Force in 2009 to provide regulatory recommendations regarding privacy, data protection and cyber security in the smart grid environment. On 4 April 2011, the Article 29 Working Party (Working Party) issued an opinion to clarify the legal framework for the use of smart metering technology. The opinion noted that the energy industry aims to supply energy more efficiently and to foster energy savings with the use of smart metering technology, but that analysis of the information acquired could violate consumers’ privacy, since this information constitutes personal data.

On 9 March 2012, the Commission adopted a recommendation to provide guidance to EU member states on several aspects of smart metering systems, including data protection and security considerations. Following this recommendation, the Task Force prepared a template for a data protection impact assessment (DPIA), and a second draft of this template was submitted by the Commission to the Working Party for review. 

Latest template
The Working Party issued its latest opinion on the second draft template on 4 December 2013. The Working Party views this latest template as a significant improvement, but further clarification is needed, especially to meet the privacy targets mentioned in the template. In addition, the most common privacy enhancing technologies and other “best available techniques” for data minimisation should be described in the template to provide the industry with measures that are ready to be implemented and to create more awareness of what privacy enhancing technologies are.

The future
Once the template is agreed and the Commission has adopted the recommendation, the template will be used in the energy industry to perform DPIAs. Although the Commission’s recommendation is not legally binding, the Commission has proposed a General Data Protection Regulation that would make DPIAs mandatory under certain conditions. In that case, the template could be seen as a means to comply with a legal obligation. Thus, the importance of the template will probably increase significantly when the Regulation is adopted, which is expected in 2015. It is advisable that the energy industry use the template to become familiar with the template’s approach and to apply it when designing their systems (privacy by design).