Consumers should have control over all but the most basic smart meter data processing purposes, privacy watchdog says

Out-Law News | 11 Jun 2012 | 1:44 pm | 3 min. read

Smart meter data should not be processed by companies without consumers' "freely given, specific, informed and explicit consent" other than in select circumstances, an EU privacy watchdog has said.

The European Data Protection Supervisor (EDPS) said that only if data collected from smart metering is required to be processed in order to provide a supply of energy, bill consumers, detect consumer fraud or prepare "aggregated data" that is "necessary for energy-efficient maintenance of the grid" should organisations be allowed to process that information without consent.

Smart metering enables a two-way flow of electricity and information that allows real-time information about demand for energy to inform the level of supply needed to meet that demand in a near-instantaneous fashion.

The EDPS, which is the watchdog responsible for monitoring EU bodies' compliance with data protection laws, published a new opinion (18-page / 111KB PDF) which outlined consumer profiling concerns relating to smart metering. It said the "granularity" of the data that may be collected about consumers through smart metering "raises concerns with regard to security, the rights to privacy and the protection of personal data." The data could inform when homes are unoccupied, and reveal "patterns" about consumers' lives which could potentially be "tracked", the watchdog added.

However, the EDPS said that the Commission's guidance is too narrowly targeted and does not account for a number of organisations that may be 'data controllers' of smart meter information. The guidance also outlines lawful grounds for processing of smart meter data that organisations may not actually be able to rely upon, it added.

To address these concerns the EDPS said there should be clearer rules and guidance than currently proposed governing processing of information collected from smart metering.

"The EDPS recommends that a freely given, specific, informed and explicit consent must be required for all processing that goes beyond processing required for the provision of energy, the billing thereof, detection of fraud consisting of unpaid use of the energy provided, and preparation of aggregated data necessary for energy-efficient maintenance of the grid (forecasting and settlement)," the EDPS' opinion said.

"To ensure legal certainty and consistent application and interpretation of these provisions, the EDPS further recommends that [the European Commission's 'template' guidance] and/or applicable legislation also clearly specify that tracking energy use (for purposes other than the basic objectives set forth in paragraph immediately above), profiling of individuals (except for detection of fraud consisting of unpaid use of the energy provided), targeted advertisement, value-added services, and further transfer of the data for such purposes should each require specific, separate consent," it said.

Without consent, individuals' smart meter data should not be read more frequently than once a month, the EDPS recommended. It also said that the Commission should evaluate new privacy-enhancing technologies (PETs) to see whether its guidance on keeping the data collected through smart metering at a minimum should account for the existence of those features.

Taking samples of data could also help energy companies with forecasting and would not require each householder's data to be processed, the watchdog said. In addition, meters located within the "distribution network" could be used to collect smart meter data that measures aggregated consumption of energy, which would avoid having to process each household's "fine-grain data," it added.

The European Commission should also set out in more detail when companies involved in the smart-metering industry should be required to delete the information they collect, the EDPS said.

The European Commission has issued guidance on data protection aspects of smart metering, whilst draft changes to the EU's Energy Efficiency Directive are also currently before the European Parliament and Council of Ministers for consideration.

The EDPS said that organisations that will process smart meter data should be mandatorily required to conduct an impact assessment prior to that processing. Each risk to privacy identified should be 'matched' by providing consumers with an "adequate control" over that risk, it said.

All companies that process "granular smart metering data" should also be compulsorily required to own up to data breaches, the EDPS said. It recommended that the Energy Efficiency Directive should be amended in order to include both the impact assessment and data breach notification requirements.

Smart metering technology is due to be installed across the UK from 2014 with every UK household expected to have the technology by 2019. The Government has said smart metering will slash unnecessary energy use, reduce emissions and cut consumers' energy bills.

The Government has already proposed a number of privacy safeguards for the smart meter scheme. Amongst them it has said that third-party companies should not be able to gain access to data recorded in consumers' smart meters unless consumers choose to let them.