Amidst the energy crisis faced by many European countries, the rollout of smart meters is increasingly central to managing energy usage. Smart meters provide people with information about their energy consumption, whilst making more personal data available to help with innovation, demand forecasting and cost reductions.
However, accompanying this are privacy risks, including that large-scale usage of smart metering data can result in a loss of control over potential sensitive information on domestic activities access. Moreover, the potential for consumption data to be shared amongst multiple parties without their knowledge has the potential to disincentivise residents from installing smart meters altogether, which threatens to thwart the potential efficiency savings that such devices can bring.
In their November 2022 newsletter, the European Data Protection Supervisor (‘EDPS’) announced the publication of its opinion on the European Commission’s Implementing Regulation on the access to metering and electricity consumption data by energy suppliers and related services (‘the Draft Regulation’). The opinion outlines further requirements for transparency and legal bases before smart metering data can be accessed by energy industry parties.
This article analyses the EDPS’ opinion and clarifies what this brings for energy industry players.
What is the Draft Regulation?
Smart meters are electronic devices that allow energy companies to monitor consumption, enabling more accurate profiling and billing. Deploying smart meters provides value for many companies, including energy suppliers, network operators, home technology manufacturers and research organisations, to further analyse and understand energy consumers’ behaviours.
Throughout its Draft Regulation, the European Commission outlines rules specifying the conditions by which member states may permit electricity market participants access to consumption data. Treating smart metering infrastructure as a repository of sensitive consumer data, the Commission introduces several concepts for member states’ energy markets, including:
Legal basis
Allowing energy industry participants to access smart meter data either where “there is an active permission” from the energy consumer or an “other legal or contractual basis”.
Consumers
Facilitating consumer’s access to their own data, in a “structured, commonly used, machine-readable and interoperable format”, as well as to an “access log” of their data.
Access Log
Requirements on member states to maintain an access log of which industry party has accessed a consumers’ smart metering records, the type of data accessed and time of access, and make this available to consumers.
What were the privacy concerns raised?
The EDPS raised several concerns on the Draft Regulation, centred around the potential for consumers’ data to be used by energy industry participants without their knowledge and consent.
Firstly, the EDPS wants the Commission to restrict the legal bases for smart meter data access, strictly requiring energy consumers’ ‘permission’, or where it is necessary in the context of a contractual agreement with consumer-facing energy services. Interestingly, the EDPS considers smart meters to be regulated under the ePrivacy Directive, a law which requires the consent of the user prior to accessing information stored in a user’s ‘terminal equipment’ (such as a mobile device, internet browser, smart TV or apparently a smart meter), unless necessary for a contract with the user.
Secondly, in the interest of consumer transparency, the EDPS considers that the Draft Regulation should delineate the roles and responsibilities of the energy parties involved (ie as controller, joint controller or processor) and require this delineation to be made available to energy consumers.
Finally, the EDPS argues for establishing a maximum retention period for smart metering data, or for the Draft Regulation to identify criteria to allow energy market participants to determine such periods.
What impact will the recommendations have?
If implemented, the EDPS’ recommendations to the European Commission’s Draft Regulation will provide further welcome transparency around access to smart metering data. Consumer rights will be strengthened by the delineation of data sharing roles and retention periods for their consumption data, on top of the right to an Access Log and identity protection already offered in the Draft Regulation.
The EDPS’ proposals requiring either consent or contractual necessity will nevertheless limit access to smart metering data within the energy industry. Although most of the energy industry parties identified in the Draft Regulation (such as suppliers, network operators, aggregators) have a direct relationship with consumers, further consent will be needed to pass data on to other organisations, such as research or analytics partners. Additionally, as the Draft Regulation only covers energy industry participants, Member states will also need to introduce further rules for other companies (universities, technology companies) to directly access smart metering data.
Data sharing agreements are not yet commonplace in most energy markets. The EDPS’ requirement to outline roles and responsibilities will, in combination with the GDPR, naturally require energy industry players to implement such agreements with respect to smart metering information.
The Draft Regulation is still being discussed with various member states’ energy industry regulators and is unlikely to be in force until 2023 at the earliest. Outside the EU, the provisions on maintaining Access Logs and consumer access to data are likely to become best practice for in countries with advanced smart metering governance, such as the UK. Energy industry participants should expect more robust governance around data sharing to arrive, alongside the efficiency benefits of data-driven smart energy transition.