EDPS issues opinion on smart metering systems

On June 8th the European Data Protection Supervisor (EDPS) published an opinion commenting on the Commission’s ‘Recommendation on preparations for the roll out of smart metering systems’ (issued March 9th), and on smart energy metering systems in general. Providing that the economic assessment to be carried out by Member States by the end of the summer gives favourable results the rollout for electricity and gas markets should take place by 2020. The EDPS warned that the introduction of smart meters is likely to raise serious threats to privacy in terms of the right to respect of family life and home, data protection concerns and the security of the citizen. It could constitute unwarranted surveillance if appropriate safeguards are not adopted. As with traditional gas and electricity meters, the new devices could be installed in all households. What makes them ‘smart’ is the fact that they will enable the automatic transmission of consumption data from each household to energy suppliers. The reading, recording and transmission of such data would occur regularly – and could take place as frequently as every fifteen minutes. Smart meters will pave the way to a dynamic, ‘demand and response’ pricing system whereby energy consumption at peak times will be more expensive than consumption off-peak, or even change from customer to customer. As such, smart meters are a precondition for the modernisation of energy supply chains and deliver ‘smart grids’, which are supposed to provide considerable economic benefits. The collection of such fine-grained information on consumption, though, could allow for the extraction of personal information, which could impinge upon the privacy of the members of EU households. The EDPS notes, for instance, that “by analysing detailed electricity usage data it may be possible in the future to infer or predict – also on a basis of deductions about the way in which electronic tools work – when members of a household are away on holiday or at work, when they sleep and awake, whether they watch television or use certain tools or devices, or entertain guests in their free time, how often they do their laundry, if someone uses a specific medical device or a baby monitor, whether a kidney problem has suddenly appeared or developed over time, if anyone suffers from insomnia, or indeed whether individuals sleep in the same room.” (p. 5). Over time the collection of such massive information can amount to tracking and reveal very detailed behavioural patterns, or profiles, which could prove of benefit to both businesses (for targeted advertising and value-added services) and law enforcement agencies. Moreover, if data were not secured properly criminals could hack into the servers of the energy suppliers to obtain information on individuals, for instance, in order to commit burglary. The EDPS commented extensively on the content of the recommendation. Whilst the recommendation incorporates new concepts such as privacy by design, privacy impact assessments (PIAs) and notification of data breaches, the EDPS highlighted a number of shortcomings such as the omission of basic principles of, and practical guidance on, data protection. He then suggested to introduce specific guidance and a clear methodology in the Template which will be prepared by the Commission for the voluntary impact assessments to be carried out by Member States, and proposed the assessment of additional legislative measures at the EU level to guarantee homogeneity of applicable laws and data protection standards.