Brussels, Monday 11 June 2012
On Friday 8 June 2012, the European Data Protection Supervisor (EDPS) adopted his opinion on the Commission Recommendation on preparations for the roll-out of smart metering systems, which gives guidance to Member States to prepare for the roll-out of these systems.
While the Europe-wide rollout of smart metering systems may bring significant benefits, it will also enable massive collection of personal data which can track what members of a household do within the privacy of their own homes, whether they are away on holiday or at work, if someone uses a specific medical device or a baby-monitor, how they like to spend their free time and so on. These patterns can be useful for analysing our energy use for energy conservation but together with data from other sources, the potential for extensive data mining is very significant. Patterns and profiles can be used for many other purposes, including marketing, advertising and price discrimination by third parties.
In light of these risks, the EDPS welcomes the efforts by the Commission to provide guidance to Member States. In particular, the EDPS supports the plan to prepare a template for a data protection impact assessment and submit it to the Article 29 Data Protection Working Party for advice.
At the same time, the EDPS regrets that the Commission has not provided more specific, more comprehensive and practical guidance in the Recommendation itself. However, he considers that some guidance can still be given in the data protection impact assessment template. In addition, further legislative action should also be considered.
Giovanni Buttarelli, Assistant EDPS, says: "the EDPS calls on the Commission to assess whether further legislative action is necessary at EU level to ensure adequate protection of personal data for the roll-out of smart metering systems an - in his Opinion - provides pragmatic recommendations for such legislative action. Some of these recommendations can already be implemented via an amendment to the Energy Efficiency Directive, which is currently before the Council and Parliament. These should at least include a mandatory requirement for controllers to conduct a data protection impact assessment and an obligation to notify personal data breaches."
The EDPS recommends, among other things:
more guidance on the legal basis of the processing and the choices available to data subjects, including on frequency of meter readings;
mandatory application of privacy-enhancing technologies ('PET's) and other ‘best available techniques’ for data minimisation;
more guidance on retention periods;
direct access to consumers to their energy usage data, as well as disclosure to them of their individual profiles and the logic of any algorithms used for data mining and information on remote on/off functionality.
On 9 March 2012, the Commission adopted a Recommendation on preparations for the roll-out of smart metering systems. The rollout is foreseen by 2020 subject to an economic assessment of costs and benefits. This assessment is to be carried out by each Member State by 3 September 2012.
The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by:
monitoring the EU administration's processing of personal data;
advising on policies and legislation that affect privacy;
cooperating with similar authorities to ensure consistent data protection.
EDPS - The European guardian of data protection
Follow us on Twitter: @EU_EDPS