EU: EDPS Tech-Dispatch on smart meters in smart homes
On 16 October 2019, the European Data Protection Supervisor ('EDPS') published a Tech-Dispatch report focusing on smart meters in smart homes ('the Report')[1]. The Report, which is part of the wider EDPS activities on technology monitoring, provides a snapshot of data processing by electricity smart meters and its potential impact on privacy and the protection of personal data. Alessandra Fratini, Partner at FratiniVergano – European Lawyers, describes the interaction between smart meters and data protection, and provides insight into what data is collected by smart meters.
The EDPS notes that an increasing number of smart meters are being used across the EU, as Directive 2009/72/EC of the European Parliament and of the Council of 13 July 2009 concerning common rules for the internal market in electricity and repealing Directive 2003/54/EC ('the Electricity Directive')[2] requires Member States to roll out electricity smart meters to 80% of consumers by 2020, unless the result of a cost-benefit analysis is negative. In contrast with conventional meters, which allow one meter value per billing period to be collected and transferred manually, usually once per year, smart meters record real-time consumption and production of electricity, enable automated meter reading, and transfer the readings to the supplier at regular intervals, by the hour or even more frequently. Smart meters that allow two-way communications can also receive instructions from the supplier, including time-based pricing information, demand-response actions, or remote supply disconnects. In addition, smart meters can be connected to smart home devices, such as energy monitors, to enable the tracking of individual appliances, improve control, and save energy.
Against this background, the Report provides a preliminary assessment of the data protection issues associated with smart meters. The main issue concerns potential risks due to conclusions drawn from consumption data. The EDPS acknowledges the benefits, in terms of increased efficiency and safety of electricity distribution, of monitoring energy consumption in short intervals. However, as noted already back in 2012 by both the EDPS[3] and the former Article 29 Working Party[4], such monitoring also allows those who have access to consumption data to draw conclusions about the behaviour of energy consumers. Power data usage patterns obtained from smart meters can in fact reveal much more than how much electricity is being used, allowing for the identification of individuals. As such, the operation of smart meters entails the processing of 'personal data' and needs to comply, as specifically required by Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal market for electricity and amending Directive 2012/27/EU, with the EU data protection rules.
Besides the traditional consumer registration data, such as names and addresses of data subjects, and their billing and payment method data, the processing of household consumption data, with demand information and time stamps, as well as the amount of energy provided, might provide insight into the daily life of the data subject, such as the number of hours of use, how many occupants are present at what time, the type of occupants, and the frequency of transmitting data. The European Commission Recommendation of 9 March 2012 on preparations for the roll-out of smart metering systems (2019/148/EU)[5] advised keeping recording and transfer intervals under 15 minutes. As highlighted by the EDPS, in fact, 'the smaller the measurement intervals, the more detail is revealed about the consumption profile, allowing various conclusions to be drawn about the household and its members.' For example, the 15-minute interval smart meter data of residential households taken during a period of one year would allow the holiday periods and religious practices of residents to be inferred, while intervals of under 60 seconds would make it possible to detect the use of household appliances such as refrigerators, lighting, and house-work activities.
Another issue is the lack of control and transparency, as most data subjects might be unaware of the nature of the data processing operations, of the entities using their data and of the potential impact that processing could have on their privacy. In addition, as the expected lifetime of electricity smart meters is 14 years on average, it is reasonable to assume that the processing of meter data may evolve throughout the meter's lifetime, with further accumulation of past, and future, meter data, which the data subjects have not necessarily consented to.
Next, the EDPS highlights the risks of profiling and mass surveillance. On the one hand, the use of smart metering may lead to tracking the everyday lives of people in their own homes and building commercially valuable profiles of individuals based on their domestic activities. These profiles, which could be enriched with further personal data drawn from other online and offline sources, may be of interest not only for marketing or advertising purposes, but also to other third parties such as law enforcement agencies, tax authorities, insurance companies, landlords, employers, and others. On the other hand, a 'network of smart meters with two-way communications enabled could also become part of an infrastructure of mass surveillance. This could technically be achieved with a mere firmware update to shorten the measurement and transfer intervals.'
Furthermore, in so far as they fall into the category of Internet of Things ('IoT') devices, smart meters share the risks originating from IoT devices or networks. Smart meters with network connectivity may be subject to unauthorised access and, where connected to smart home appliances or the internet, they could harm or infect other vulnerable or sensitive devices or services, such as mobile phones, computers, security cameras, smart locks, or public web-services. Equally, unauthorised access to smart meters via other devices in a smart home could not only extract consumption data or record false consumption values, but also compromise smart meter functionalities, including the provision of energy. In that respect, the EDPS notes that some EU countries demand comprehensive certifications for smart meters and related components, and recommends that smart meters and home appliances be regularly updated with security fixes and upgrades throughout their entire product lifecycle. In addition, the use of the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems[6] as an evaluation and decision-making tool may further support smart grid operators in addressing the above data protection issues.
The EDPS concludes by arguing that Privacy by Design and Privacy by Default, under Article 25 of the General Data Protection Regulation (Regulation (EU) 2016/679), may reduce the above risks. For example, the possibility for users to choose large measurement intervals could lower the accuracy of conclusions drawn from consumption data, as would the option to disable and enable certain smart features of the meter in some circumstances. In addition, the risks originating from drawing conclusions from the data may be lessened, without changing the measurement interval, by using some privacy-enhancing technologies, such as encryption of meter data, masking protocols, homomorphic encryption to aggregate the meter data of multiple households, mesh networks to aggregate encrypted meter data hierarchically, and privacy-preserving linkable anonymous credential protocols.
Alessandra Fratini, Partner
FratiniVergano – European Lawyers, Brussels
1. Available at: https://edps.europa.eu/data-protection/our-work/publications/techdispatch/techdispatch-2-smart-meters-smart-homes_en
2. Annex 1 of Directive 2009/72/EC of the European Parliament and of the Council of 13 July 2009 concerning common rules for the internal market in electricity and repealing Directive 2003/54/EC.
3. Available at: https://edps.europa.eu/data-protection/our-work/publications/opinions/smart-metering-systems_en
4. Available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp183_en.pdf
5. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32012H0148&from=EN
6. Available at: https://ec.europa.eu/energy/sites/ener/files/documents/dpia_for_publication_2018.pdf