(1)

Smart grids are an enabler for implementing key energy policies. In the 2030 policy framework context, smart grids, as the backbone of the future decarbonised power system, are recognised as a facilitator for the energy infrastructure's transformation in order to accommodate higher shares of variable renewable energy, improve energy efficiency and ensure security of supply. Smart grids provide an opportunity to boost EU technology providers' competitiveness, as well as a platform for traditional energy companies and new market entrants to develop innovative energy services and products in grid infrastructure and related information and communications technology (ICT), home automation and appliances.

(2)

Smart metering systems are a stepping stone towards smart grids. They provide the tools to empower consumers' active participation in the energy market, and enable system flexibility through demand response schemes and other innovative services. In accordance with Directive 2009/72/EC of the European Parliament and of the Council (1) and Directive 2009/73/EC of the European Parliament and of the Council (2), Member States are required to ensure the implementation of smart metering systems that assist the active participation of consumers in the electricity and gas supply markets.

(3)

The operation of smart metering systems — and a fortiori any further developments of smart grids and appliances — hold the potential to process data relating to an individual, i.e. personal data as defined by Article 2 of Directive 95/46/EC of the European Parliament and of the Council (3).

(4)

Opinion 12/2011 (4) of the Working Party on the protection of individuals with regard to the processing of personal data set up in accordance with Article 29 of Directive 95/46/EC states that smart metering systems and smart grids hold the potential to process increasing amounts of personal data and to make that personal data available to a wider circle of recipients than at present, thus creating new risks for data subjects that were previously unknown to the energy sector.

(5)

Opinion 04/2013 (5) of the Working Party states that smart metering systems and smart grids foreshadow the impending ‘Internet of Things’, and that the potential risks associated with the collection of detailed consumption data are likely to increase in the future when combined with data from other sources, such as geo-location data, tracking and profiling on the internet, video surveillance systems, and radio frequency identification (RFID) systems (6).

(6)

Raising awareness about the features and substantial benefits of smart grids should help this technology fulfil its full potential, while at the same time mitigating the risks of it being used to the detriment of the public interest, thus enhancing its acceptability.

(7)

The rights and obligations provided for by Directive 95/46/EC and by Directive 2002/58/EC of the European Parliament and of the Council (7) are fully applicable to smart metering systems and smart grid environments when personal data are processed.

(8)

The package adopted by the Commission for reforming Directive 95/46/EC includes a ‘Proposed Data Protection Regulation’ (8), which, when adopted, would apply to smart metering systems and smart grid environments when personal data are processed.

(9)

The Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 12 April 2011 on ‘Smart Grids: from innovation to deployment’ (9) highlighted data protection and security as one of the five challenges for smart grid deployment and identified a number of measures to accelerate this deployment, including the ‘privacy by design’ approach and assessment of network and information security and resilience.

(10)

The Digital Agenda for Europe lists a set of appropriate measures, in particular on data protection in the Union, on network and information security and on cyber-attacks. The ‘Cybersecurity Strategy for the European Union: An Open, Safe and Secure Cyberspace’ (10) and the Commission proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union of 7 February 2013 (11) put forward legal measures and set incentives to foster investments, transparency and user awareness, aiming at making the EU's online environment more secure. Member States, in collaboration with industry, the Commission and other stakeholders, should take appropriate measures to ensure a coherent approach in security and personal data protection.

(11)

The opinions of the Working Party on the protection of individuals with regard to the processing of personal data set up in accordance with Article 29 of Directive 95/46/EC, and the European Data Protection Supervisor's opinion of 8 June 2012 (12) provide guidance to safeguard personal data and guarantee data security when data are processed in smart metering systems and smart grids. Opinion 12/2011 of the Working Party on smart metering recommends Member States to proceed with implementation plans which require a Privacy Impact Assessment.

(12)

In order to leverage the benefits generated by smart metering systems, one of the key preconditions for the use of this technology is to find appropriate technical and legal solutions which safeguard privacy of the individual and protection of personal data as fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union. The Commission Recommendation 2012/148/EU (13) sets out specific guidance on data protection and security measures for smart metering systems and invites Member States and stakeholders to ensure that smart metering systems and smart grid applications are monitored and that fundamental rights and freedoms of individuals are respected.

(13)

The Recommendation 2012/148/EU states that data protection impact assessments should make it possible to identify data protection risks in smart grid developments from the start, following the principle of data protection by design. It announces the development by the Commission of a Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems, to be submitted for opinion to the Working Party on the protection of individuals with regard to the processing of personal data.

(14)

The Recommendation 2012/148/EU further indicates that the Data Protection Impact Assessment Template should guide data controllers in conducting a thorough data protection impact assessment which describes the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with Directive 95/46/EC, taking into account the rights and legitimate interests of data subjects concerned.

(15)

The ‘Proposed Data Protection Regulation’ replacing Directive 95/46/EC would render Data Protection Impact Assessments mandatory under certain conditions, as a key instrument to enhance data controllers' accountability. In this respect, the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems, albeit itself non-compulsory, will serve the purpose, as an evaluation and decision-making tool, of supporting data controllers in the smart grids sector to comply with a future legal obligation under the ‘Proposed Data Protection Regulation’.

(16)

A Template developed at Union level for conducting data protection impact assessments aims at ensuring that the provisions of Directive 95/46/EC and Recommendation 2012/148/EU are followed coherently across Member States and that a common methodology for data controllers guaranteeing adequate and harmonized processing of personal data throughout the EU is promoted.

(17)

Such a Template should facilitate the application of the principle of data protection by design by encouraging data controllers to carry out an impact assessment of data protection as soon as possible, hence allowing them to anticipate potential impacts on the rights and freedoms of data subjects and implement stringent safeguards. Such measures should be monitored and reviewed by the data controller throughout the lifecycle of the application or system.

(18)

The report produced from the Template's implementation should also contribute to national Data Protection Authorities activities regarding the monitoring and oversight of the compliance of processing and, in particular, the risks for the protection of personal data.

(19)

The Template should not only facilitate the resolution of emerging data protection, privacy and security issues in the smart grid environment, but also contribute to addressing data handling challenges linked to the development of the retail energy market. Indeed, an important part of value in the future retail market will stem from data and wider integration of ICT into the energy system. The collection and organisation of access to this data are key to the creation of business opportunities for newcomers, especially aggregators, energy service companies or the ICT branch. Data protection, privacy and security will therefore become increasingly important issues for utilities to handle. The Template will help ensure, especially in the initial phase of the roll-out of smart meters, that smart metering system applications are monitored and that fundamental rights and freedoms of individuals are respected, by identifying data protection risks in smart grid developments from the start.

(20)

Following submission of the Template — as formulated by the smart grid sector's main stakeholders through a process monitored by the Commission — to the Working Party for formal consultation, Opinion 04/2013 was issued. Subsequent to the submission of a revised Template based on Opinion 04/2013, the Working Party issued Opinion 07/2013 of 4 December 2013 (14). The recommendations formulated in these two opinions were taken into account by the stakeholders.

(21)

Opinion 07/2013 of the Working Party recommends the organisation of a test phase for the implementation of the Template, in which individual Data Protection Authorities may consider offering support. This test phase should contribute to ensure that the Template provides improved data protection to individuals in the context of the deployment of smart grids.

(22)

In light of the benefits generated by the Template for industry, consumers and for national Data Protection Authorities, Member States should cooperate with industry, civil society stakeholders and national data protection authorities to stimulate and support the use and deployment of the Data Protection Impact Assessment Template at an early stage in the deployment of smart grids and the roll-out of smart metering systems.

(23)

The Commission should contribute to the implementation of this Recommendation directly and indirectly by facilitating dialogue and cooperation amongst stakeholders, in particular through the centralisation and dissemination of information feedback during the test phase between industry and national data protection authorities.

(24)

In light of the test phase's conclusions and subsequent to the revision of Directive 95/46/EC, the Commission should assess the need to review and refine the methodology promoted in the Template.

(25)

This Recommendation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the EU. In particular, this Recommendation seeks to ensure full respect for private and family life (Article 7 of the Charter) and the protection of personal data (Article 8 of the Charter).

(26)

After consulting the European Data Protection Supervisor,