Back to EUR-Lex homepage

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search
You are here

Document 52012XX1101(06)

Executive summary of the Opinion of the European Data Protection Supervisor on the Commission Recommendation on preparations for the roll-out of smart metering systems

OJ C 335, 1.11.2012, p. 13–15 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

1.11.2012   

EN

Official Journal of the European Union

C 335/13

Executive summary of the Opinion of the European Data Protection Supervisor on the Commission Recommendation on preparations for the roll-out of smart metering systems

(The full text of this Opinion can be found in English, French and German on the EDPS website: http://www.edps.europa.eu)

2012/C 335/08

1.   Introduction

1.1.   Consultation of the EDPS

1.

On 9 March 2012, the Commission adopted a Recommendation on preparations for the roll-out of smart metering systems (1) (‘the Recommendation’). The Recommendation was sent to the EDPS for consultation on 19 March 2012.

2.

Before the adoption of the Recommendation, the EDPS was given the opportunity to provide informal comments. Some of these comments have been taken into account in the Recommendation. As a result, the data protections safeguards in the Recommendation have been strengthened.

3.

The EDPS welcomes the fact that the Commission also consulted him formally and that this Opinion is referred to in the preamble of the Recommendation.

1.2.   Objectives and background of the Recommendation

4.

The objective of the Recommendation is to give guidance to Member States on preparation for the roll-out of smart metering systems (2) in Europe. The roll-out is foreseen by 2020 for both the electricity and the gas markets and is subject to an economic assessment of costs and benefits. This assessment is to be carried out by each Member State by 3 September 2012 (3).

5.

A significant part of the Recommendation (Section I) is dedicated to data protection. Importantly, the Recommendation calls for the preparation of a template for a data protection impact assessment (4) (‘the Template’) and its submission to the Article 29 Data Protection Working Party (‘the WP29’) for advice within 12 months of the publication of the Recommendation (5).

6.

The first draft of the Template is currently under preparation by Expert Group 2 of the Commission's Task Force on Smart Grids. The Task Force has been established by the Commission prior to the adoption of the Recommendation, to give advice on smart grid issues. One of the subgroups of the Task Force, Expert Group 2, focuses on security and data protection aspects. The group comprises mainly industry representatives (with some representation of civil society and consumer groups) (6).

7.

The Commission pursues a ‘soft law’ approach combining (i) a Commission Recommendation covering data protection among other issues and (ii) further guidance to Member States in the form of a template for a data protection impact assessment, which is to be applied voluntarily by industry participants. The approach is based on the experience gained from the development and revision, following WP29 comments, of the ‘Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications’ (7). However, the Commission has not excluded the need for legislative action at national and/or at the European level (8).

1.3.   Objectives, main messages and structure of the EDPS Opinion

8.

While this EDPS Opinion is adopted in response to the Commission Recommendation, it is not strictly limited to the content of this Recommendation, as there are important data protection aspects of the roll-out of smart metering which are not fully addressed in the Recommendation itself. The EDPS also recalls in this context his formal comments on the Energy Efficiency Proposal (9).

9.

The EDPS Opinion has three main objectives and messages:

First, the Opinion evaluates the Recommendation: it welcomes the Recommendation as a first step, highlights its achievements, but also criticises its shortcomings, including its insufficient specificity.

Second, while the EDPS regrets that the Recommendation has not provided more specific and more practical guidance on data protection, he considers that some guidance can still be given in the data protection impact assessment Template, which is currently under preparation. Therefore, the Opinion provides a number of targeted recommendations on the Template.

Third, the Opinion calls on the Commission to assess whether, beyond the adoption of the Recommendation and the Template, further legislative action is necessary at the EU level and provides a number of targeted recommendations for possible legislative action.

10.

In light of these objectives, the Opinion is structured as follows:

Section 2 provides a brief introduction to the concepts of smart meters and smart grids and explains the data protection concerns they raise.

Section 3 provides general comments on the Commission’s approach followed in the Recommendation, discusses the need for further legislative action, and gives recommendations for a possible legislative action.

Section 4 outlines some of the key issues that — in the view of the EDPS — should have been addressed more specifically in the Recommendation. Some of these recommendations may also serve to guide national or European legislators when considering further regulatory or legislative action. Others may be addressed in the data protection impact assessment Template to be developed.

Section 5 provides a few targeted recommendations on the data protection impact assessment methodology and on the content of the Template to be developed. These should be read in conjunction with Section 4.

6.   Conclusions

68.

The Europe-wide roll-out of smart metering systems may bring significant benefits, but also entails considerable risks to the protection of personal data. It enables massive collection of personal data from European households and may lead to tracking what members of a household do within the privacy of their own homes. In light of these risks, the EDPS welcomes the Commission's efforts made in the Recommendation to provide guidance to Member States on the measures that should be taken in order to ensure that smart metering and smart grid systems are designed and operated subject to adequate data protection safeguards.

69.

The EDPS appreciates the efforts of the Commission to make use of newly proposed concepts such as data protection by design and practical tools such as data protection impact assessments and security breach notifications. The EDPS, in particular, supports the Commission's plan to prepare a Template for data protection impact assessment and submit it to the WP29 for advice.

70.

The EDPS regrets that the Recommendation has not provided more specific and more practical guidance on data protection. However, he considers that some guidance can still be given in Template currently under preparation. Therefore, the Opinion provides recommendations on the Template and emphasizes that the Template must offer specific and practical guidance: a collection of best practice and ‘best available techniques’. It is also crucial for the Template to follow a sound methodology and, among others, clearly match each risk with an adequate control.

71.

In addition, the Opinion calls on the Commission to assess whether further legislative action is necessary at the EU level and provides recommendations for such possible legislative action. Some of these recommendations can already be implemented via an amendment to the Energy Efficiency Directive, which is currently before the Council and Parliament. These should include at least a mandatory requirement for controllers to conduct a data protection impact assessment and an obligation to notify personal data breaches (Section 4.7).

72.

Further, the EDPS also recommends:

more guidance on the legal basis of the processing and the choice available to data subjects: in particular, a clear distinction between objectives for which energy usage data can be processed without customer consent, and those for which customer consent is required (Section 4.2),

mandatory application of ‘PETS’ and other ‘best available techniques’ for data minimisation (Section 4.3),

clarification of roles and responsibilities of the different actors from a data protection point of view (Section 4.4),

more guidance on retention periods; in principle, storage of fine-grain consumption data of individual households should be permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued and only to the level of granularity required for billing purposes (without prejudice to the consumer's right for longer retention based on consent, for example, to obtain targeted energy advice) (Section 4.5),

direct access to consumers to their energy usage data; and effective methods to inform data subjects about the processing of their data; this should include, in case of data mining, disclosure of individual profiles and the logic of any algorithms used for data mining; comprehensive information regarding the existence of any remote on/off functionality should also be provided (Section 4.6).

Done at Brussels, 8 June 2012.

Giovanni BUTTARELLI

Assistant European Data Protection Supervisor

(1)  C(2012) 1342 final.

(2)  For a brief introduction to smart meters and smart grids, please see Section 2.1 below.

(3)  The roll-out and the cost-benefit analysis are required under (i) Directive 2009/72/EC concerning common rules for the internal market in electricity and repealing Directive 2003/54/EC (OJ L 211, 14.8.2009, p. 55), and (ii) Directive 2009/73/EC concerning common rules for the internal market in natural gas (OJ L 211, 14.8.2009, p. 94). The Commission proposal for a directive on energy efficiency (COM(2011) 370 final) (‘Energy Efficiency Proposal’), currently before the legislators, includes additional provisions on smart metering.

(4)  With regard to data protection impact assessments, it is to be noted that the Commission proposal for a revised general data protection framework plans to make data protection impact assessments mandatory in some situations and provide further guidance on how such an impact assessment should be carried out. See Article 33 of the Commission proposal for a regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (COM(2012) 11 final). See also paragraphs 200-205 of the EDPS Opinion of 7 March 2012 on the data protection reform package, available at: http://www.edps.europa.eu/EDPSWEB/edps/Consultation/Reform_package;jsessionid=46ACCFDB9005EB950DF9C7D58BDE5377

(5)  See: paragraph 5 of the Recommendation.

(6)  More information on the work of the Task Force and of Expert Group 2 is available on the website of the Task Force at: http://ec.europa.eu/energy/gas_electricity/smartgrids/taskforce_en.htm

(7)  See: http://ec.europa.eu/information_society/policy/rfid/documents/infso-2011-00068.pdf and http://cordis.europa.eu/fp7/ict/enet/documents/rfid-pia-framework-a29wp-opinion-11-02-2011_en.pdf

(8)  It is noted that at the present stage no evaluation of the effectiveness of this soft law approach for the field of RFID has been provided, nor is there any generally available information indicating effectiveness of the approach.

(9)  EDPS Letter of 27 October 2011 to Mr Günther H. Oettinger, Commissioner for Energy on a proposal for a directive of the European Parliament and of the Council on energy efficiency and repealing Directives 2004/8/EC and 2006/32/EC, available at: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2011/11-10-27_Letter_Oettinger_EN.pdf

Top