Smart Grids, Smart Meters, Privacy

and Data ProtectionRónán Kennedy, School of Law, NUI Galway

Image from https://www.flickr.com/photos/traftery/

Overview

1. Privacy issues in Smart Grids2. Legal responses3. Questions for discussion

Legal Problems with Smart GridsEnergy usage patterns reveal lifestyle patterns – for example:

Health issues, particularly sleep, diet, exercise, alcohol use

Relationship issues and child care arrangements

Religion

Enables discrimination and bias

Smart grids and meters may not be secure

Consumers may not be able to make informed decisions about privacy

Design ResponsesPrivacy by Design:

“Data Protection Impact Assessment”Security by Design:

end-to-end encryptionseparate streams for core and value-added services

Data Protection by Design and by DefaultOptions:

Include metadata on consent (default is off), processing, sharing

Keep data in a personal data store with intelligent agent as safeguard

Provide consumers with open source software

Right for consumers to access, move and erase data

Prohibition on automated profiling without knowledge or consent

Technical OptionsSecure, distinct data streams with authenticationPersonal data storagePrivacy-preserving data mining and aggregationDiscrimination-aware data miningConsumer control of granular data accessSemantic metadata in interactive systems

Article 29 Working PartyOpinion 04/2013

criticised DPIA for lack of clarity, confusing risks and threats, and not linking risks and controls

Opinion 07/2013:DPIA improved but needs improvement and testing

EU CommissionRecommendation 724/2014:

use of the “Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems”

Data Protection by Design and Data Protection by Default solutions

test phase “with deployment of real cases”

Review within two years (before October 2016)

EU Data Protection Regulation - 2015?Expected early 2015Likely changes:

need for explicit and freely given consentmore significant fines

EU Data Protection Regulation - 2015?

Requirements:appropriate technical measuresdata portabilityinterconnection between competitorsData Protection Impact Assessments

Concluding QuestionsIs it possible to introduce privacy concerns into technologies that are designed to share data?

Do consumers have the motivation, time and patience to learn to manage their privacy in such detail?

How to ensure a uniform approach without stifling innovation?

How to manage law enforcement requests for energy use data?

How to manage the exporting of data from the EEA?

Further InformationIra S. Rubinstein, “Regulating Privacy by Design” 26(3) Berkeley Technology Law Journal (2011), http://scholarship.law.berkeley.edu/btlj/vol26/iss3/6/

Mireille Hildebrandt, “Legal Protection by Design in the Smart Grid”, http://works.bepress.com/mireille_hildebrandt/42

Ian Brown, “Britain’s smart meter programme: A case study in privacy by design” 28(2) International Review of Law, Computers & Technology 172 (2014)