In the field of smart metering, the CNPD is assisting the GIE Luxmetering with the implementation of their operating processes and procedures as part of a Privacy Impact Assessment (PIA). The aim of this approach is to assess the likelihood of privacy risks and to document the actions taken to address them.
In a first step, the CNPD has already given a formal opinion concerning the draft Grand Ducal regulation on smart metering in December 2013. In the context of the PIA that began in early 2014, the CNPD is not only responsible for reviewing it, but also has a unifying role and contributes to the transfer of existing international experiences.
"Intelligent measurement systems" or "Smart Meters" are a new generation of energy meters. With their advanced technologies, they can identify the energy consumption of a house in detailed manner and in real time. The EU's aim is to equip 80% of households with such smart meters by 2020. In Luxembourg, 95% of all customers will be equipped with smart meters for electricity at the end of 2018 and gas at the end of 2020.
The economic interest group (GIE - "groupe d'intérêt économique") Luxmetering is responsible for the implementation of the infrastructure and national deployment of approximately 350.000 energy meters. The GIE was created on 28 November 2012 by 7 Luxembourgish electricity and gas network operators: Creos Luxembourg, the City of Ettelbruck, the City of Diekirch, Hoffmann Frères (Electris), the City of Dudelange, Sudstroum and Sudgaz. Its activity is based on the Act of 7 August 2012 amending the Act of 1 August 2007 on the organization of the electricity and gas markets.
The CNPD has agreed with the Ministry of Health to also use the method of the PIA in collaboration with the eHealth agency to evaluate the risks and protective measures provided by the future "eHealth"-platform ("eSanté") and the respect of the individual rights in the context of the implementation of the electronic health records in Luxembourg.
Advantages of smart meters
Smart metering offers new features such as the production of detailed information on energy consumption, the ability to perform remote readings, the development of new rates and services based on energy profiles, the possibility to interrupt the supply remotely, establishing invoices in real time and identifying what is the most expensive to the customer.
Through the intelligent use of energy, consumers can reduce their bills by changing their habits, such as using energy at different times of the day to take advantage of lower rates. There are also opportunities for the industry. For example, they can predict the demand more accurately and thus avoid the high costs of electricity storage.
Privacy risks
Smart meters offer many benefits, but they also allow for the generation, transmission and analysis of data relating to consumers, much more than is possible with a 'traditional' meter. The risk of invasion of privacy is greater as the suppliers compile detailed information about energy consumption and patterns of use.
This issue was addressed by the Article 29 Working Party which advocated that the data controller must be clearly identified, and be clear about obligations arising from data protection legislation including Privacy by Design, security and the rights of the data subject. The Berlin Group also drew attention to the potential threats to privacy that smart meters allow. By collecting information every 10 to 30 minutes, they generate large amounts of data from which very personal information can be deduced on the habits of users. In addition, if the consumption of electricity of a home is known, it's possible to find out what room the people are in, when they are present and when they sleep.
Privacy by Design
The Berlin Group also noted that Privacy by Design is providing organizations with a means to, by considering privacy from the outset, achieve a positive-sum scenario – meeting both privacy and functionality requirements. The movement towards the Smart Grid and, in particular, smart metering, in its current nascent state, is at an ideal stage for the application of Privacy by Design. The idea is to integrate data protection tools directly into the product or service, rather than add them later in form of supplements.
Smart meters should ideally protect privacy by default, with no action required on the part of the consumer (Privacy by default). In addition, only data strictly necessary for the purpose of the smart meters should get out of the consumer's home (principle of data minimization). Finally, the Group stressed that consumers should not be forced to choose between protecting their privacy and energy efficiency.