The Department of Energy and Climate Change (DECC) carried out numerous studies and soundings in preparation for the rollout of smart energy meters to over 30 million UK homes between 2014 and 2019, but the most polemical press coverage was elicited by the consultation in Spring 2012 on the data access and privacy issues raised by the valuable energy consumption data (Consumption Data) generated by these new metering devices. Some newspapers cited warnings of “cyber attacks by foreign hackers” and “a spy in every home”, and there was much interest in the concerns highlighted in a report published in June by the European Data Protection Supervisor that the most granular real-time Consumption Data could reveal details such as the daily habits of household members or even tell burglars when a house was unoccupied.
The UK government’s response to this consultation, published on 12th December 2012, sheds considerable light on the data protection compliance measures that must be put in place by energy companies, network operators and others who access Consumption Data such as ‘switching’ websites and energy services suppliers. These requirements will apply alongside (and in addition to) those already set out in the Data Protection Act 1998. The measures will be implemented via amendments to the licence conditions adhered to by energy suppliers (enforced by Ofgem) and a new Smart Energy Code overseen by a dedicated Smart Energy Code Panel. A central information hub controlled by a body known as the Data and Communications Company (DCC) will enable remote access to Consumption Data for suppliers and third parties that have agreed to be bound by the Code.
Background: The aim of the UK government’s smart meters programme is to give consumers real-time information about their energy consumption in the hope that this will help to control costs and eliminate estimated energy bills, on top of the environmental and cost-saving side effects of the behavioural changes such information may encourage. In the long term, it is hoped that smart energy data will lead to fluctuating, real-time energy pricing, enabling consumers to see how expensive it will be to use gas or electricity at any given time of day.
Key rules: There are some key elements to the new framework which apply differently to energy suppliers (such as British Gas and EDF Energy), network operators (companies that own and lease the infrastructure for delivering gas and electricity to premises) and “third parties” such as switching websites and energy companies when they are not acting in their capacity as a supplier to the relevant household.
A crucial aspect of the rules that applies to all parties is the requirement to obtain explicit, opt-in consent before using Consumption Data for any marketing purposes. For other uses, third parties will always need opt-in consent to remotely access Consumption Data of any level of granularity, whereas in order to remotely access the most detailed level of Consumption Data (relating to a period of less than one day), energy suppliers will also be required to obtain opt-in consent.
From a consumer protection perspective, perhaps the most important safeguards introduced by the Stage 1 draft of the Smart Energy Code published in November 2012 are the requirements on third parties requesting Consumption Data from the DCC to:
(a) take measures to verify that the relevant household member has solicited the services connected with the third party’s data request;
(b) self-certify that the necessary consent has been obtained; and
(c) provide reminders to consumers about the Consumption Data being collected at appropriate, regular intervals.
Privacy Impact Assessments: In line with Privacy by Design principles promoted by data protection authorities globally, the UK government has developed its own Privacy Impact Assessment to assess and anticipate the potential privacy risks of the smart metering programme as a whole. The idea is that the government’s PIA will be an “umbrella document” and every data controller wishing to access Consumption Data is expected to carry out its own PIA before the new framework comes into force (likely to be this summer). The European Commission is also developing a template PIA for this purpose.
Apart from helping to identify risks to customers and potential company liabilities, PIAs are lauded by the UK Information Commissioner as the best way to protect brand reputation, shape communication strategies and avoid expensive “bolt-on” solutions.
Conclusions: Research carried out as part of the UK government’s Data Access and Privacy consultation showed that the overwhelming concern of consumers questioned was that smart meter data would lead to an increase in direct marketing communications. Many participants did not identify the potential for misuse of Consumption Data until it was explained to them. The less obvious nature of the potential for privacy intrusion of this new data underlines the fact that consent is not a panacea in the case of smart meters (despite the considerable focus on this in the consultation responses).
So, clear and comprehensive information is key. As part of preparing for compliance, companies planning to access Consumption Data should build clear messaging into all customer-facing procedures, including those in respect of all in-person, online and call centre interaction. And whilst some of the finer details of the new rules are yet to be ironed out, it’s clear that every organisation concerned will be expected to digest the details of the new framework now and be fully prepared – including by completing Privacy Impact Assessments – in time for when the regulatory framework comes into force, expected to be June 2013.
A longer version of this article was first published in Data Protection Law & Policy in February 2013.