doi: 10.1093/ijlit/eau001
Advance Access Publication Date: 18 March 2014
Article
ABSTRACT
Smart meters are being installed in consumers’ homes as the world moves to the smart
grid of intelligent energy networks. Smart meters are near real-time communication devices
that can collect and communicate a vast amount of personal data about each customer’s
energy use. Questions about who should have access to such data and for what
purposes raise significant consumer privacy concerns about data sharing. Because data
sharing facilitates secondary uses of energy use data and is essential for third party access
to the data, data sharing is a critical activity that needs to be analysed from an information
privacy perspective. This article makes three important contributions. First,
it identifies the key privacy and data protection concerns for both the EU and USA
consumers related to data sharing in smart metering systems. Second, it provides a
comparison of EU and US privacy and data protection law as it applies to smart metering
systems, revealing gaps in coverage in both systems. Third, it explains how important
privacy concerns related to data sharing are being addressed in the EU and the
USA, including specific examples of legislation and self-regulatory mechanisms that
have been adopted to protect privacy in smart metering systems. From this comparative
analysis, potential privacy-enhancing solutions can be identified. Ultimately it will
be up to government regulators and industry to adopt local solutions, but the goal of
this article is to encourage adoption of regulatory solutions and industry best practices
that are consistent with privacy rights and information privacy principles.
KEYWORDS: smart meters, data sharing, privacy, data protection, EU, USA
† College of Business, Oregon State University, Corvallis, Oregon, USA
‡ School of Business and Social Sciences, Aarhus University, Denmark
*Corresponding author. E-mail: pwj@asb.dk
Smart metering systems and data sharing
1. INTRODUCTION
1 Stephan Renner and others, European Smart Metering Landscape Report, Deliverable D2.1 of the project
‘SmartRegions – Promoting best practices of innovative smart metering services to European regions’ funded by
Intelligent Energy – Europe (Contract N: IEE/09/775/S12.558252, Vienna (February 2011) (European
Smart Metering Landscape Report), available in PDF through Google search (accessed 18 October 2013);
‘Advanced Electric Meter Installations Rising in Homes and Businesses,’ US Energy Information
Administration (EIA), (15 March 2011) 1 (EIA Report) (reporting that 39% of all US electrical customers
had advanced meters as of 2009), <http://www.eia.gov/todayinenergy/detail.cfm?id=510> accessed 18
October 2013.
2 Commission’s Recommendation of 9 March 2012 on preparation for the roll-out of smart metering sys-
tems (2012/148/EU), Official Journal of the European Union, L 73/11, note 1 (9 March 2012)
(Commission’s Recommendation on Smart Metering Systems); Article 29 Data Protection Working
Party’s Opinion 12/2011 on smart metering, p 2, 00671/11/EN/WP 183 (4 April 2011) (Art 29 Opinion
12/2011) (discussing milestones in the EU’s Third Energy Package adopted in 2009); Opinion of the
European Data Protection Supervisor (EDPS) on the Commission Recommendation on preparations for
the roll-out of smart metering systems, EDPS, p 2 (8 June 2012) (commenting that the roll-out of smart
metering systems for the electricity and gas markets is required under Directive 2009/72/EC concerning
common rules for the internal market in electricity and Directive 2009/73/EC concerning common rules
for the internal market in natural gas (OJ L 211, 14.08.2009, p 95) (EDPS Opinion on Smart Metering
Systems).
3 The USA has also made commitments to improve energy efficiency and update the electric grid, although
it has not set national numerical adoption goals for smart metering systems. A Policy Framework for the
21st Century Grid: Enabling Our Secure Energy Future, Executive Office of the President of the United
States, p 1 (June 2011) (US Energy Framework for the 21st Century) <http://www.whitehouse.gov/
sites/default/files/microsites/ostp/nstc-smart-grid-june2011.pdf> accessed 18 October 2013. Since
Congress adopted the Energy Independence and Security Act of 2007 (EISA), Pub L 110-140, 121 Stat
1492 (2007) (EISA, codified at 42 USC s 17381 et seq.) and the American Recovery and Reinvestment
Act of 2009, Pub L No 111-5, div A, title IV, 123 Stat 115 (2009), the US Department of Energy has
awarded billions of dollars in federal funding for smart grid projects that include support for smart meter
installation to enable conversion to the smart electrical grid. US Energy Framework for the 21st Century,
p 2 (reporting that recipients of the federal funding to upgrade the smart electrical grid include private
companies, service providers, manufacturers and cities and that total public–private investment exceeds $8
billion). See also, Russell Frisby and Jonathan Trotta, ‘The Smart Grid: The Complexities and Importance
of Data Privacy and Security’ (2011) 19 Comm Law Conspectus 297–341, 297 and 305–10 (providing an
overview of US legislation that addresses the smart grid and federal agencies with regulatory responsibil-
ities related to the smart grid).
4 Mark Chediak, ‘Smart-Meter Defiance Slows $29 Billion U.S. Grid Upgrade’ Bloomberg (May 2012)
<http://www.bloomberg.com/news/2012-05-08/smart-meter-defiance-slows-adoption-of-29-billion-grid.
html> accessed 18 October 2013 (reporting statistics for smart meter implementation in the USA, accord-
ing to the Institute for Electric Efficiency, a Washington-based research group financed by investor-owned
utilities) (Chediak). As of September 2011, about 27 million smart meters had been installed in the USA,
ibid.
Smart meters are near real-time communication devices that can collect and communicate
a vast amount of personal data5 about each customer’s energy use.6 It is
5 The term personal data is used in this article consistent with its definition under the Data Protection
Directive (95/46/EC) and includes the concept of personally identifying information (PII). See Data
Protection Directive, Directive 95/46/EC of the European Parliament and of the Council of 24 October
1995 on the protection of individuals with regard to the processing of personal data and on the free move-
ment of such data, OJ L 281/31, 23.11.95, Art 2 (Data Protection Directive) (providing, ‘personal data’
shall mean any information relating to an identified or identifiable natural person (‘data subject’); an iden-
tifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifica-
tion number or to one or more factors specific to his physical, physiological, mental, economic, cultural or
social identity). The US analysis of privacy concerns may skip the issue of defining personal data in favour
of defining a class of data that is sensitive (eg defining consumer-specific energy usage data or CEUD) and
providing enhanced privacy protections for the data. This approach is likely in the USA due to the lack of
an agreed definition for personal data under US law, which, in turn, is likely due to lack of a generally ap-
plicable federal data protection law that defines personal data. Data Access and Privacy Issues Related to
Smart Grid Technologies, US Department of Energy, 3, 9, 29-30 (5 October 2010) (DOE Data Access
and Privacy Report) <http://www.smartgrid.gov/sites/default/files/Broadband_Report_Data_Privacy_
10_5.pdf> accessed 18 October 2013. Even so, the DOE provides definitions of privacy related terms
used in its report, including definitions for: personal information, PII, composite personal information and
private information. DOE Data Access and Privacy Report, (fn 5) Appendix E. See also discussion of the
US regulatory framework for privacy and data protection in Section 3 of this article.
6 EDPS Opinion on Smart Metering Systems, (n 3) 4–6 (commenting that smart metering systems enable
massive collection of personal information from European households with the potential intrusiveness
increased by the ability to infer information from the data about what members of a household do within
the privacy of their own homes); Guidelines for Smart Grid Cyber Security: Vol 2, Privacy and the Smart
Grid, National Institute of Standards and Technology Interagency Report, NISTIR 7628 (August 2010).
<http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf> accessed 18 October 2013
(NISTIR 7628).
7 Simone Pront-van Bommel, ‘Smart Energy Grids within the Framework of the Third Energy Package’
[April 2011] European Energy & Environ L Rev 32–44, 33 ; Paul Lewis Joskow, ‘Creating a Smarter U.S.
Electricity Grid’ (2012) 26(1) J Eco Perspectives 29–48, 30.
8 Pront-van Bommel ibid 36; Stephanie M Stern, ‘Smart-Grid: Technology and the Psychology of
Environmental Behavior Change’ (2011) 86 Chicago-Kent L Rev 139–60, 148–60 (commenting on the
difficulty of changing consumer energy consumption habits and arguing that technology and automation
are an effective tool to achieve this result).
9 EDPS Opinion on Smart Metering Systems (n 2) 4–6; David Wright and others, ‘Sorting out Smart
Surveillance’ (2010) 26 Computer L & Security Rev 343–54, 349 (Table 2) (discussing privacy and data
protection concerns related to power meters).
because smart grids may transcend national borders, as illustrated by the fact that
‘the U.S. electrical grid is connected to other nation’s grids across borders’.10
10 The International Smart Grid Action Network (ISGAN) is an international partnership that was created
to focus on aspects of the smart grid where governments have regulatory authority including policy,
standards and regulation, finance and business models, technology and systems development, user and
consumer engagement and workforce skills and knowledge. US Energy Framework for the 21st Century
(n 3) 60. ISGAN is covered by an Implementing Agreement under the International Energy Agency’s
Framework for International Technology Co-Operation. At least 19 countries including the USA and the
European Commission participate in ISGAN. ibid.
11 US Energy Framework for the 21st Century (n 3) 60 (commenting that ‘the interoperable networked na-
ture of smart technologies may enable certain applications to connect across the Internet’).
12 The scope of this article’s analysis is limited to privacy impacts for energy end-users and it focuses on
consumers who have smart meters installed in their homes to facilitate smart grids. While smart meters
may be installed for electricity, gas and other household energy sources, for simplicity, this article will
focus on smart meters for electricity. It is recognized that end-users/energy users with smart meters con-
nected to smart grids may be households, small or medium sized business enterprises and even large cor-
porations and conglomerates. This article focuses on information privacy concerns of households,
referred to in this article as consumers or customers. Further, in the smart grids of the future, consumers
may become home energy producers as well as end-users, for example, when they acquire electric vehicles
or solar power producing equipment that may produce excess power that could be sold on the smart
grid. Pront-van Bommel (n 7) 36.
13 The scope of the article addresses data protection concerns as well as traditional privacy rights, including
potential impairment of the individual’s right to ‘respect for his or her private and family life, home and
communications,’ as provided by art 8 of the European Convention on Human Rights (ECHR). See gen-
erally, Joseph Savirimuthu, ‘Smart Meters and the Information Panopticon: Beyond the Rhetoric of
Compliance’ (2013) 27(1–2) Intl Rev L, Computers & Technol 161–86, (analysing application of data
protection and privacy rights to smart meters in the context of the UK’s Smart Meter Implementation
Programme (Programme) and proposing a policy framework to address how innovation and privacy
issues can be better addressed in this Programme).
consumer privacy in the context of smart metering systems and data sharing. Section
4 describes the types of consumer data produced by smart metering systems. Section
2. OVERVIEW OF SMART GRIDS AND SMART METERING SYSTEMS
Generally speaking, smart grids are ‘energy networks that can efficiently integrate the
behaviour and actions of all users connected to them in order to ensure an economically
efficient, sustainable power system with low losses and high quality and security
of supply and safety’.14 Smart grids enable dynamic pricing and more complex tariff
structures that allow customers to buy energy at constantly changing prices, thereby
cutting demand at peak times.15 In addition to facilitating overall better management
of the energy supply, dynamic pricing is considered essential to integrate renewable
energy sources and electrical vehicles into the power grid.16 There is not just one
smart grid, but many, and they ‘exist on various scales, ranging from a [small project
to create a] highly self-sustained network to facilitate a small generated energy supply
to [large projects] that turn the existing local grid into a cross border super grid simply
by making use of the available ICT [information and data communication technology]
infra-structure’.17
14 Commission’s Recommendation on smart metering systems (n 2) para 3(b), n 1 (referencing the defin-
ition of smart grids used by the EU Smart Grid Task Force). In EISA, Congress described 10 characteris-
tics of smart grids. 42 USC s 17381.
15 EDPS Opinion on Smart Metering Systems (n 2) 4.
16 ibid; Frisby and Trotta (n 3) 302–03.
17 Ann-Sofie Vanwinsen, ‘Smart Grids: Legal Growing Pains’ [2012] European Energy & Environ L Rev
142–50, 142 (characterizing smart meters as an indispensable part of smart grids); Pront-van Bommel
(n 7) 36 (commenting that ‘smart grids cannot be developed without the underlying support of highly
advanced innovative information and data communication technologies (ICT)’); Art 29 Opinion 12/2011,
(n 2) 6. ‘Smart grids thus encompass a much wider area than smart metering, but smart metering is
an important first step towards the smart grid: smart meters bring intelligence to the “last mile” between
the grid and the final customer; without this key element, the full potential of the smart grid will not be
realized.’ Final Deliverable of the EU Commission’s Smart Grid Task Force, ‘Expert Group 1:
Functionalities of smart grids and smart meters’, 16 (December 2010) (Final Deliverable EU Smart Grid
Task Force) <http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/expert_group1.pdf> accessed
18 October 2013.
18 Smart metering systems typically include household-level smart energy meters and related information
technology support systems. See generally, ‘Smart Meters and Smart Meter Systems: A Metering
Industry Perspective’ EEI-AEIC-UTC White Paper, Edison Electric Institute, (March 2011) 7–8 (com-
menting that the combination of electricity meters with two-way communications technology for infor-
mation, monitor and control is commonly referred to as AMI, while the previous systems utilizing
one-way communications to collect meter data were referred to as AMR (Automated Meter Reading)
Systems, but it was not until the Smart Grid initiatives were established that these meters and systems
were referred to as Smart Meters and Smart Meter Systems) <http://www.aeic.org/meter_service/
smartmetersfinal032511.pdf> accessed 18 October 2013.
19 Stern (n 8) 139.
20 Office of Elec & Energy Reliability, US Dep’t of Energy, Demand Response (Demand Response)
<http://energy.gov/oe/technology-development/smart-grid/demand-response> accessed 18 October
2013.
21 Art 29 Opinion 12/2011, (n 2) 9 (discussing smart grid models that include a network operator/DSO,
which owns the grid and is responsible for the installation and running of a smart metering system). For
simplicity, reference to energy supplier will be assumed to include network operators and other interme-
diaries in this article, unless a distinction between the entities is necessary for the privacy analysis herein.
22 Communications Requirements of Smart Grid Technologies, Department of Energy, 12 (5 October
2012) <http://energy.gov/sites/prod/files/gcprod/documents/Smart_Grid_Communications_Require
ments_Report_10-05-2010.pdf>. The US Federal Energy Regulatory Commission (FERC) defines AMI
as ‘meters that measure and record usage data at hourly intervals or more frequently, and provide usage
data to both consumers and energy companies at least once daily’. Instructions and Glossary, Demand
Response & Advance Metering, FERC <http://www.ferc.gov/industries/electric/indus-act/demand-
response/2012/survey.asp> accessed 18 October 2013.
23 DOE Data Access and Privacy Report (n 5) 6, 9 (commenting that ‘the current state of the art, in terms
of the granularity of data collected by utilities [energy suppliers] using advanced metering, cannot yet
identify individual appliances and devices in the home in detail, but this will certainly be within the capa-
bilities of subsequent generations of Smart Grid technologies’).
24 Commission’s Recommendation on Smart Metering Systems (n 2) para 3(b); Art 29 Opinion 12/2011
(n 2) 6; EDPS Opinion on Smart Metering Systems (n 2) 4.
different forms: an in home display on a smart meter; a home area network accessed
using customer’s smart phone; or an individual web-based account on a website pro-
25 ‘Smart Metering Implementation Programme, Data Access and Privacy, Consultation Document’
Department of Energy & Climate Change, United Kingdom, 21-23 (April 2012) (U.K. Smart Meter
Consultation Document) <http://www.decc.gov.uk/assets/decc/11/consultation/smart-metering-imp-
prog/4933-data-access-privacy-con-doc-smart-meter.pdf>; DOE Data Access and Privacy Report (n 5) 7.
The UK Smart Meter Consultation Document proposes to require energy service providers to provide
smart meters that include an in home display that will enable customers to view their energy use data in
near real time. UK Smart Meter Consultation Document, p 21. Home Area Networks (HANS) enable a
consumer to access the data stored on a smart meter in their home through a secure connection. UK
Smart Meter Consultation Document, p 21. In the future, home energy management systems (EMS)
promise to give homeowners the ability to access and operate networked appliances remotely, providing
them with the ability to turn lights, air conditioners, and other appliances and equipment on or off from
other locations, such as their jobs. US Energy Framework for the 21st Century (n 3) 37.
26 See ‘Smart Metering’, Echelon’s Smart Metering Solution, Echelon<http://www.echelon.com/applica
tions/smart-metering/> accessed 18 October 2013, and ‘Echelon Secures $ 16 Million Smart Grid
Project for NRGi in Denmark’, Echelon <http://www.echelon.com/company/news-room/2011/nrgi
project.htm> accessed 18 October 2013. See also, ‘What is Opower?’<http://opower.com/what-is-
opower> (describing Opower as a new customer engagement platform for the utility industry (energy
supplier), with tools to help consumers use energy more efficiently that are available only through con-
sumers’ utility providers including electricity and gas (accessed 18 October 2013). Utilities throughout
the US are participating in Opower. ibid.
27 Kevin Doran, ‘Climate Change And The Future Of Energy: Privacy and Smart Grid: When Progress And
Privacy Collide’ (2010) 41 The University of Toledo L Rev 909–23, 910.
28 Frisby and Trotta (n 3) 302 (discussing who will benefit from the smart grid and the concept of ‘cus-
tomer disintermediation’, an occurrence in which vendors offer attractive energy products and services to
customers that will allow customers to bypass their local utility); Andreas SV Wokutch, ‘Energy
Regulation: The Role of Non-Utility Service Providers in Smart Grid Development: Should They Be
Regulated, And if So, Who Can Regulate Them?’ (2011) 9 J Telecommunications & High Technol L
532–71, 535–38 (describing the role of non-utility service providers).
29 Denmark has established the so called ‘DataHub’ which by its full implementation is supposed to admin-
ister all transactions and communications between all the players in the Danish electricity market, includ-
ing the possibility for customers to easily access their consumption data, change supplier and the
possibility of consenting to third party access to their data. Regarding the DataHub <http://energinet.
dk/EN/El/Datahub2/Sider/DataHub.aspx> accessed 18 October 2013.
and energy management services that are designed to help consumers control house-
hold energy uses and energy bills.30
30 Wokutch (n 28) 535–37 (describing types of non-utility services and examples of companies that offer
these services).
31 EDPS Opinion on Smart Metering Systems (n 2) 4.
32 Art 13 of the Directive 2006/32 of 5 April 2006 on the energy end-use efficiency and energy services and
repealing council Directive 93/76, OJ L 114/64, 27.04.2006 (Energy Services Directive). See also,
Commission’s Recommendation on Smart Metering Systems (n 2) preamble para 2 (referencing the two
directives that require this action by Member States for electricity and natural gas markets); Vanwinsen
(n 17) 142 (commenting that the Energy Services Directive requires Member States to ensure final cus-
tomers are provided with affordable individual meters, but stating that installation of meters is not manda-
tory in all circumstances as Member States have three justifications for not requiring installation of smart
meters: technical impossibility, financial unreasonability and disproportionate benefit in relation to the
potential energy savings). Vanwinsen also discusses the role of soft law and the possible need for new EU
legislation. Vanwinsen (n 17) 142, 149.
33 Over 25 US states have already adopted policies regarding smart grid technology, resulting in different
smart grids at the state level. US Energy Framework for the 21st Century (n 3) 2.
34 The National Science and Technology Council (NSTC) Subcommittee on Smart Grid has taken the lead
to outline the federal policy framework on the smart grid. ibid. See also, Frisby and Trotta (n 3) 305–11
(providing an overview of the many federal agencies involved in regulating the smart grid in the USA). It
is not clear whether the federal government, particularly the Federal Energy Regulatory Commission
(FERC), has the legislative authority to direct the states to implement any particular retail customer poli-
cies or programmes regarding smart meters and consumer privacy. Frisby and Trotta (n 3) 310.
35 See generally, Data Protection Directive (n 5). See also, Proposal of the European Parliament and of the
Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free
Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (25 January 2012)
(Draft Data Protection Regulation).
protects an individual’s ‘right to respect for his or her private and family life, home
and communications’.36 This comprehensive legislative and regulatory framework
36 See Article 8 of the European Convention for the Protection of Human Rights and Fundamental
Freedoms (ECHR). In addition to privacy rights articulated in the ECHR, most Member States in the
EU have agreed to an international treaty on data protection known as Convention 108. See Convention
for the Protection of Individuals with regard to Automatic Processing of Personal Data including its
additional protocol (CETS 108, 1981 and CETS 181, 2001, hereinafter Convention 108). The scope of the
individual right of privacy under art 8 of the ECHR goes beyond data protection, ‘covering all activities
regarded as constituting private and family life’, and providing an ‘extra layer of safeguards for physical,
personal and psychological development’. Savirimuthu (n 13) 172. In contrast, the scope of data protec-
tion law is generally limited to ‘biographical information of a data subject’. ibid.
37 See generally, Commission’s Recommendation on Smart Metering Systems (n 2); EDPS Opinion on
Smart Metering Systems (n 2); Art 29 Opinion 12/2011 (n 2).
38 See generally, European Smart Metering Landscape Report 2012 (n 1) (summarizing legislation and pro-
posed legislation in EU Member States regarding smart meter implementation programmes). ‘Due to EU
legislation, such as the Energy Services Directive and the 3rd Energy Package, a majority of the countries
in Europe already have or are about to implement some form of legal framework for the installation of
smart meters.’ European Landscape Report 2012 <www.smartregions.net/default.asp?SivuID=26927>
accessed 2 March 2014. See also, the proposed regulatory guidance on data access and privacy for smart
metering programmes in the UK. UK Smart Metering Implementation Programme, Data Access and
Privacy, Consultation Document’ Department of Energy & Climate Change, United Kingdom, pp 21–23
(April 2012) (UK Smart Meter Consultation Document) <https://www.gov.uk/government/uploads/
system/uploads/attachment_data/file/43043/4933-data-access-privacy-con-doc-smart-meter.pdf>
accessed 2 March 2014.
39 It is important to note that there are typically more primary sources of law in common law countries
such as the USA than found in the many EU Member States (with the exception of the UK) that typically
follow civil law legal traditions. In the USA, legislation, court opinions, administrative law (rules, deci-
sions, orders, etc) and constitutions may all be primary sources of law. However, when there is a conflict,
legislation will typically be superior to administrative law and court opinions and, based on the supremacy
clause of the US Constitution, federal sources of law will be superior to state sources of law. The US
Constitution may create consumer privacy rights that limit government intrusions into consumer privacy,
but it does not restrain private business activities, so the federal constitution is not a source of informa-
tion privacy rights for consumers with regard to business uses of consumer data. See generally, Nancy
King, ‘Fundamental Human Right Principle Inspires U.S. Data Privacy Law, But Protection Are Less
Than Fundamental’ in Challenges of Privacy and Data Protection Law (Cahiers Du Centre De Recherches
Informatique Et Droit 2008) 71–98. However, state constitutions, including California’s constitution,
may include an individual right of privacy that applies in governmental and private business contexts. See,
eg California Constitution, Art I, s 1; Hill v NCAA, 865 P.2d 638 (California, 1994).
(decisions and orders adopted under state administrative law procedures by state
public utility commissions). In states such as California that have adopted legislation
40 California Public Utility Code, s 8380 (2012) (CPUC s 8380) (defining electrical or gas consumption
data and establishing information privacy requirements for such data including limitations on data sharing
in state legislation applicable to privately owned and publicly owned public utilities); Decision Adopting
Rules to Protect Privacy and Security of the Electricity Usage Data of the Customers of Pacific Gas and
Electric Company, Southern California Edison Company, and San Diego Gas & Electric Company,
Rulemaking 08-12-009, California Public Utilities Commission (29 July 2011) (CPUC Rulemaking
08-12-009).
41 See a more detailed discussion and comparison of EU and US information privacy law in Nancy King
and Pernille W Jessen, ‘Profiling the Mobile Customer – Privacy Concerns when Behavioural Advertisers
Target Mobile Phones – Part I’ (2010) 26 Computer Law & Security Rev 455–78.
42 Federal Trade Commission Act, 15 USC s 45 (2012). Unfair practices involve substantial harm to con-
sumers where the harm is not reasonably avoidable by consumers and the benefits of the practices to con-
sumers do not outweigh the harm. Deceptive practices include material misrepresentations or omissions
that are likely to mislead reasonable consumers.
43 Health Insurance Portability and Accountability Act of 1996, Pub L No 104-191, 110 Stat 1936 (codified,
as amended, in 42 USC s 1320d-2 (2012) (HIPAA) (HIPAA and regulations adopted under HIPAA set
the standards for protecting the privacy of personally identifiable health information (PHI)); Gramm-
Leach-Bliley Act of 1999, 15 USC ss 6801–6809 (2012) (requires financial institutions to provide infor-
mation privacy protections for non-public personal information including financial data); Fair Credit
Reporting Act of 1970, 15 USC s 1681 et seq. (requires credit reporting companies and parties that use
credit reports to follow fair information practices principles regarding consumers’ data); Children’s
Online Privacy Protection Act of 1998, 15 USC ss 6501–6506 (2012) (requires online businesses that
target children to protect the personal data of children under 13).
44 Electronic Communications Privacy Act, 18 USC s 2510 et seq (2012); Computer Fraud and Abuse Act,
18 USC s 1030 et seq (2012).
45 DOE Data Access and Privacy Report (n 5); ‘Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers’ Federal Trade Commission, (2012), 1-112, 15-71
(FTC’s 2012 Report) <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf> accessed 2 March
2014; ‘Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and
Promoting Innovation in the Global Digital Economy’ The White House, Washington, DC, 1-52, 47-48
(2012) (Obama’s Consumer Privacy Bill of Rights) <http://www.whitehouse.gov/sites/default/files/
privacy-final.pdf> accessed 2 March 2014. See also, Michael Pryor, ‘The White House Consumer Privacy
Bill of Rights: Implication for Smart Grid Privacy Regulation’ Smart Grid Update, DowLohnes, PLLC
(24 February 2012).
46 Angelique Carson, ‘Stakeholders Aim to Craft Smart Grid Privacy Code of Conduct’ The Privacy Advisor
(27 February 2013).
47 See Privacy Smart, Powered by TRUSTe <http://www.futureofprivacy.org/issues/smart-grid/>
accessed 2 March 2014. This privacy seal covers companies that seek to access consumer energy data,
including data from a device like a smart appliance, thermostat or smart meter and for companies that
seek access to energy data from a utility. The privacy seal does not cover collection or use of data by en-
ergy suppliers for billing, operations, demand response, etc. To display the privacy seal, a company must
agree to TRUSTe’s Smart Grid Privacy Guidelines. ibid.
48 Unless Congress takes the legislative step of enacting a statute that adopts the National Institute of
Standards and Technology’s guidelines for privacy and the smart grid or it enacts other legislation that
establishes other federal consumer privacy rules applicable to smart metering systems or consumer data,
it is likely that there will be no federal information privacy law that protects consumers’ privacy in this
context. Leaving regulation of the smart grid to the states is consistent with the view that state public util-
ity commissions, as opposed to federal regulatory agencies, should have regulatory authority over public
utilities including energy suppliers. John R Forbush, ‘Regulating the Use and Sharing of Energy
Consumption Data: Assessing California’s SB 1476 Smart Meter Privacy Statute’ Albany Law Review
(2011/2012) 75, 341–77, 341; NISTIR 7628, (n 6). Alternatively, Congress could give a federal adminis-
trative agency, such as the Department of Commerce, authority to adopt administrative rules to protect
consumers’ privacy with regard to their smart meter data, but it is not clear whether Department of
Commerce or the NIST currently has this authority. Further, some commentators argue that state public
utility commissions only have regulatory authority over energy suppliers in their states, and that they do
not have authority to regulate third party energy service companies’ or other third parties’ use of smart
metering data. In situations where no other federal or state laws provide information privacy protections
for consumers’ in smart metering systems, this leaves consumer privacy regarding smart metering data to
weak consumer protection laws and industry self-regulation. See Frisby and Trotta (n 3) 339; DOE
Access and Privacy Report (n 5)15.
4. TYPES OF CONSUMER DATA PRODUCED BY SMART METERING SYSTEMS
‘Meter register read. This could be a single reading or a group of readings for a
more complex tariff;
Alerts. The meter may transmit a message informing that an event has trig-
gered the meter’s alarm;
Network level information such as voltages, power outages and power quality;
[and]
Load graphics with various levels of detail.’52
The Article 29 Working Party also lists other types of data processed by smart
metering systems, which this article will refer to as ‘identification and transmittal
data’, including:
This rich source of data will be very useful to energy suppliers or network oper-
ators for primary uses that include managing the efficiency of the energy grid, provid-
ing energy to customers, billing customers and monitoring whether some customers
may be receiving energy without paying. Furthermore, secondary uses for the data
are likely to be found and third parties are likely to seek access to smart metering
data.
53 ibid.
54 Doran (n 27) 910 (commenting that ‘The essential innovation behind the smart grid is information –
highly detailed [energy] usage data communicated by and between the [energy supplier], the consumer,
and in many instances, third-party vendors…. This information – and the extrapolations that can be
made from it – is what enables the smart grid to be “smart,” [and] it is also what makes the smart grid so
potentially invasive of individual privacy.’). Further, ‘the Smart grid data is a double-edged sword. The
sharper the blade in terms of informational granularity, the more it can be wielded to achieve both soci-
etal benefits such as grid reliability and energy efficiency and invasions of privacy’. ibid.
55 See generally, Council of Europe, recommendation on the protection of individuals with regard to automatic
processing of personal data in the context of profiling, the Committee of ministers to member
states (Adopted by the Committee of Ministers on 23 November 2010 at the 1099th meeting of the
Ministers’ Deputies) <https://wcd.coe.int/ViewDoc.jsp?id=1710949&Site=CM&BackColorInternet=C3C3C3&BackColorIntranet=EDB021&BackColorLogged=F5D383> accessed 2 March 2014;
Mireille Hildebrandt, ‘Defining Profiling: A New Type of Knowledge’ in Mireille Hildebrandt and Serge
Gutwirth (eds), Profiling the European Citizen, Cross-Disciplinary Perspectives (Springer 2008) 17–45
(Profiling the European Citizen). See also, Luiz Costa and Yves Poullet, ‘Privacy and Regulation of 2012’
(2012) 28(3) Computer L & Security Rev 254–62 (discussing profiling and the application of the Data
Protection Directive and Proposed Regulation on Data Protection to consumer profiling); King and
Jessen (n 41) 455–78 (providing background on consumer profiling and analysing the privacy and data
protection concerns in the context of profiling mobile customers).
56 Ana Canhoto and James Backhouse, ‘General Description of the Process of Behavioural Profiling’ in
Mireille Hildebrandt and Serge Gutwirth (eds), Profiling the European Citizen (Springer 2008) 47–63, 55
(discussing the use of internal and external sources of data by an organization that can be considered in
the profile building process).
living in the household, their sex, race, age, income levels, and appliances owned) or
online tracking data about consumers’ search and shopping behaviour would facili-
57 EDPS Opinion on Smart Metering Systems (n 2) 5 (commenting that ‘with the sheer amount of informa-
tion that is being amassed by these smart meters, ubiquitous availability of data from other sources, and
advances in data mining technology, the potential for extensive data mining is very significant. Patterns
can be tracked at the level of individual households but also for many households, taken together, aggre-
gated, and sorted by area, demographics, and so on. Profiles can thus be developed, and then applied
back to individual households and individual members of those households.’).
58 EDPS Opinion on Smart Metering Systems (n 2) 5. See also, DOE Data Access and Privacy Report
(n 5) Appendix E (commenting that energy use patterns that identify specific appliances or devices ‘may
indicate a medical problem of a household member or visitor; the inappropriate use of an employer
issued device to an employee that is a household member or visitor; the use of a forbidden appliance in a
rented household’).
59 Profiling has the potential to interfere with fundamental human rights including the right to privacy. For
example, ‘profiling may…increase the informational imbalance between consumers, on the one hand, and
energy suppliers or other third parties who wish to market goods and services to consumers; the more in-
formation a consumer discloses about himself, the easier it will be for any party who wishes to sell him a
product or service to turn such informational advantage to its own benefit, for example, to engage in price
discrimination’. EDPS Opinion on Smart Metering Systems (n 2) 5–6.
60 Art 29 Opinion 12/2011 (n 2) 8–11 (discussing the concept of data controller as it applies to smart
meters).
energy use data also relates to them.61 Third parties may include energy service man-
agement companies with whom the consumer’s energy use data has been shared,
61 DOE Data Access and Privacy Report (n 5) Appendix E-1 (commenting that ‘personal information
within the Smart Grid…. is expanded beyond the normal “individual” component because there could be
negative privacy impacts for all individuals within one dwelling…; the energy use pattern could be con-
sidered unique to a household…similar to how a fingerprint or DNA is unique to an individual’).
62 UK Smart Meter Consultation Document (n 25) 54 (commenting that ‘the term “third party” generally
refers to non-licensed parties, such as energy services companies and switching sites. However, suppliers
wishing to provide services to a customer for whom they are not currently the registered supplier (for ex-
ample, in order to provide a tariff quote to a potential customer) should also be considered to be a “third
party” ’).
63 EDPS Opinion on Smart Metering Systems (n 2) 5–6. The US experience has shown that third-party re-
quests to utilities for data about their customers’ energy usage have come from many sources, including:
energy services providers, law enforcement, regulators, attorneys, researchers, municipalities and real es-
tate agents. Angelique Carson, ‘Consumer Data Privacy Concerns Persist in Smart Grid Plans’ The
Privacy Advisor (21 November 2011); Seminar, ‘Smart-Grid Privacy: Managing Electricity’s Digital
Signature’ International Association of Privacy Professionals (8 December 2011) (IAPP Programme).
64 EDPS Opinion on Smart Metering Systems (n 2) 5–6.
65 See n 28 and accompanying text for a discussion of NUSPs and related sources.
Service Providers (ESPs).66 These new companies are being formed to provide
value-added services to consumers or to other parties, such as energy suppliers (util-
66 These new types of third party energy service companies may be called by different names including
Energy Service Providers (ESPs) or Energy Service Companies (ESCs). Commission’s Recommendation
on Smart Metering Systems (n 2) para 20; Art 29 Opinion 12/2011 (n 2) 12. When personal energy use
data is disclosed to a third party energy service provider, it becomes a data controller under the Data
Protection Directive (95/46/EC). ibid. See discussion of Opower n 26, for examples of third party energy
service providers operating in the EU and the USA. See IAPP program: 3rd parties: Energy Services
Providers. In this article the term Non-utility Service Providers (NUSPs) will be used, distinguishing
them from energy suppliers, which are often referred to as utilities in the USA.
67 NISTIR 7628 (n 6) 35.
68 Jaikumar Vijayan, ‘Researcher Releases Smart Meter Hacking Tool’ Computerworld (20 July 2012)
<http://www.computerworld.com/s/article/9229384/Researcher_releases_smart_meter_hacking_tool> accessed 18 October 2013.
69 EDPS Opinion on Smart Metering Systems (n 2) 11.
70 The distinction between primary and secondary purposes for using smart meter data is also reflected in
the findings of the US Department of Energy in its study of data access and privacy issues related to smart
meter technologies. For example, the DOE say energy suppliers (utilities) ‘should continue to have access
to CEUD [consumer-specific-energy-usage data] and be able to use that data for utility-related business
purposes like managing their networks, coordinating with transmission and distribution-system operators,
billing for services, and compiling it into anonymized and aggregated energy-usage data for purposes like
reporting jurisdictional load profiles’. DOE Data Access and Privacy Report (n 5) 10 (italics added for
emphasis).
To illustrate, consistent with the EDPS opinion, a primary purpose for using
smart meter data is to enable the energy supplier (and/or the network operator) to
71 Froehlich and others, ‘Disaggregated End-Use Energy Sensing for the Smart Grid’ IEEE Pervasive
Computing, (January-March 2011)10-1, 28-39.
72 Art 29 Opinion 12/2011 (n 2) 8–12 (discussing the role of data processor following instructions of the
data controller).
73 EDPS Opinion on Smart Metering Systems (n 2) 14 (discussing the rights of data subjects to meter read-
ings, profiles, etc). Consumers could choose to share their smart meter data with third parties in exchange
for something of value to be gained. See Commission’s Recommendation on smart metering systems
(n 2) para 20.
74 DOE Data Access and Privacy Report (n 5) 11.
75 ibid 11–12.
76 ibid.
and energy use data produced by smart metering systems may have high commercial
value. For example, energy-use patterns and profiles based on smart meter data can
(v) Access and Accuracy, (vi) Limits on Collection, further processing and retention
and (vii) Accountability.85 Additionally, privacy notions encompassing personal au-
85 Comparison of the data protection principles outlined in the FTC’s 2012 Report, Obama’s Consumer
Privacy Bill of Rights and the EU Data Protection Directive reveals that they describe essentially the same
basic principles. The one exception to this apparent consensus on applicable data protection principles is
the EU’s principle regarding restrictions on data export. The principle of restriction on data export to
countries that lack adequate data protection laws is included as a guiding principle in the Data Protection
Directive, but such a principle is not discussed in the FTC’s 2012 Report or in Obama’s Consumer
Privacy Bill of Rights. See generally, FTC’s 2012 Report (n 45); Obama’s Consumer Privacy Bill of
Rights (n 45); Data Protection Directive (n 5); Nancy King and VT Raja, ‘What Do They Really Know
About Me In The Cloud? A Comparative Law Perspective on Protecting Privacy And Security of
Sensitive Customer Data’ (2013) 50(2) American Business L J 413–82, Exhibit A (providing a compari-
son of the privacy and data protection principles from the FTC’s 2012 Report, Obama’s Consumer
Privacy Bill of Rights and the Data Protection Directive).
86 See Treaty of Lisbon amending the Treaty on European Union, the Treaty establishing the European
Community, OJ C 306/1, 17.12.2007 (recognizing Article 8 of the European Convention for the
Protection of Human Rights and Fundamental Freedoms (ECHR) and requiring Members of the
European Union to respect the fundamental rights guaranteed by the Convention), consolidated version
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2007:306:0001:0010:EN:PDF> accessed
18 October 2013. The Charter of Fundamental Rights of the European Union provides:
‘Everyone has the right to the protection of personal data concerning him or her.’ Charter of
Fundamental Rights of the European Union, art 8, 2000 OJ C 364/1 (hereinafter EU Charter)
<http://www.europarl.europa.eu/charter/pdf/text_en.pdf> accessed 18 October 2013. Costa and Poullet (n 55)
255. US law has long recognized privacy as a general notion and as an individual right. US scholars have
been instrumental in developing arguments that personhood, or the right to define one’s self, is a core
privacy value to be protected by law. Samuel Warren and Louis Brandeis, ‘The Right to Privacy’ (1890) 4
Harvard L Rev 193–95 (arguing individuals have a ‘right to be let alone’); Nancy King, ‘Fundamental
Human Right Principle Inspires U.S. Data Privacy Law, But Protections Are Less Than Fundamental’ in (n
39) 71–98, 76 (CRID treatise) (discussing the evolution of privacy law in the USA and concluding US
privacy law falls short of protecting data privacy as a fundamental human right).
87 According to Ann Cavoukian, Information and Privacy Commissioner of Ontario, Canada, ‘Privacy by
Design advances the view that the future of privacy cannot be assured solely by compliance with regulatory
frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.’
Comments to Federal Trade Commission’s Privacy Roundtable (24 February 2010)
<http://ftc.gov/os/comments/privacyroundtable/544506-00096.pdf> accessed 2 March 2014. See also, ‘Privacy by
Design: Achieving the Gold Standard in Data Protection for the Smart Grid’ Information & Privacy
Commissioner of Ontario and Toronto Hydro Corporation (June 2010) (Ontario Study on Privacy by
Design); ‘Applying Privacy by Design Best Practices to SDG&G’s Dynamic Pricing Project,’ Information
and Privacy Commissioner, Ontario, Canada and San Diego Gas & Electric, San Diego, California,
(March 2012) 5-6 (SDG&G’s Dynamic Pricing Project & Privacy By Design).
88 Data protection by design is a concept discussed in the EU Commission’s Recommendation on the Roll-
Out of Smart Metering Systems. Commission’s Recommendation on Smart Metering Systems (n 2) para
3(d) (defining data protection by design as ‘data protection by design requires to implement, having re-
gard to the state of the art and the cost of implementation, both at the time of determination of the
With the above guiding principles regarding data protection and privacy in mind,
we identify the following consumer privacy and data protection concerns about the
6.1 Who is the data subject when there is a smart meter in a home?
Most data protection and privacy regulation focuses on individual natural persons.90
However, in the context of smart metering systems, possible answers to the question
of ‘who is the data subject’ include: (i) just the subscriber on the account with the
energy supplier, (ii) all family members residing in the home serviced by the energy
supplier, (iii) all family and other residents in the home serviced by the energy sup-
plier, including guests, (iv) all residents and entities in the home serviced by the en-
ergy supplier, including natural persons and legal persons such as home-based
businesses. The risks and possible negative consequences associated with sharing
household energy use data produced by a smart metering system are common con-
cerns for individuals residing together. This is also true whether the individuals are
residing together on a longer-term basis or temporarily while visiting the household,
although the privacy impact related to sharing data that has been collected over a
longer period would likely be greater for longer-term residents. Given the shared
risks and possible negative consequences of sharing smart meter data, a more inclu-
sive definition of data subject that includes a group of natural persons living together
in a residence should be adopted to guide data protection and privacy protections
for smart meter data.91 Additionally, guests of the home should be included in the
privacy protections along with other residents of the home, such that temporary as
well as more permanent residents in the home will have their privacy protected.92
means for processing and at the time of the processing itself, appropriate technical and organizational
measures and procedures in such a way that the processing will meet the requirements of the Directive
95/46/EC and ensure the protection of the rights of the data subject’). Further, the Commission’s
Recommendation on Smart Metering Systems says ‘data protection by default’ ‘requires to implement
mechanisms for ensuring that, by default, only those personal data are processed which are necessary for
each specific purpose of the processing and are especially not collected or retained beyond the minimum
necessary for those purposes, both in terms of the amount of the data and the time of their storage’.
Commission’s Recommendation on Smart Metering Systems (n 2) para 3(e). In the context of the UK’s
proposed framework, see further: Ian Brown, ‘Britain’s Smart Meter Programme: A Case Study in Privacy
by Design’ (2013) Intl Rev L Computers & Technol.
89 For discussion of the distinction between data protection and broader personal privacy notions that in-
clude personal liberty and autonomy, see Costa and Poullet (n 55) 255 (discussing the fundamental
human rights which include privacy and the relation of privacy rights to personal data protection and stat-
ing privacy is not limited to data protection; rather data protection is a ‘simple tool for conserving the dif-
ferent human liberties rather than as an end per se’).
90 See, eg Data Protection Directive (n 5) art 2(a) (data subject refers to an identified or identifiable natural
person).
91 NISTIR 7628 (n 6) Appendix E.2 (supporting privacy protections for households).
92 ibid. (recognizing that smart meter data may reveal presence of a visitor with a medical problem).
A possible weakness of defining the data subject for purposes of smart metering
systems to include all residents of a home and guests is that disputes may arise be-
93 UK Smart Meter Consultation Document (n 25) 55 (commenting that ideally the verification of consent
by the third party to access smart meter data should be that the person giving consent is a named party
on the energy supply contract for the home, but this may not be practical for third parties that are not
involved in the consumer’s energy supply contract).
94 US regulators are more likely to favour privacy protections for businesses as well as individuals, while EU
data protection regulation has historically only protected individuals. DOE Data Access and Privacy
Report (n 5) 12 (finding all classes of electric utility customers including businesses should be entitled to
the privacy of their own energy-use data, not just residential consumers); Data Protection Directive,
(n 5) art 2(a) (providing data protection only for identifiable natural persons and not for legal entities).
However, the UK government is also considering what protection should be applied to small companies
as well as individuals. See also Brown (n 88).
person (or, as discussed above, a group of natural persons), thus giving rise to argu-
ments that it may be freely collected and shared without compliance with data pro-
95 Art 29 Opinion 12/2011 (n 2) 8 (concluding that smart metering data is personal data for several reasons
including the fact that most smart metering data is associated with unique identifiers, such as a meter
identification number, that is inextricably linked with the individual who is responsible for the account,
thus enabling that individual to be singled out from other consumers). See also Data Protection Directive
(n 5), recital 26; Draft Data Protection Regulation (n 81) recital 23 and 24, and Art 29 Data Protection
Working Party, Opinion 08/2012 providing further input on the data protection reform discussions
(01574/12/EN, WP 199, 5 October 2012) 5-6 (suggesting that the notion of identifiability also includes
the possibility of singling out and treating differently a natural person).
96 Decision 11-07-056, California Public Utilities Commission of 28 July 2011, in Rulemaking 08-12-009,
p. 50 (CUPC Rulemaking 08-12-009). These rules require certain regulated electrical energy suppliers in
California and third parties that are under contract with these companies or that acquire or access con-
sumer energy usage data from those utilities to provide privacy and data protection for smart meter data
that is defined as covered information as outlined in the Decision. CUPC Rulemaking 08-12-009,
pp 49–50. The rules do not apply to third parties that obtain consumer energy usage data directly from
consumers. CUPC Rulemaking 08-12-009, p 48.
97 Data Protection Directive 95/46/EC (n 5) art 6; FTC’s 2012 Report (n 45) 20. See also, Peter Maass
and Megha Rajagopalan, ‘That’s No Phone. That’s my tracker’ The New York Times (13 July 2012).
98 This is similar to the FTC’s guidance on when its recommended privacy framework should be applic-
able, with the exception that this paper expands the FTC’s definition of covered information to include
‘household’. FTC’s 2012 Report (n 45) 20.
99 Art 29 Opinion 12/2011 (n 2) 8 (commenting that most smart metering data is associated with unique
identifiers, such as a meter identification number, that is inextricably linked with the individual who is re-
sponsible for the account, thus enabling that individual to be singled out from other consumers).
100 FTC’s 2012 Report (n 45) 20 (commenting that ‘there is significant evidence demonstrating that
technological advances and the ability to combine disparate pieces of data can lead to identification of a
consumer, computer, or device even if the individual pieces of data do not constitute PII’).
101 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal
Aspects of Information Society Services, in Particular e-Commerce, in the Internal Market, 2000 OJ L
(L 178) 1 (2002), as amended by Directive 2009/136/EC (18.12.2009), OJ L 337 to, among other
things, require member states to implement the revisions in their national laws by 25 May 2011 to re-
quire obtaining consent and giving notice regarding the use of cookies for online tracking and the pro-
cessing of cookie data) (E-Privacy Directive, as amended); Article 29 Data Protection Working Party,
Opinion 2/2010 on online behavioural advertising, p 9 (00909/10/EN, WP 171, 22 June 2010) (Art 29
Opinion 2/2010).
regard to what data are covered by existing privacy and data protection regulation
and whether new legislation or other information privacy protections are needed in
102 DOE Data Access and Privacy Report (n 5) 9. See also, EDPS Opinion on Smart Metering Systems
(n 2) 5.
103 ‘Researchers claim smart meters can reveal TV viewing habits’ Metering.com (21 September 2011)
(Metering.com) <http://www.metering.com/node/20028> accessed 18 October 2013.
104 Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms
(ECHR) (providing that ‘everyone has the right to respect for his private and family life, his home and
his correspondence’). Data Protection Directive (n 5) art 4 (preamble para 10) (providing that ‘the ob-
ject of the national laws on the processing of personal data is to protect fundamental rights and free-
doms, notably the right to privacy, which is recognized both in Article 8 of the European Convention
for the Protection of Human Rights and Fundamental Freedoms and in the general principles of
Community law’). Privacy as a fundamental right is also recognized in international law. See, eg,
International Covenant on Civil and Political Rights and Optional Protocol to the International
Covenant on Civil and Political Rights, GA Res 2200 (XXI), UN GAOR, 21st Sess, Supp No 16, UN
Doc A/6316 (1966) (ICCPR). Likewise the privacy of the home is respected under US law. See US
Constitution amend. IV (guaranteeing the right of the people to be secure in their person, houses,
papers and effects, against unreasonable searches and seizures under authority of law).
105 Data Protection Directive (n 5) art 8(1).
unless they have obtained express (opt in) consent to do this.106 Furthermore, some
personal data is not categorized as ‘special’ under the Data Protection Directive, yet
sharing may constitute a use of data that is materially different from the use claimed
when the smart meter data was collected, thus triggering the requirement to obtain
data to the energy supplier and others.117 More work needs to be done on defining
sensitive data in the context of smart metering systems and designing smart metering
for the level of data protection will differ. Also, whether the data sharing is to facili-
tate a primary purpose or a secondary purpose will also be important from a privacy
121 See generally, UK Smart Metering Consultation Document (n 25) (UK’s Proposed Framework).
122 ibid 6–7. The government in the UK is proposing a framework for smart meter data access and privacy
that would be imposed through license conditions for energy suppliers. UK Smart Metering
Consultation Document p 45, Annex A (Draft License Conditions).
123 ibid 24.
124 ibid 6–7. There are some exceptions to the proposed consent rules that may justify access by the energy
supplier to deal with situations involving suspicions of energy theft by the customer, etc. UK Smart
Metering Consultation Document (n 25) 37. ‘The key factor in determining whether an activity consti-
tutes marketing should be whether it involves information about branded products and services, or spe-
cific customer propositions’, and does not include generic energy efficiency advice or information about
products and services for which there is no direct charge to the individual consumer. UK Smart
Metering Consultation Document (n 25) 40.
including more rigorous consent mechanisms. However, the UK’s proposed frame-
work fails to consider anticipated advances in smart metering systems that will enable
125 See, eg Commission’s Recommendation on Smart Metering Systems (n 2) para 42(a) (stating that the
common minimum functional requirements of every smart metering system for electricity should ‘pro-
vide readings directly to the customer and any third party designated by the consumer’); DOE Data
Access and Privacy Report (n 5) 11 (finding ‘consumers should be able to access CEUD and decide
whether third-parties are entitled to access CEUD for purposes other than providing electrical power’);
UK Smart Metering Consultation Document (n 25) 54 (commenting that from a competition point of
view, it will be important for consumers to be able to authorize third party access to their smart meter
data without their energy suppliers’ involvement).
126 DOE Data Access and Privacy Report (n 5) 11. See Art 29 Opinion 12/2011 (n 2) 20–21.
127 See Art. 29 Opinion 12/2011 (n 2) 20–21 (providing its opinion that the data subjects’ rights of access
to information held about them under the Data Protection Directive means that there is an opportunity
to ensure that data subjects are able to exercise their rights easily using tools that enable direct access to
data).
128 See, eg California Public Utilities Code s 8380 (2012) (prohibiting companies from sharing, disclosing
or otherwise making accessible to any third party a customer’s electrical or gas consumption data with-
out the consent of the customer, with certain exceptions); CUPC Rulemaking 08-12-009 (n 40) 135
(California Public Utility Commission Rule 4(a) requires ‘covered entities shall provide to customers
However, even in the EU, concerns about access to smart meter data have
emerged because smart metering systems are being installed that may not actually
upon request convenient and secure access to their covered information…in an easily readable format
that is at a level no less detailed than that at which the covered entity discloses the data to third
parties’).
129 See Art 29 Opinion 12/2011 (n 2) 20–21 (noting that some smart meters may not facilitate direct ac-
cess because they provide only a small text-only display on the meter and do not allow the customer to
access the information already transmitted by the meter, not the display graphics, which are stored in-
side the meter).
130 UK Smart Metering Consultation Document (n 25) 21–22.
131 ibid 21–22.
132 See, eg California Public Utilities Code s 8380 (2012) (prohibiting companies from sharing, disclosing
or otherwise making accessible to any third party a customer’s electrical or gas consumption data with-
out the consent of the customer, with certain exceptions); CUPC Rulemaking 08-12-009 (n 40) 135
(California Public Utility Commission Rule 4(a) requires ‘covered entities shall provide to customers
upon request convenient and secure access to their covered information…in an easily readable format
that is at a level no less detailed than that at which the covered entity discloses the data to third
parties’).
133 NISTIR 7628 (n 6) 21 (finding that smart meter data may be stored in multiple locations to which con-
sumers may not have ready access and recommending that any organization possessing energy use data
about consumers be required to provide access to consumers to their energy use data).
provide, perhaps because it is proprietary in nature and providing the data would
undermine the energy supplier’s competitive advantage.
marketing purposes and it is not sensitive data under the special categories of data
defined in the Data Protection Directive, the energy service provider would be per-
139 ibid. But see discussion of the opt in requirements for downloading cookies to track consumers’ online
behaviour and accessing and using cookie data to produce direct marketing solicitations. E-Privacy
Directive (n 101) art 5(3). See also, DIRECTIVE 2009/136/EC OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL of 25 November 2009, amending Directive 2002/22/EC
on universal service and users’ rights relating to electronic communications networks and services,
Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the
electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between na-
tional authorities responsible for the enforcement of consumer protection laws, O J (L 337/11), para 66
(25 November 2009) (EU Cookie Directive).
140 CPUC s 8380(b)(1-2).
141 CPUC s 8380(e)(1-3).
142 Obama’s Consumer Privacy Bill of Rights (n 45) 47–48.
6.7 Should consumers have the legal right to opt out of having a smart meter or otherwise choose not to share smart meter data?
143 See European Smart Metering Landscape Report 2012 (n 1) 59 (commenting that ‘the main beneficial
items (in order of positive contribution) are energy savings, savings on call centre costs, a lower cost
level as a result of the market mechanism (increased switching) and savings in meter reading costs’).
144 See, eg Angela Beniwal, ‘Utilities Are Getting Ahead Of Smart Meter Opt-Out Demands’ Renew Grid
(28 February 2012) (reporting on the California Public Utility Commission’s vote to create an opt-out
program and the resulting programs put in place by electrical and gas utilities in California)
<http://www.renew-grid.com/e107_plugins/content/content.php?content.8097> accessed 18 October 2013. In
the Netherlands, consumer privacy concerns led to a significant delay in the roll-out for smart meters
after the Dutch Senate, in April 2009, rejected a proposal for mandatory smart metering deployment.
European Smart Metering Landscape Report 2012, SmartRegions Deliverable 2.1, Vienna, p 58–60
(October 2012) (European Smart Metering Landscape Report 2012) <www.smartregions.net> accessed
18 October 2013.
145 Order Dismissing Complaint, State of Maine Public Utilities Commission, regarding Ed Friedman, and
others, Request for Commission Investigation into Smart Meters and Smart Meter Opt-Out, Docket No
2011-262 (31 August 2011) (providing background details regarding complaints filed by customers regarding
smart meter installation and opt-out alternatives that led to a previous Order by the State of
Maine’s Public Utility Commission directing a local utility to include opt out alternatives as part of its
smart meter initiative).
of the first states to pursue widespread implementation of smart meters. The Maine
Supreme Judicial Court issued the first reported court decision involving challenges
146 Friedman and others v Public Utilities Commission, 2012 ME 90, 2-3 (Maine Supreme Judicial Court, 12
July 2012) (Friedman v. PUC).
147 Order Approving Installation of AMI Technology, No. 2007-215(II), Order (Maine PUC, 25 February
2010); N Shah, ‘Maine Supreme Court Affirms Validity of Smart Meter Opt-Out Program’
InformationLawGroup (1 August 2012) (InformationLawGroup)
<http://www.infolawgroup.com/2012/08/articles/smart-grid-1/maine-supreme-court-affirms-validity-of-smart-meter-optout-program/>
accessed 18 October 2013.
148 Order (Part I), Nos 2010-345, 2010-389, 2010-398, 2010-400, 2011-085, Order (Maine PUC, 19 May
2011); Katherine Tweed, ‘Court: Maine PUC Must Revisit Smart Meter Safety Issue’ greentechgrid (18
July 2012) <http://www.greentechmedia.com/articles/read/maine-puc-told-to-revisit-smart-meter-safety-issue/>
accessed 18 October 2013.
149 Friedman v. PUC, (fn 147) 4-5. They also asked the court to order the Maine PUC to reopen its investigation
to consider new evidence about the health and safety risks of radiation emitted by smart meters
that had been published since the PUC issued its Order imposing the opt out program.
150 Consumers had more success with their arguments about the health risks of smart meters. The Maine
Supreme Court found Maine’s PUC erred in dismissing consumers’ complaints raising concerns about
the health and safety of smart-meter technology associated with CMP’s smart metering project because
the PUC has a statutory duty to regulate public utilities in Maine to ‘ensure safe, reasonable, and adequate
service and to ensure that the rates of public utilities are just and reasonable to customers and
public utilities’. Friedman v PUC (n 147) 6.
151 The Maine PUC concluded incremental costs to the utility justified the fees to be charged by CMP for
the two options for consumers to opt out of its smart metering program. These incremental costs
included ‘1) longer repair times for power restoration after storms; and 2) continued inefficient energy
allocation to those customers using analog meters’. InformationLawGroup (n 148) 1.
metering systems.152 Across the USA, consumers continue to challenge smart metering
implementation programmes for a variety of privacy, health and other reasons,
152 Although Friedman v PUC (n 147) concluded that consumers’ privacy claims had been resolved by the
Maine PUC, the appellate court did not specifically discuss information privacy or data protection rights.
Instead, the appellate court’s discussion of privacy focuses on concerns about physical privacy intrusions
by utilities including the utilities’ access to customers’ property and premises for purposes of installation,
repair or replacement of its meters. Friedman v PUC (n 147) 12–14.
153 See, eg Walter Delacruz, ‘Smart Grid Technology: Privacy and Data Security Issues’ The Privacy Advisor,
p 1 (26 June 2012); Jeff Evans, ‘The Opt-Out Challenge’ Black & Veatch (published in the March/April
2012 issue of Electric Light & Power) <http://bv.com/docs/articles/the-opt-out-challenge.pdf> accessed
18 October 2013.
154 European Smart Metering Landscape Report 2012 (n 1) 59–60.
155 ibid 59. In the case of new construction and renovations, it is required that a smart meter be installed
and there is no obligation for the energy supplier to replace it with a traditional meter at the request of a
customer. ibid. However, the customer can have the smart meter treated like a traditional meter by
registering it as ‘administrative off’. ibid.
156 EDPS Opinion on Smart Metering (n 2) 11.
157 Evans (n 154) 5–6.
158 ibid. (commenting that there is additional cost to the energy supplier that would result if too few
customers opt out; in this case the per-customer cost to opt out increases significantly and utilities would
need to recover non-covered opt out costs from the entire rate base, which would result in passing the
cost of opt outs onto all customers, not just those who choose to opt out).
159 See generally, CRID treatise (n 86).
in smart metering systems and promoting the societal goals of smart grids and smart
metering systems. If the fees imposed for opting out are too onerous, consumers
6.8 Are there special concerns about consumer profiling and data sharing?
Profiling related to smart meters in the home will produce energy use profiles that
may be a source of detailed, behavioural information about the occupants of the
home. With a smart metering communication infrastructure, information about specific
electric devices in a customer’s home will reveal not only the amount of electricity
used, but also when and for how long the device is used. Significant privacy
concerns arise when there is a possibility of revealing PII such as the personal lifestyle
habits and behaviours of customers, especially if this information is mishandled
or used for secondary purposes other than providing electricity.162
Consumer energy-use profiles differ from the data that are directly produced by
smart meters because they are consumer information that is derived or ‘mined’ from
consumer bases using automated profiling technologies.163 If consumer energy-use
profiles are produced and used by others, but are not known to the consumer, there
is informational asymmetry, meaning that the profiler knows information about the
consumer that the consumer does not know about themselves, so that the resulting
application of the profile to the consumer may induce the consumer to act in ways
he or she would not have chosen to do. Assume a profile is created by an energy supplier
based on smart meter data indicating that the consumer wastes energy as compared
to other households in her neighbourhood (‘energy hog’ profile). If that
160 Nicola Jentzsch and others, ‘Study on Monetising Privacy, An Economic Model for Pricing Personal
Information’ European Network and Information Security Agency, Deliverable 2012-02-27, (2012)
34–37, 39, 41 (ENISA Report).
161 ibid.
162 SDG&G’s Dynamic Pricing Project & Privacy by Design (n 87) (Forward).
163 See the work of Mireille Hildebrandt on profiling, arguing the focus of information privacy should be on
information rather than data because a consumer profile may be generated that has significant privacy
concerns, yet it is not based on PII. M Hildebrandt, ‘Profiling into the Future: An Assessment of
Profiling Technologies in the Context of Ambient Intelligence’ (2007) 1 FIDIS J Identity in the
Information Society 13 (Hildebrandt, FIDIS) <http://www.fidis.net/fileadmin/journal/issues/1-2007/
Profiling_into_the_future.pdf> accessed 2 March 2014. Automated profiling technologies use data mining
technologies to build knowledge profiles and apply them, often without human intervention.
Hildebrandt, FIDIS, 5. One of the key privacy concerns related to profiling is information asymmetry,
wherein the data subject lacks access to information about themselves that is needed to exercise personal
autonomy. Hildebrandt, FIDIS, 9.
profile is shared with a network advertising company and used to select consumers
to receive special offers to buy autos, will that consumer receive special offers related
6.9 Are there special concerns about data security and data sharing?
There are significant security concerns associated with smart grids and smart metering
systems, such as preventing unauthorized data sharing with hackers and other unintended
third parties. Researchers have demonstrated that it is possible to intercept
unencrypted smart meter data and to use it to discover details that invade users’ privacy.166
Accordingly, the EU Commission advises that energy suppliers or network
operators that operate smart metering systems have security obligations to take necessary
steps to protect personal data.167 Further, it is important to recognize that
encrypting smart meter data does not render data anonymous in order to make data
protection laws inapplicable because it is generally possible to decrypt the data and
re-identify the data subject.168 Even so encryption is important to discussions about
7. CONCLUSIONS
Consumer data sharing is a predominant feature of smart metering systems—indeed
at least some consumer data sharing may be essential in order for smart metering systems
to live up to their potential to achieve energy conservation goals. Society benefits
from achieving energy conservation, but it should not come at the expense of
undue sacrifice of consumers’ privacy and data protection. In many cases, existing
laws in both the EU and the USA that regulate smart metering systems do not adequately
protect consumers’ data or privacy rights, including the right to be free of
unwarranted and intrusive surveillance in the home.
As demonstrated by this article, both EU and US energy consumers have significant
privacy concerns about the implementation of smart metering systems and
sharing of their energy-use data. Further, finding solutions to address these privacy
concerns is challenging because it will require balancing individual and family privacy
interests with broader societal interests, including the need to better manage the energy
supply. Although smart metering systems are being implemented on a global
basis and they raise similar privacy concerns for consumers around the world, they
are being addressed locally by regional, national or even state governments. Given
the large number of regulatory bodies involved in this effort (including 28 Member
States in the EU and over 50 state public utility commissions in the USA and thousands
of energy suppliers and industry associations), achieving consistent global data
protection and privacy protection for consumers is a daunting task. As this article explains,
it is further complicated by the fact that there are several different approaches
that could be taken to ensure privacy in smart metering systems, including legislation,
self-regulatory codes of conduct and technical design solutions.
Initially, the possibility of finding global solutions to protect consumers’ privacy
in smart metering systems appears brighter when approached from an industry
168 According to the FTC, fair information practices recommended for consumer data should be provided
for consumer data when it is reasonably linkable to a specific consumer, computer or device and this is
so even when the data is otherwise anonymous. However, the FTC limits the reach of its reasonably
linkable standard requiring recommended fair information practices: ‘As long as (1) a given data set is
not reasonably identifiable, (2) the company publicly commits not to re-identify it, and (3) the company
requires any downstream users of the data to keep it in de-identified form’ the data falls outside the
scope of the FTC’s recommended privacy protections and the data does not need to be given the recommended
privacy protections. FTC’s 2012 Report (n 45) 22.
169 SDG&G’s Dynamic Pricing Project & Privacy by Design (n 87) 16.
self-regulation standpoint. Global privacy standards for smart metering systems could
be implemented by industry leaders who are designing, manufacturing and installing
170 See, for example, application of foundational principles of privacy by design to smart grid systems (see
Privacy by Design, Ontario (n 87) 16–17, 28).