POLICY

COMMISSION RECOMMENDATION ON THE DATA PROTECTION IMPACT ASSESSMENT TEMPLATE FOR SMART GRID AND SMART METERING SYSTEMS

By Valérie Lorgé, Directorate General for Energy, European Commission

Under the 2030 policy framework, smart grids alongside interconnectors and storage will facilitate the transformation of energy infrastructure in order to accommodate higher shares of variable renewable energy and ensure security of energy supply. Indeed, smart grids enable instant responsiveness, support flexibility, and can cost-effectively help to integrate variable generation and storage to improve grid control and security of supply, and modulate consumption according to changing situations and market signals. Smarter grids will also be able to integrate new loads such as electric vehicles. This is cardinal as Europe now aims at the electrification of transport. Our networks should therefore be ready to cope with increasing demand and provide a technology platform for the development of novel services and smart solutions in grid infrastructure and related ICT, but also in home automation and appliances.

However, to achieve all of these benefits, due attention must be paid to the corollary that is inherent to smart grid’s wide integration of ICT into energy systems and to the enhanced personal data processing [1] they entail: guarantees for data protection, privacy and security are vital for smart grids’ uptake, their proper functioning and for consumers’ acceptance. The European Commission (DG ENER) has therefore initiated action on security, data protection and privacy in the smart grids field.

The Commission Recommendation of March 2012 [2] on preparations for smart metering rollout included guidance to Member States with respect to data protection and security requirements. The Recommendation called for the creation of a Data Protection Impact Assessment (DPIA) Template for smart grid and smart metering systems, and its submission for opinion to the Article 29 Data Protection Working Party.

The DPIA Template constitutes an evaluation and decision-making tool for entities planning or executing investments in the smart grid sector. It guides them through the process of the identification of data protection and security risks according to concrete circumstances but also describes the most suitable safeguards and control measures in proportion to the identified risks. The Template therefore facilitates the application of the principle of Data Protection by Design, allowing data controllers to anticipate a potential impact on data protection and privacy, avoid costly redeployment, and implement adequate safeguards. This development is fully in line with DG JUST General Data Protection Regulation currently undergoing co-decision [3].

[1] According to the Article 29 Data Protection Working Party’s Opinion on Smart Metering, the operation of smart meters – and by extension any further developments of smart grids and appliances – entails the processing of personal data as defined by Article 2 of Directive 95/46/EC.

[2] Commission Recommendation of 9 March 2012 on preparations for the roll-out of smart metering systems (2012/148/EU, OJEU of 13.04.2012, L 73/9).

Article 33 of the General Data Protection Regulation seeks to render impact assessments mandatory under certain conditions. The General Data Protection Regulation considers DPIAs as a key instrument to help ensure data controllers’ accountability.

Steered by the Commission (DG ENER and DG JRC), the main representatives of the smart grid sector (stakeholders from the energy and ICT sectors, consumer associations and energy regulators) drafted the Template through a dedicated Expert Group (EG2) under the umbrella of the Smart Grids Task Force (SGTF). The experience gained from the ‘Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications’ was taken as a starting point. Furthermore, and most importantly, CNIL [4], EDPS [5] and ICO [6] attended the workshops as observers on behalf of Article 29 Data Protection Working Party. This translated into the issuance of two WP29 opinions [7] on

[3] The Commission (DG JUST) issued two legislative proposals for a comprehensive reform of Directive 95/46/EC on Data Protection in order to strengthen trust and innovation in the digital market. The proposal for a Regulation setting out a general EU framework for data protection is of particular interest for the smart metering and smart grid contexts. It is still under discussion in the European Parliament and Council.

[4] La Commission Nationale de l’Informatique et des Libertés, French national supervisory authority for the protection of personal data.

[5] European Data Protection Supervisor, supervisory authority for the protection of personal data by EU Institutions and Bodies.

[6] Information Commissioner’s Office, national supervisory authority for the protection of personal data of the United Kingdom.

[7] Opinion 04/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (‘DPIA Template’) prepared by Expert Group 2 of the Commission’s Smart Grid Task Force, 00678/13/EN, WP205, 22 April 2013; Opinion 07/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (‘DPIA Template’) prepared by Expert Group 2 of the Commission’s Smart Grid Task Force, 2064/13/EN, WP209, 4 December 2013.

METERING INTERNATIONAL ISSUE - 5 | 2014