To view this page ensure that Adobe Flash Player version 11.1.0 or greater is installed.
POLICY
COMMISSION RECOMMENDATION ON THE
DATA PROTECTION IMPACT ASSESSMENT
TEMPLATE FOR SMART GRID AND SMART
METERING SYSTEMS
By Valérie Lorgé, Directorate General for Energy, European Commission
Under the 2030 policy framework, smart
grids alongside interconnectors and storage
will facilitate the transformation of energy
infrastructure in order to accommodate
higher shares of variable renewable energy
and ensure security of energy supply.
Indeed, smart grids enable instant
responsiveness, support flexibility, and
can cost-effectively help to integrate
variable generation and storage to improve
grid control and security of supply, and
modulate consumption according to
changing situations and market signals.
Smarter grids will also be able to integrate
new loads such as electric vehicles. This
is cardinal as Europe now aims at the
electrification of transport.
Our networks should therefore be ready to
cope with increasing demand and provide
a technology platform for the development
of novel services and smart solutions in grid
infrastructure and related ICT, but also in
home automation and appliances.
However, to achieve all of these benefits,
due attention must be paid to the corollary
that is inherent to smart grid’s wide
integration of ICT into energy systems and
to the enhanced personal data processing 1
they entail: guarantees for data protection,
privacy and security are vital for smart grids’
uptake, their proper functioning and for
consumers’ acceptance.
The European Commission (DG ENER) has
therefore initiated action on security, data
protection and privacy in the smart grids
field. The Commission Recommendation
of March 2012 2 on preparations for smart
1 According to the Article 29 Data Protection Working Party’s
Opinion on Smart Metering, the operation of smart meters – and by
extension any further developments of smart grids and appliances
– entails the processing of personal data as defined by Article 2 of
Directive 95/46/EC
2 Commission Recommendation of 9 March 2012 on preparations
for the roll-out of smart metering systems (2012/148/EU, OJEU of
13.04.2012, L 73/9)
18 The Template therefore facilitates the
application of the principle of Data Protection by
Design, allowing data controllers to anticipate a
potential impact on data protection and privacy,
avoid costly redeployment, and implement
adequate safeguards
metering rollout included guidance
to Member States with respect to data
protection and security requirements. The
Recommendation called for the creation of
a Data Protection Impact Assessment (DPIA)
Template for smart grid and smart metering
systems, and its submission for opinion to
the Article 29 Data Protection Working Party.
The DPIA Template constitutes an evaluation
and decision-making tool for entities planning
or executing investments in the smart grid
sector. It guides them through the process
of the identification of data protection
and security risks according to concrete
circumstances but also describes the most
suitable safeguards and control measures
in proportion to the identified risks. The
Template therefore facilitates the application
of the principle of Data Protection by Design,
allowing data controllers to anticipate a
potential impact on data protection and
privacy, avoid costly redeployment, and
implement adequate safeguards.
This development is fully in line with DG
JUST General Data Protection Regulation
currently undergoing co-decision 3 . Article 33
of the General Data Protection Regulation
seeks to render impact assessments
3 The Commission (DG JUST) issued two legislative proposals for a
comprehensive reform of Directive 95/46/EC on Data Protection in order
to strengthen trust and innovation in the digital market. The proposal
for a Regulation setting out a general EU framework for data protection
is of particular interest for the smart metering and smart grid contexts. It
is still under discussion in the European Parliament and Council.
mandatory under certain conditions.
The General Data Protection Regulation
considers DPIAs as a key instrument to help
ensure data controllers’ accountability.
Steered by the Commission (DG ENER
and DG JRC), the main representatives of
the smart grid sector (stakeholders from
the energy and ICT sectors, consumer
associations and energy regulators)
drafted the Template through a dedicated
Expert Group (EG2) under the umbrella
of the Smart Grids Task Force (SGTF). The
experience gained from the ‘Industry
Proposal for a Privacy and Data Protection
Impact Assessment Framework for RFID
Applications’ was taken as a starting point.
Furthermore, and most importantly, CNIL 4 ,
EDPS 5 and ICO 6 attended the workshops
as observers on behalf of Article 29 Data
Protection Working Party. This translated
into the issuance of two WP29 opinions 7 on
4 La Commission Nationale de l’Informatique et des Libertés, French
national supervisory authority for the protection of personal data.
5 European Data Protection Supervisor, supervisory authority for the
protection of personal data by EU Institutions and Bodies.
6 Information Commissioner’s Office, national supervisory authority for
the protection of personal data of the United Kingdom
7 Opinion 04/2013 on the Data Protection Impact Assessment
Template for Smart Grid and Smart Metering Systems (‘DPIA
Template’) prepared by Expert Group 2 of the Commission’s Smart
Grid Task Force, 00678/13/EN, WP205, 22 April 2013; Opinion 07/2013
on the Data Protection Impact Assessment Template for Smart Grid
and Smart Metering Systems (‘DPIA Template’) prepared by Expert
Group 2 of the Commission’s Smart Grid Task Force, 2064/13/EN,
WP209, 4 December 2013;
METERING INTERNATIONAL ISSUE - 5 | 2014