Editor’s Note: Chris Pahl, CIPP/US, CIPP/G, works at , but his comments here do not necessarily represent the company.

As smart grid technology continues to emerge and utilities worldwide increasingly deploy smart meters to households, data protection and privacy concerns continue to proliferate.


The smart grid—which has seen major investments from governments including the U.S., UK, Canada, Australia, New Zealand, parts of Asia, Denmark and the Netherlands, among others—will communicate with smart meters on a household’s electrical use down to the appliance-level. Consumers will be able to fine-tune their energy consumption to get the best rates, and utilities will be able to more effectively manage power distribution and identify and resolve problems remotely.


But the information collected on a smart grid will “form a library of personal information, the mishandling of which could be highly invasive of consumer privacy,” the Future of Privacy Forum’s Chris Wolf in an earlier edition of The Privacy Advisor. It’s this concern that has governments and privacy advocates actively collaborating to work toward best practices, privacy frameworks and, in some jurisdictions, legislation.

IAPP Publications Advisory Board Member Chris Pahl, CIPP/US, CIPP/G, offers the following advice on how utilities can prevent customer backlash and ensure adequate data protections.
  • Smart meters are exciting to some but feared by others.
  • While smart meters allow the consumer to make better informed decisions about energy consumption, others fear that the utility company will become a "big brother" by profiling their usage habits.
  • While we cannot prevent consumers from being concerned, the company launching smart meters should ensure appropriate controls are in place, enhance the culture of compliance and educate employees and customers.
  • Prior to implementing a smart meter rollout plan, the company should adopt a Privacy-by-Design approach and socialize the project with regulators and consumer advocates. The more collaborative the approach, the better buy-in and support will be garnered by stakeholders.
  • Education should occur early in the process both at the utility and with the public. The company must set forth its policy regarding treatment of customer information and transparency of use. This may be in multiple forms including a "code of use" as well as ensuring that the privacy notice/policy contemplates new technologies.
  • The privacy organization should review the current practices of the marketing or other organizations that may use customer information to make decisions. Strict controls regarding usage should be documented and periodically monitored.
  • System design and implementation should only collect the information required/necessary for the company to conduct business and should not include system features that can be turned on later with little notice to the consumer.
  • The company may consider publishing its "state of privacy compliance" report on its website and provide an opportunity to discuss results with regulators and privacy advocacy groups to stay ahead of regulatory criticism. The company should not hide behind areas of opportunities, rather seek to improve them. The goal of transparency alleviates the legitimacy of privacy concerns that consumers or critics may raise if the company does not explain how the technology works.
  • In addition to appropriate policies and procedures, tools such as encryption and data monitoring tools should be considered to ensure that information is not being misused. Without monitoring software, the company may not be able to stop a potential theft until it is too late.
  • Again, partnership with all internal and external stakeholders. No one likes change; however, the company must work with all parties to address concerns and risks, while identifying benefits. While it is impossible to get all customers to embrace change, the majority of stakeholders will feel valued through inclusion.
Recently, the European Data Protection Supervisor warned that smart meter technology could be used to track what “households do within the privacy of their own homes; whether they are away on holiday or at work; if someone uses a specific medical device or a baby monitor, or how they spend their free time.”


In July, the European Network and Information Security Agency published a study on smart grids on the European Commission and member states to “develop policy documents and regulations on cybersecurity and privacy of the smart grid in order to improve the current regulatory and policy framework.” The study stated that “cybersecurity and privacy are not being addressed appropriately, since, in many cases, it has been considered as an overlay more than a very integral part of the design phase.”


At the beginning of the year, the U.S. Department of Energy hosted a workshop of more than 80 representatives of stakeholder groups aiming to identify key smart grid issues and areas of concern as well as approaches toward a national privacy strategy.


Key issues included a need to educate consumers; create privacy protections; “police the bad actors”; identify what “informed consent” looks like from the consumer perspective; examine third-party use of data, and avoid a federal strategy that is too prescriptive.


Ontario Information and Privacy Commissioner Ann Cavoukian with utilities Hydro One and Toronto Hydro to create a guidance document on how utilities can embed privacy into smart grid and smart meter technologies from the design phase to their implementation. “ ” outlines best practices and operationalizes Privacy by Design.


Cavoukian took on smart meter privacy after a law was passed in Ontario requiring that smart meters be installed at each household within the province by 2012. Such a law required swift action in the name of citizens’ privacy, Cavoukian said, adding, however, that it wasn’t an arduous task to get government and industry on board.


She noted their response was, “‘We are trying to promote energy conservation and two-way conversation in real time, but we’re not trying to diminish our customers’ privacy.’”


The key to the smart grid’s success lies in early consumer education and building privacy into the nascent technologies right from the start, Cavoukian said. She referenced various jurisdictions where consumer pushback to smart meter installation resulted in headaches for utilities, noting such incidents can be avoided with the proper attitude and action on consumer privacy. Cavoukian sees a shift over the last couple of years in such attitudes. Where utilities used to feel they “owned” customer data and could do with it as they pleased, they now increasingly understand that the data belongs to the customer and should be handled accordingly—that is, only collected, stored, retained and used for the purposes stated, unless positive consent from the consumer indicates otherwise.

“You need to gain the trust of your customers, and you do that by engaging them in the discussion,” Cavoukian said. “That education leads to consent. When you have openness and transparency, you’re not hiding anything…there are no surprises. There should be no secondary uses without the positive consent of consumers.”

Today, the province has smart meters installed at 4.7 million households, and Cavoukian says, “It’s working beautifully.”

Since issuing the guidance, Cavoukian has continued to partner with utilities worldwide, including in Germany and Switzerland and most with San Diego Gas & Electric in the U.S.


Opower, an energy information software company that partners with utilities to empower consumers to make informed decisions about their energy usage, recently it is embedding Cavoukian’s Privacy-by-Design framework into its operations. It released an advisory explaining to customers how it is embedding the framework into its “Data Principles.”


Cavoukian says her office is now partnering with the Future of Privacy Forum to develop a trust seal for third-party use that would allow customers to provide positive consent for access to their data for marketing purposes.


In the U.S., the Obama administration’s Consumer Bill of Rights will likely to the granular data collected by smart meters. It states that under the bill, personal data “refers to any data, including aggregations of data, which is linkable to a specific individual.”


In the meantime, U.S. state governments are toward their own solutions. Maine’s public utilities commission (PUC) recently utility Central Maine Power (CMP) to provide an opt-out choice to consumers facing smart meter implementation after customers challenged the state’s smart meter program. The PUC also ruled, however, CMP could charge a fee for such opt-outs, a decision the state’s Supreme Court recently upheld.


In June, Canada’s Hydro-Quebec similarly began to allow for an opt-out clause in its smart meter rollout.