The U.S. Department of Energy has acted as steward for the DataGuard Energy Data Privacy Program for the last several years, but it's the next 12 months that will determine the program’s future. The DoE has been able to get a couple of organizations to participate in the program and the agency continues its effort to recruit more. If momentum does not pick up in 2019, however, it may mean lights out for DataGuard.
The DataGuard program is a voluntary code of conduct smart grid companies can follow to display privacy commitments to customers, particularly concerning energy-use data. As smart meters — which measure home energy use — rise in popularity, customer energy use data can be used to determine when individuals are home, when they are on vacation or what times they watch TV, for example.
The DoE has spent a lot of time on DataGuard and has taken steps to put it in the best situation to grow, the agency said. The agency anticipates that next year could be when the code of conduct takes a big step forward as organizations continue to learn about the privacy issues surrounding the smart grid and energy use data. Privacy professionals, however, have taken a much more critical look at the program, and question whether DataGuard is the best resource to tackle this new energy paradigm.
The code of conduct is broken down into five principles. Organizations that follow the voluntary code have to describe their data collection practices, the ways customers will be allowed access to their data, the methods the company will use to create anonymized data, their plans to enforce the code's principles, and how they will gather consent when energy data is used for “secondary purposes.”
Department of Energy Smart Grid Task Force Director Eric Lightner said DataGuard was inspired by the Obama administration's Consumer Privacy Bill of Rights. The report encouraged industry to adapt the Bill of Rights into privacy programs and solutions. Industry stakeholders, consumer advocate groups, third-party providers, public utility commissions and others took part in several meetings to help develop the voluntary code of conduct that would eventually become DataGuard.
Since then, the DoE been in charge of the program. However, the agency did not expect it would be the captain of the ship for so long.
“Our intent was once it got enough momentum to stand on its own, that we were really looking to turn it over to some nonprofit to be the steward moving forward,” said Lightner. “That is still our goal, but we feel like we are not really there yet in terms of having enough momentum and enough adopters to do that.”
Why hasn’t DataGuard taken off? Privacy professionals have some ideas.
The Privacy Professor CEO and President Rebecca Herold, CIPP/US, CIPM, CIPT, FIP, and Southern California Edison Privacy Compliance Program Leader Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, both cited the challenges inherent in getting companies to commit to a voluntary compliance program.
“There is no motivation for them to use this,” said Herold. “What is the incentive to say to utilities that they need to do a better job protecting data? Is there a way to give them some sort of incentive? There are a lot of possibilities with regards to discounts or tax breaks, but there’s got to be some incentive there in addition to saying there are real life benefits, such as preventing data breaches.”
In addition to concerns about voluntary compliance, Pahl pondered what actions could be taken for noncompliance to the code.
“When anything is done on a voluntary basis, that doesn’t give me much credence for the program, or uniformity throughout similar companies,” said Pahl. “There needs to be some type of penalty or some type of retribution that’s going to happen to them if they don’t live up to these things, or this just becomes another seal."
Lightner said DataGuard has always been intended to be a voluntary program.
“We really just wanted to honor the White House’s challenge to develop a voluntary, industry-driven program, and that’s really what we did,” said Lightner. “The other thinking was since we are not a regulatory entity, we really cannot enforce these things, but we really wanted to work with the industry and have it voluntary because it allows for a lot more flexibility in terms of how to implement the principles and practices within your company.”
The code of conduct takes a high-level approach. Lightner believes this allows organizations to adopt the principles in the best way for their business.
“We really wanted this to be applicable and adoptable by third-party providers of products and services and utilities,” said Lightner. “That presented a very difficult challenge at first because those entities are so different. It’s another reason why we wanted to stick to high level principles rather than getting into details, because the ways a utility might have to adopt something might be completely different from a small startup company that really isn’t a regulated entity.”
Lightner also wanted to dispel the notion DataGuard has no teeth, something both Pahl and Herold cited as a barrier to success. Lightner said DataGuard adopters that don't follow through with compliance could face penalties from state attorneys general or the Federal Trade Commission for deceptive business practices.
Even with those commitments, privacy professionals will still have some questions about the viability of the program.
“There needs to be enough, from a vetting process, before someone is brought into the fold of membership, that there is a type of discussion to try and determine the background of these entities,” said Pahl, who added his organization had to notify a regulator about the actions of one of the participants of voluntary code.
Despite the concerns from privacy professionals, one of the participants in the program,spoke positively about the DoE’s program. Utility API CEODaniel Roesler said his company was drawn to the DataGuard program due to its emphasis on consent as a best practice.
Roesler said he'd like to see DataGuard get stronger as its participants continue to grow. One of the reasons why Roesler is confident DataGuard will thrive is due to the EU General Data Protection Regulation.
“After GDPR, it basically means that distributed energy companies operating under the DataGuard code of conduct in the U.S. will not have a whole lot of trouble whenever they expand into Europe,” said Roesler. “If you are already following the guidelines of DataGuard in the U.S., updating will just be a little bit of paperwork, but there is no fundamental business model incompatibilities.”
Whether DataGuard takes the next leap forward remains to be seen. Lightner shares Roesler’s optimism about the future of the program, but he acknowledges it is not guaranteed. The DoE has shifted away from utilities as its main target for DataGuard to third-party providers of products and services who could benefit from consistency in their data collection and use. Utilities already face regulation, and a commitment to DataGuard would be a tough sell, Lightner believes. DataGuard uses the same rationale for the customer energy use data that falls under its umbrella. Since personal information is covered by preexisting privacy laws, Lightner explains, it was not necessary to include it in the voluntary code of conduct.
Despite Pahl and Herold's concerns about the program, they are pleased it at least exists.
“I think that it’s good that we have a program like this, and not everything is negative about it,” said Herold. “I think it’s good that they recognized the need to have something to address consumer privacy. I think they are ready to move on and become a more mature offering by filling in the gaps that exist and actually become a more comprehensive program and also provide some motivation and incentives for utilities and the utilities’ third-party vendors to participate.”
For Lightner and the DoE, the next 12 months will determine whether DataGuard will have enough momentum to move on and become that more mature offering.
“We’ve been hard at work at this for some time now, and by the end of 2019, we should have enough information to make the evaluation either to continue the program and really identify a steward to pick it up, or walk away,” Lightner said.
photo credit: arbyreed Individualized via photopin(license)