On 27 March, the French Data Protection Authority (CNIL) made public a formal notice to Direct Energie, the French electricity supplier. At issue: the collection from smart meters of consumption data by the hour or by the half hour, without the customer's prior "free, informed and specific" consent to such disclosure. Although the decision of the CNIL is based on French law, it applies the same principles as those set out in the GDPR and is therefore of interest throughout the EU, as an indication of the likely approach of other authorities to this issue post-GDPR.
In a nutshell, why does the CNIL criticize Direct Energie?
According to the CNIL’s formal notice to Direct Energie, during the installation of a smart meter, Direct Energie asked Enedis, which manages the distribution network, to provide the electricity consumption data of its customers. The CNIL considers such personal data sensitive, as they can reveal information relating to customers' privacy (times when they wake up or go to bed, periods of absence or number of people at home…). The CNIL had already underlined in the past that consent was needed for the collection or disclosure through smart meters of detailed consumption data of customers. Consent is also considered a requirement at European level by the “Article 29 Working Party” – the European Data Protection advisory board – for using smart metering technology in the energy sector.
The CNIL criticizes Direct Energie for asking customers to consent simultaneously to two things:
However, the activation of the smart meter does not depend on Direct Energie, but on Enedis, which manages the distribution network. The smart meter would therefore be activated anyway, even without the customers' consent.
According to the CNIL, “the customer is under the false impression that he chooses to activate the meter, while he actually only consents to the collection of his consumption data.”
Moreover, Direct Energie states in its information notice to customers that this collection of their consumption data will allow more precise billing, whereas the company does not actually offer billing based on hourly consumption, reports the CNIL.
The company now has a period of three months to comply. If it does not comply, the CNIL can impose a fine of up to €3 million under the current French data protection (DP) act. The CNIL underlined that it decided to make this notice public in order to make people aware of their rights and their ability to control their energy consumption data.
Why is this decision important in the light of the looming GDPR requirements?
1) This decision from the CNIL results from an interpretation of the notions of consent and legal basis for processing of personal data, which in the current French DP act already mirror the GDPR requirements which will enter into application by May 25 2018 in all E.U. Member States.
2) Another interesting data protection issue under the GDPR, to be considered in the future by companies looking to process customer usage data, relates to the new right provided by Article 21 of the GDPR to object at any time to profiling of personal data for direct marketing purposes:
When the GDPR comes into application, customers will therefore be able to object to the profiling of their data for marketing purposes in all cases. In the specific case of smart meters, prior consent is required due to the sensitive nature of the energy consumption data collected. In the future, however, in all cases where companies wish to better understand their customers' behaviour, for instance by analyzing their consumption in order to adapt their marketing offers accordingly, customers will have a right to ask them to stop doing this. This could, for example, result in companies being obliged to suppress the customers' data from their customer relationship management systems.
Companies must anticipate this new right and its impact: in the future they must be able to ensure that their systems technically reflect the requirements of the new anti-profiling right, in accordance with the privacy by design principle, which is also provided for by the GDPR.
In addition, they must review their communication strategy in order to explain the possible interests of profiling for their customers and why the customers may be interested in receiving offers better adapted to their needs. In the same way, Direct Energie will need to explain why consenting to the collection of consumption data from smart meters and to the analysis of the consumption details will allow it to adapt electricity production to the real needs of the consumer, in order to reduce his or her electricity bill.