We are all having to be more and more aware of data protection in our activities. The new Data Protection Impact Assessment Template for Smart Grid and Smart Metering systems is a pioneering method whereby industry has worked together with the European Commission to make compliance reliable and cost-effective. Written first and foremost for an Australian audience, this article by Michael Mitchell, Principal Consultant for Keypoint Law in Sydney, and Ludovica Sara Fondi, Policy Officer at the Brussels-based association CEDEC (the European Federation of Local Energy Companies), is of interest to European readers too. It first appeared in the November 2018 issue of Governance Directions, the official journal of Governance Institute of Australia.
Data Protection Impact Assessments: The European experience
- Data protection, or privacy law as it is known, is an area of increasing regulation.
- Greater regulation of data protection brings with it positive benefits for consumers but the need for compliance adds to the stress and resource burden on businesses.
- The European Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems offers a useful guide to Australian business to make compliance reliable and cost-effective.
As Australian privacy law becomes more far-reaching in its extent, and carries heavier sanctions for breach, the interest of business in cost-effective compliance grows. How do we evaluate our privacy obligations, how do we take action to fulfil those obligations, and how do we demonstrate that we have done so?
The experience of the European Union with its strong regime of data protection may provide guidance to assist Australian industry in these matters. The new Data Protection Impact Assessment Template for Smart Grid and Smart Metering systems is a pioneering method whereby industry has worked together with government to make compliance reliable and cost-effective.
Managing compliance with privacy law
Increasing regulation is a feature of doing business in western countries. One area of such increasing regulation is data protection, or as it is known in Australia, privacy law. Companies are motivated to avoid the damage to their business reputation that may result from a breach, not to mention heavy sanctions. As both the intrusiveness of privacy law and the penalties for non-compliance increase, business leaders are ever more concerned about how best to manage compliance, in regard to both cost and effectiveness.
Greater regulation of data protection brings with it many positive benefits for consumers in Australia, but the need for compliance also adds to the stress and resource burden imposed on businesses. Like other regulatory regimes, privacy laws and principles tend to be broad in scope (perforce, to limit evasion), and are combined with increasingly high maximum penalties for breach.
A recent development in the EU has the potential to provide practical solutions and guidance in compliance. This is the development of a Data Protection Impact Assessment Template for Smart Grid and Smart Metering systems. Although relating directly to the energy sector, the process by which it has been created and the results are worth studying by all industries in Australia.
To put this in context, the EU is Australia’s second largest two-way trading partner, and largest two-way trading partner in services. (1) The energy sector in the European Union holds particular interest for Australian companies. A January 2018 survey of senior-level investors in renewable energy found that Germany was the leading target area for M&A work over the next 12 months, but France also had a significant profile. (2) It seems likely that bilateral investment between Australia and the EU in the energy space will grow. (3)
The GDPR and background to use of Data Protection Impact Assessments in the EU
The European General Data Protection Regulation (GDPR) became fully applicable and enforceable from 25 May 2018. It significantly increased the regulation of data protection within the European Union. One of its key foci is to give individuals more control over their personal data. (4) The GDPR’s reach covers not only businesses located in Europe, but also foreign businesses which trade with Europe in goods or services, and those which monitor the behaviour of individuals in the EU. Thus the GDPR is already an important consideration for many Australian firms.
The GDPR contains many provisions which do not have an equivalent in Australian privacy law, or which are not regulated so extensively in Australia. One example is the requirement that data controlling entities appoint a data protection officer (DPO) when there is systematic monitoring of data subjects on a large scale. Therefore, DPOs are essential in the smart services business dealing with ‘big data’. The DPO is a cornerstone of the accountability principle in the GDPR. (5) In turn, the DPO carries significant responsibility and will seek all ways that can guide or assist him/her in the discharge of that responsibility.
A further example of such an area is the EU consumer’s right to data portability. Consumers not only have the right to receive their personal data but the controlling entity must also facilitate the transmission of that data to another controller. A primary purpose of data portability is to limit any lock-in effect, typically exploited by companies in certain services in order to keep their own customers as long as possible. Rather, the GDPR seeks to provide consumers with freedom in relation to the choice between different providers. The GDPR also encourages controllers to develop interoperable formats to enable data portability. The Regulation does not impose a specific format, but specifies that it should be structured, commonly used and machine-readable. (6)
At the present time, data portability is not required in Australia in the same terms as in the GDPR, but it may only be a matter of time before this occurs noting, for example, the current political ‘hot’ topic of consumer energy prices. Australian governments may, therefore, be attracted to European energy reform which, whilst encouraging an increased reliance on renewable resources, also carries a strong message about consumer empowerment and promotion of competition. Thus the ‘Clean Energy Package for All Europeans’ legislative package is said to ‘reduce energy imports, boost our industrial competitiveness and leadership, create jobs, lower energy bills, empower the European consumer, help tackle energy poverty and improve air quality’. (7) In the same way, a major justification for the concept of data portability in the GDPR is that consumers will be encouraged to opt for a different supplier when they are aware that data portability is available.
The foregoing factors have all provided impetus to the development of the DPIA energy template.
The Data Protection Impact Assessment template for the energy sector
Under the GDPR, a DPIA is required whenever data processing is likely to result in a high risk to the rights and freedoms of individuals. This contrasts with the regime under the Australian Privacy Act 1988, where a Privacy Impact Assessment is recommended by the Office of the Australian Information Commissioner, but not required except in certain limited circumstances. (8)
The GDPR standard requires a DPIA at least in those cases where an entity engages in:
- a systematic and extensive evaluation of the personal aspects of an individual, including profiling
- processing of sensitive data on a large scale
- systematic monitoring of public areas on a large scale.
Examples include a bank screening its customers against a credit reference database; a hospital about to implement a new health information database with patients’ health data; or a bus operator about to implement onboard cameras to monitor drivers’ and passengers’ behaviour. (9) In the energy sector, it is clear that operators of smart grids and smart metering operations will be covered, for whom the collection and usage of personal data (for example, household consumption, usage data) is one of the key business enablers.
Issues of data protection are significant for operators of smart grid and smart meter services. By 2020, it is expected that almost 72 per cent of European consumers will have a smart meter for electricity while 40 per cent will have one for gas. (10) The use of smart meters in Australia is much lower, but is expected to rise, thus the experience of European smart meter operators will be useful as a guide to Australian conditions in future.
A brief history of development
The editorial team responsible for the template was composed of industry representatives drawn from the Smart Grid Task Force (SGTF), which had been set up by the European Commission in 2009. The SGTF is a stakeholders’ platform that involves regulators and other competent authorities, consumers, suppliers, traders, power exchanges, transmission companies, distribution companies, power equipment manufacturers, standardisation organisations and ICT products and service providers. The first draft template was presented in 2013, and work on successive versions has proceeded since then. The final version has now been presented.
The Data Protection Impact Assessment template is intended for data controllers that are smart grid operators which manage or initiate smart grids or smart metering systems, as well as those that introduce changes to existing smart grid architecture platforms. It has now been published in final form and may be found at https://ec.europa.eu/energy/en/data-protection-impact-assessment-smart-grid-and-smart-metering-environment.
The process set out in the document guides data controllers and their DPOs in conducting a thorough DPIA which describes the envisaged data processing, assesses the risks to the rights and freedoms of data subjects, and sets out the measures, safeguards, controls and mechanisms envisaged to address those risks and ensure the protection of personal data.
The present DPIA template is composed of three parts:
- the introductory part, Chapter 1, which provides information about the development of the template, its nature and scope of application, together with the context necessary to understand the DPIA process in the smart grids environment, its legal and business conditioning and the relevant terminology
- the explanatory part, Chapter 2
- the questionnaire, Chapter 3.
The questionnaire is the operative part of the template to be used by smart grids and smart metering systems’ operators in the DPIA process. The questionnaire is mirrored in the explanatory part — that is, every element of Chapter 3 is explained by a corresponding entry in Chapter 2. Having Chapter 2 and Chapter 3 presented side by side (with two screens or with two printed copies) facilitates the understanding of the DPIA process and streamlines its implementation. The operative part consists of eight steps, from the pre-assessment, which determines whether a DPIA is necessary, to the final step, which should ensure that the identified actions are actually carried out and the risks mitigated.
Use of the template is not mandatory, nor can it guarantee compliance with EU law. However, it is expected to be effective in assisting data controllers to deal with their DPIA obligations, and in promoting a common methodology. It could well be of use to companies operating outside Europe that deal with ‘big data’ and are subject to similar data protection rules, including companies willing to test this completely new risk assessment methodology (based on the risk to the user/data subject, rather than on the risk to the company/data controller). Finally, in the future and with appropriate changes, it may become suitable for impact assessments in companies active in sectors other than energy.
The European Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems offers a useful guide to Australian business as to:
- how such a template may be developed as an industry project in co-operation with government, rather than for a single entity
- how such a template may be useful to assist companies across all sectors in identifying, complying with, and proving their compliance with privacy/data protection legislation.
Notes
2. ‘Great Expectations – Deal Making in the Renewable Energy Sector’, KPMG International, p 6.
3. See e.g. Article 48 of the Framework Agreement Between the European Union and Its Member States, of the One Part, and Australia, of the Other Part (not yet in force).
4. European Commission press release, http://europa.eu/rapid/press-release_MEMO-18-387_en.htm
6. GDPR art. 20.
9. See Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation (EU) 2016/679, 4 April 2017 (GDPR); also Articles 35 and 36 and Recitals (89) to (96) of the GDPR.