Privacy & Information Security Law Blog

On June 27, 2012, the Conference of the German Federal and State Data Protection Commissioners (the “Conference”) issued a Resolution and a comprehensive guidance paper regarding data protection compliance with respect to smart metering.

Smart metering is the use of intelligent energy networks and meters for monitoring and billing purposes. According to the Resolution, smart meter systems help guarantee a sustainable energy supply in terms of resource efficiency, environmental friendliness and the efficient production, distribution and use of energy. The guidance paper issued by the Conference describes and analyzes the individual processing activities involved in the various uses of smart metering in light of German data protection law. In particular, the guidance paper describes the “use cases” in terms of the respective level of data protection involved.

The following is a summary of the Conference’s key recommendations:

• The processing of smart meter data is authorized only to the extent that it is necessary for the purposes listed in the German Energy Industry Act;
• The meter readings should be separated by intervals to help ensure that no conclusions about a user’s behavior may be drawn from his or her energy consumption;
• Smart meter data should be transmitted in anonymized, pseudonymized or aggregate form, to the extent possible;
• It must be possible to collect local high resolution data directly from the end user without requiring third party data processing activities;
• The data should be transmitted to as few recipients as possible;
• Appropriate deletion periods should be determined to avoid excessive data retention;
• The end user should be able to detect access to the smart meter, prevent its use and inspect the communication and processing activities related to the smart meter;
• The end user, as a data subject, must be given the means to exercise his or her right to deletion, correction and objection;
• The end user must be able to choose a tariff that reveals as little as possible about his or her lifestyle, without interfering with his or her energy supply;
• Smart meters should not be freely accessible from the outside; guidance on what amounts to legitimate access to the data can be found in the Technical Directive of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”); and
• The principles of data protection should be considered when designing smart meter systems (e.g., privacy by design). The technology should provide the end user with the information needed to control his or her energy consumption and protect his or her privacy; in particular, a legally binding framework should be created for the design, processes and infrastructure of the devices, as well as for their implementation.