California PUC Issues Proposed Decision on Smart Grid Privacy

On May 6, 2011, the California PUC (CPUC) issued a proposed decision by CPUC President Peevey addressing smart grid privacy and security. The proposed decision is part of a longstanding proceeding we first discussed here.

The proposed decision represents a significant step towards a set of smart grid privacy rules in the United States during a time that smart grid privacy is attracting increasing global attention. For example, as discussed in the Chronicle of Data Protection post on April 18, 2011, the European Union’s Article 29 Working Party issued smart meter guidelines last month.

The California PUC Proposed Decision expressly embraces Fair Information Practice (FIP) principles. The proposed rules are designed around the FIP principles of Transparency, Purpose Specification, Individual Participation, Data Minimization, Use and Disclosure Limitation, Data Quality and Integrity, Data Security, Accountability and Auditing. A Future of Privacy Forum blog post available here provides a brief overview of the Proposed Decision and a longer “Future of Privacy Summary of California Public Utilities Commission Proposed on Smart Grid Privacy and Security” dated May 9, 2011, drafted by yours truly, provides more detail about the California PUC’s approach to the proposed rules and jurisdictional issues. The California PUC is accepting comments on the proposed decision until May 26, 2011.   

Smart meters and the smart grid present the prospect of empowering consumers to more efficiently control their energy usage and lower their bills, increasing consumers’ ability to use and manage smart appliances and new and innovative applications, fostering a reliable electricity grid, and helping to reduce carbon emissions. For an excellent background on Smart Grids and the privacy issues they present, see the white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation, co-authored by Hogan Lovells partner, Christopher Wolf.

Europe's Article 29 Working Party issues smart meter guidelines

By Winston Maxwell (Paris) and Marco Berliri (Rome)

The European Union's Article 29 Working Party published on April 11, 2011 an opinion on smart metering, recommending Privacy by Design, data minimization, and consumer interface options that give customers increased control over their data and privacy settings.

The opinion indicates that most data collected by smart meters will be considered "personal data" under the Data Protection Directive because the data will be associated with a unique identifier such as a meter identification number, which in turn can be linked to a living individual. The opinion states that the "data controller" will in most cases be the energy supplier, but that the grid operator may also be controller, as may be the third party service provider (so-called Energy Service Companies, or ESCOs). As mentioned in the Art 29 WP's opinion 1/2010 on data controllers and processors, it is not infrequent for there to be more than one controller.

Data collected by smart meters may be processed based on consent, but the opinion warns that consent must be made on a "fully-informed" basis. The Art 29 WP recommends that the household control panel for smart meters include a push button consent option to help consumers exercise their consent options, and change the options over time. 

The opinion goes into considerable detail on some issues, commenting for example that a smart meter with a small, text-only user interface would provide consumers with insufficient access to their own data, in particular to load graphs. The opinion also describes how the collection of data from the smart meter should be minimized, for example by keeping load graph data within the smart meter until the data are actually needed by the energy supplier. Many of the recommendations resemble existing practices in the telecoms industry for the handling of traffic data and location data. For example, smart meter data should be deleted as soon as they are no longer needed. Controllers should develop written policies on data retention, evaluate each purpose for which smart data are needed, and ensure that only the minimum data necessary for that purpose are retained, while other data are deleted. For example, some customers may request historic year-to-year consumption comparisons. For those customers, and those customers only, the controller may retain historic consumption data.

The opinion strongly recommends the implementation of Privacy by Design, including privacy impact assessments, security and privacy audits.

See the authors' previous blog entry on smart meters and privacy by design.

Privacy by Design for Italian Smart Grid

On September 21, 2010, Hogan Lovells privacy partners Marco Berliri and Winston Maxwell briefed the Italian smart metering consortium E-Cube on the practical aspects of privacy by design. The seminar commenced with a presentation of the E-Cube project by Telecom Italia Director of Public Policy, Lorenzo Pupillo. The e-Cube project involves leading Italian industrial companies and universities in Italy, and is funded by the Italian government. A full presentation of the e-Cube project can be found in Dr Pupillo’s paper here.

Seven pillars of privacy by design.

After Dr Pupillo’s introduction, Marco Berliri and Winston Maxwell presented the seven principles of privacy by design, contrasting the preventive, “positive sum game” approach with the confrontational, “zero sum game” approach that is currently the norm when dealing with data protection authorities in some European countries. Marco Berliri gave an overview of the current legislative framework for privacy in Europe, while Winston focused on the June 2010 report of the smart grid task force at the European Commission. The report, submitted by the so-called Expert Group 2 (EG2), fully endorses the privacy by design approach, recommending that European standards organizations working on smart grid standards take privacy requirements into account. The EG2 report urges smart grid stakeholders to be inspired by security and privacy practices of other industries, particularly telecommunications and banking. The EG2 report also highlights a methodology developed by a consortium of electricity providers in the Netherlands to conduct privacy impact assessments of smart grid systems.

NIST report compared.

Marco and Winston then compared the European approach as outlined by the EG2 report with the August 2010 recommendations of the NIST in the U.S. The NIST’s report on smart grid privacy contains a useful discussion of different concepts of personal data, which range from the U.S. concept of “personally identifiable information” (PII) to data about behavior inside the home that can be developed using Non-intrusive Appliance Load Monitoring (NALM), which provides a very detailed individual fingerprint of a given household’s behavior. The NIST suggests that the traditional notion of PII in the U.S. may not be adequate to address the risks posed by granular use data. Marco compared PII with the European concept of personal data.

In response to a question from an E-Cube consortium member, Winston and Marco described the process of developing privacy use cases, using the two examples presented in the NIST report, as well as a use case involving the Canadian electricity company Hydro-One. Each use case requires breaking a service into small individual parts. For each part of the service one must ask whether key privacy requirements are being addressed. For example, if a consumer brings home a smart thermostat from the store and plugs it in for the first time, that thermostat will first seek to communicate with the home area network, which will in turn communicate the details of the thermostat to a central server so that the thermostat can be authenticated and registered in the service. In a privacy use case, this seemingly simple process may be broken down into five or more individual parts, and for each part one must ask the questions: Is the communication link encrypted? Is the device transmitting the minimum amount of data necessary? Are organizational measures in place to ensure that the data are accessible only by the right people in the organization? Does the process contemplate a date when the data would be deleted?

It is by building these individual use cases that Privacy by Design can be built up, piece by piece. As aptly put by the EG2 report: “Security is a path, not a destination!”

Sharing consumption information.

Finally, Marco and Winston compared Italian legislation which obligates electric utilities to share consumer usage data with the similar requirement adopted in December 2009 by the California Public Utilities Commission. Winston mentioned that the U.S. FCC is placing a particular emphasis on innovations at the edges in the smart grid ecosystem, but this policy creates a dilemma for regulators who may not have jurisdiction over the service providers to whom the data are supplied. Winston pointed out that the California PUC is expected to issue more detailed privacy requirements before the end of 2010 and that these requirements are expected to address the issue of transfers of data to third-party service providers.

Cloud computing.

Marco reminded participants of the rules regarding transfer of personal data outside the European Union, pointing out that some data may in fact be transferred outside the European Union if an electricity service provider outsources some of its data processing, or makes use of cloud computing.

A copy of Marco and Winston’s presentation can be found here.

California Public Utilities Commission Proposed Decision Lays Out Smart Grid Deployment Plan Requirements

By Eric Bukstein

As energy companies across the country are gearing up to start providing electrical service through “Smart Grids,” California is one of the first jurisdictions to begin creating a regulatory framework for the operation of a Smart Grid.  On May 21, 2010, the California Public Utilities Commission (“CPUC”) issued a proposed decision, authored by Commissioner Nancy Ryan, providing California energy companies with details on what information must be included in any Smart Grid deployment plans submitted to the CPUC by a July 1, 2011 deadline.  The CPUC currently is taking comments on the decision, which will be considered and finalized by the entire commission.  While the proposed decision addresses some privacy and data security issues, the CPUC stated that further proceedings will focus more specifically on information access and privacy protections.

Smart Grids provide for a two-way flow of information and electricity, allowing both customers and utilities more control over energy consumption and costs, increasing the reliability of the energy grid, and allowing for a more efficient delivery of energy.  Utilities’ use of smart grids raises privacy concerns because of the possibility of linking personal information to granular details about energy use.  For an excellent background on Smart Grids and the privacy issues they present, see the white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation, co-authored by Hogan Lovells partner, Christopher Wolf.

CPUC’s proceeding started after the California legislature passed a law in September of 2009 requiring the CPUC “to determine the requirements for a Smart Grid deployment plan” by July 1, 2010.  This decision was the result of a year of proceedings in which the CPUC received comments from stakeholders as to how to best implement this law and move toward the deployment of a Smart Grid. 

The CPUC’s proposed decision addresses many issues beyond privacy, laying down an outline, by way of eight topics which need to be addressed, for a utility company’s Smart Grid deployment plan.  The CPUC specifically added Grid Security and Cyber Security Strategy to a list of topics, which were initially suggested by utility companies, that should be addressed in each utility company’s deployment plans.  The full list of categories is as follows:

1. Smart Grid Vision Statement;
2. Deployment Baseline;
3. Smart Grid Strategy;
4. Grid Security and Cyber Security Strategy;
5. Smart Grid Roadmap;
6. Cost Estimates;
7. Benefits Estimates; and
8. Metrics.

Regarding privacy and data security, the proposed decision asks utility companies to assess these issues in two areas.  First, as part of a privacy impact assessment to be included in a baseline report (item 2 above), which analyzes current practices, the utility company must address the following questions:

  • What data is the utility now collecting?
  • For what purpose is the data being collected?
  • With whom will the utility currently share the data?
  • How long will the utility currently keep the data?
  • What confidence does the utility have that the data will [sic] is accurate and reliable enough for the purposes for which the data is used?
  • How does the utility protect the data against loss or misuse?
  • How do individuals have access to the data about themselves?
  • What audit, oversight and enforcement mechanism does the utility have in place to ensure that the utility is following their own rules?

Second, in a section of the proposed decision devoted to information security, the CPUC requires a utility company to describe “security strategies” that “address physical, cyber and human threats for grid operations with implementation of Smart Grid technologies.”  Each Smart Grid deployment plan needs to discuss how it will incorporate National Institute of Standards and Technology (“NIST”) requirements and guidelines into the security program of the utility.  The CPUC declined to adopt specific Smart Grid security standards at this time, but recommends that utility companies consult documents, prepared by NIST and the Department of Homeland Security, for guidance when preparing security plans.  The CPUC also directed that each deployment plan should contain a systematic risk assessment, including a “security audit based on industry best practices.”  This assessment should address:

"The prevention of, preparation for, protection against, mitigation of, response to, and recovery from security threats for the utilities’ advanced meter and communications infrastructure, distribution grid management, and distribution grid management with implementation of other Smart Grid technologies and infrastructure, including all major subsystems and utility storage of customer information."

Additionally, the CPUC orders that each deployment plan discuss the following questions:

  • What types of information about customers are or will be collected via the smart meters, and what are the purposes of the information collection?  Could the information collection be minimized without diminishing the specified purposes?
  • Does the utility have or expect to have other types of devices, such as programmable communicating thermostats (PCTs), which can collect information about customers?  If so, what types of information is collected, and what are the purposes of the information collection?  Could the information collection be minimized without interfering with the specified purposes?
  • What types of information, if any, does the utility plan to collect from the smart meter and HAN gateway?
  • How frequently will the utility take readings from the smart meter?  Is this frequency subject to change?  Will customers control this frequency?
  • For each type of information identified above, for what purposes will the information be used?  The purposes should be articulated with specificity, e.g., “targeted marketing” instead of “promoting energy efficiency.”
  • For each type of information collected, for how long will the information be retained, and what is the purpose of the retention?  Could the retention period be shortened without diminishing the specified purpose?
  • What measures are or will be employed by the utility to protect the security of customer information?
  • Has the utility audited or will it audit its security and privacy practices, both internally and by independent outside entities?  If so, how often will there be audits?  What are the audit results to date, if any?

The CPUC recognizes that these questions are substantially similar to the questions asked in the deployment baseline section.  However, the CPUC intends for the deployment baseline answers to address current utility practices and for the cyber security section to emphasize utility plans.

While the CPUC has issued these preliminary guidelines for what needs to be included in a deployment plan, the CPUC declined to develop the “full host of regulatory requirements and protections” in their decision.  The CPUC states that further proceedings will focus on information access and privacy protections.

This decision is an important step in California’s move to regulate Smart Grids.  As noted in the decision, the CPUC and other regulatory and legislative bodies will continue to refine the regulatory requirements for Smart Grid operators.  However, this decision begins to outline the issues that utility companies will need to address as they plan for and deploy Smart Grids throughout California.

FCC Releases National Broadband Plan, Promotes Consumer Control Over Personal Information

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information.  For example, the FCC states that "[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations..." and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising.  It cautions, however, that "many users are increasingly concerned about their lack of control over sensitive personal data."

The FCC then remarks:

"Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.  Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their “digital identity.”  Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation."

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

  • Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;
  • Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;
  • Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and
  • Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.

New White Paper Co-Authored by Hogan's Christopher Wolf Outlines How "SmartPrivacy" Concept Can be Used to Address the Privacy Concerns Raised by the Smart Grid

A new white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation,  highlights the importance of building privacy into new "Smart Grid" technologies from the outset.  The paper is co-authored by the Privacy Commissioner of Ontario, Dr. Ann Cavoukian, Jules Polonetsky and Hogan’s Christopher Wolf.  Wolf and Polonetsky co-authored the paper in their capacity as co-chairs of the Washington-based Future of Privacy Forum.

“The information collected on a Smart Grid will form a library of personal information, the mishandling of which could be highly invasive of consumer privacy,” said Christopher Wolf. “There will be major concerns if consumer-focused principles of transparency and control are not treated as essential design principles, from beginning to end.”

“The smart grid will provide benefits for the economy and the environment and could mean savings for individual consumers,” said Jules Polonetsky. “But the success of the grid will be completely dependent on consumers trusting that their data is being handled responsibly. If companies do not get privacy right from the start, billions will have been spent in vain.”

The paper outlines Commissioner Dr. Ann Cavoukian’s SmartPrivacy concept and how it can be used to address the privacy concerns raised by the Smart Grid.

SmartPrivacy represents a broad arsenal of protections, encapsulating everything necessary to ensure that all of the personal information held by an organization is appropriately managed. These include: privacy laws, regulation and independent oversight; accountability and transparency; audit and assessment; market forces, education and awareness; data security; and fair information practices. But all of these are built upon the foundation of Privacy by Design.

“While each of these elements is important, Privacy by Design – where privacy is built in from the outset as the default function – is the key,” said the Commissioner. 

“Once energy consumption information flows outside of the home, consumers may have questions such as: Who will have access to this intimate data, and for what purposes? Will I be notified? What are the obligations of companies making smart appliances and Smart Grid systems to build in privacy? How will I be able to control the details of my daily life in the future?”

Organizations involved with the Smart Grid, responsible for the processing of customers’ personal information, must be able to respond to these questions, said the Commissioner. “And the best response is to ensure that privacy is embedded into the design of the Smart Grid, from start to finish – end to end.” 

As the Smart Grid is only in its early stages of development, now is the perfect time to build SmartPrivacy into the Smart Grid, stressed Commissioner Cavoukian. “Consumer control of electricity consumption and consumer control of their personal information must go hand-in-hand. Doing so will ensure that consumer confidence and trust is gained, and that participation in the Smart Grid contributes to the vision of creating a more efficient and environmentally friendly electrical grid, as well as one that is protective of privacy. This will result in a positive sum (win/win) outcome, where both environmental efficiency and privacy may co-exist. We must reject the traditional zero-sum approach where we are expected to choose one interest over another – you can, and must, have both.”