The Article 29 Working Party criticised the focus of the data protection impact assessment (DPIA) template (17-page / 291KB PDF) that the European Commission has recommended for use by those involved in smart metering.
The Commission had intended for the Template to "describe the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to assist in demonstrating compliance with [EU data protection laws], taking into account the rights and legitimate interests of data subjects and persons concerned." However, the Working Party said that the Commission's Template failed to meet its own objective.
"The submitted DPIA Template does not directly address the actual impacts on the data subjects, such as, for example, financial loss resulting from inaccurate billing, price discrimination or criminal acts facilitated by unauthorised profiling," the Working Party said. "The WP29 considers that the DPIA Template in its current form cannot achieve its objective mandated by the Commission Recommendation. The DPIA does not provide a practical tool for assessing the impact on the individuals concerned."
Smart metering enables a two-way flow of electricity and information that allows real-time information about demand for energy to inform the level of supply needed to meet that demand in a near-instantaneous fashion.
Smart metering technology is due to be put in place in the UK from 2014. Approximately 55 million meters will be installed, covering every UK household and business, by 2019. The Government has said smart metering will help to reduce unnecessary energy use and emissions and cut consumers' energy bills.
However, there are inherent privacy issues around the use of the technology. The Working Party said that smart metering "enables massive collection of personal information" and that the data can reveal intrusive details about individuals' lives.
"Smart metering may enable tracking [of] what members of a household do within the privacy of their own homes and thus [the] building [of] detailed profiles of all individuals based on their domestic activities," the Working Party said. "From the detailed energy consumption data collected via the smart meters, a lot of information can be inferred regarding the consumers’ use of specific goods or devices, daily routines, living arrangements, activities, lifestyles and behaviour."
The future possibility of linking consumption data recorded from smart meters with other data collected about individuals, through a network of technology and devices loosely referred to as 'the internet of things' also presents risks to privacy, it added.
The Working Party called on the European Commission to revisit its DPIA Template. Amongst its complaints, it said that controls that the Commission had identified could be put in place to mitigate against the risk to privacy in smart metering had not been linked to the actual "risks to be mitigated".
"The ultimate objective of the DPIA process thus is to identify controls that minimize any negative impact on the rights and freedoms of the data subjects," it said. "If the risks and their impact on data subjects are not considered in their entirety, it is not possible to correctly identify and implement the necessary controls and safeguards."