by K.T. Weaver, SkyVision Solutions

The French data protection authority (‘CNIL’) announced on March 27, 2018, that it had issued a formal notice to the nation’s primary electric supplier for failing to obtain consent for the collection of customer usage data through smart meters [1].

The utility company now has a period of three months to correct the failure or face a fine of up to € 3 million [2].

CNIL observed that at the time of the installation of smart meters, customers were asked to provide a single consent for the installation of the meter and for the collection of hourly electricity consumption data as a corollary to the activation of the new meter and in order to benefit from certain tariffs.  However, as the installation was mandatory, customers were in fact only consenting to the data collection. Therefore, CNIL determined that consent was obtained in such a way by the electric supplier that it was invalid, as it could not be considered “free, informed and specific.” [1]

Furthermore, CNIL considered that the collection of personal data related to hourly consumption was not necessary for the performance of the contract entered into by the customer, which only requires the supply of electricity, billed on a monthly basis.  With regard to legitimate business interests pursued by the company, CNIL found that according to the information notice provided to customers, the collection of hourly consumption data would allow a more precise billing, “but that the automatic collection of this data, which is particularly intrusive and detrimental to their privacy, disregards their interests and rights, especially since there are no tariff offers based on their hourly consumption.”  For these reasons CNIL concluded that the smart meter granular data collection had no legal basis as it was not based upon valid consent [1].

Although the CNIL decision was based upon French law, it has implications for the entire European Union (EU) as it applies the same principles to be implemented in May 2018 as part of the EU’s General Data Protection Regulation or GDPR [2].

The rationale used by CNIL in France is also nearly identical to the arguments made in the United States in the court case of Naperville Smart Meter Awareness (NSMA) v. City of Naperville and where failure to obtain a valid customer consent for granular smart meter data collection represents an illegal, unwarranted, and unreasonable search in violation of the Fourth Amendment [3].

Current (and antiquated) case law in the United States establishes that customers have no reasonable expectation of privacy in aggregate power usage readings taken once a month from an analog-type meter.  The actual case law states that nothing of significance can be determined from that information, i.e., “The power records, unlike telephone or bank records, do not reveal discrete information about [the customer’s] activities.” [4]

Utility companies in the United States then try to extrapolate the monthly aggregate readings legal argument to granular data collected by a smart meter by saying that it is the same thing, just more frequent.  But this is not true since more granular data collection fails the test of not revealing discrete information about a customer’s activities.  Privacy groups Electronic Frontier Foundation (EFF) and Privacy International (PI) have a way to explain this concept, that smart meter so-called “aggregate data” are actually disaggregated by time and do therefore reveal intimate details about what is going on inside the home [5].

It is hoped that the French decision by CNIL can further move the needle in the direction of protecting consumer privacy interests in the United States and other places worldwide.

References

[1] France: CNIL’s notice to DIRECT ENERGIE on collection of smart meter data “indication of likely approach of DPAs post-GDPR,” March 29, 2018, at https://www.dataguidance.com/france-cnil-notice-direct-energie-collection-smart-meters-data-indication-likely-approach-dpas-post-gdpr/

[2] GDPR and smart meters: French Data Protection Authority serves a formal notice to a major energy supplier to get ready for GDPR, March 29, 2018, at https://web.archive.org/web/20180406215700/https://www.lexology.com/library/detail.aspx?g=b2ea028e-10d8-417c-b48a-ece1c268a948

[3] “Naperville Smart Meter Awareness Group Appeals to Higher Court on Fourth Amendment Violations,” SkyVision Solutions Blog Article, February 2017, at https://smartgridawareness.org/2017/02/22/naperville-group-appeals-to-higher-court/

[4] See State v. Kluss, 867 P.2d 247, 254 (Idaho App. 1993) (finding that monthly aggregate power usage figures “do not reveal discrete information about Kluss’s activities” because they may be caused by any one of numerous kinds of electrical usage”); accord Sampson v. State, 919 P.2d 171, 173 (Alaska App. 1996) (Mannheimer, J., concurring) (agreeing that no reasonable expectation of privacy exists in gross monthly electrical usage figures, because such figures “reveal no details of the activities that consumed the electricity”).

[5] Privacy Advocacy Groups Submit Amicus Brief Opposing Smart Meter Fourth Amendment Violations, SkyVision Solutions Blog Article, February 2017, at https://smartgridawareness.org/2017/02/28/privacy-advocacy-groups-amicus-brief-on-smart-meters/

[6] Additional reference link added August 2018:  http://pde.cc/countdown-to-gdpr-a-pre-gdpr-object-lesson-in-france/