2014/724/EU: Commission Recommendation of 10 October 2014 on the Data Protection ... (32014H0724)

COMMISSION RECOMMENDATION

of 10 October 2014

on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems

(2014/724/EU)

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 292 thereof,
Whereas:
(1) Smart grids are an enabler for implementing key energy policies. In the 2030 policy framework context, smart grids, as the backbone of the future decarbonised power system, are recognised as a facilitator for the energy infrastructure's transformation in order to accommodate higher shares of variable renewable energy, improve energy efficiency and ensure security of supply. Smart grids provide an opportunity to boost EU technology providers' competitiveness, as well as a platform for traditional energy companies and new market entrants to develop innovative energy services and products in grid infrastructure and related information and communications technology (ICT), home automation and appliances.
(2) Smart metering systems are a stepping stone towards smart grids. They provide the tools to empower consumers' active participation in the energy market, and enable system flexibility through demand response schemes and other innovative services. In accordance with Directive 2009/72/EC of the European Parliament and of the Council(1) and Directive 2009/73/EC of the European Parliament and of the Council(2), Member States are required to ensure the implementation of smart metering systems that assist the active participation of consumers in the electricity and gas supply markets.
(3) The operation of smart metering systems — and a fortiori any further developments of smart grids and appliances — holds the potential to process data relating to an individual, i.e. personal data as defined by Article 2 of Directive 95/46/EC of the European Parliament and of the Council(3).
(4) Opinion 12/2011(4) of the Working Party on the protection of individuals with regard to the processing of personal data set up in accordance with Article 29 of Directive 95/46/EC states that smart metering systems and smart grids hold the potential to process increasing amounts of personal data and to make that personal data available to a wider circle of recipients than at present, thus creating new risks for data subjects that were previously unknown to the energy sector.
(5) Opinion 04/2013(5) of the Working Party states that smart metering systems and smart grids foreshadow the impending ‘Internet of Things’, and that the potential risks associated with the collection of detailed consumption data are likely to increase in the future when combined with data from other sources, such as geo-location data, tracking and profiling on the internet, video surveillance systems, and radio frequency identification (RFID) systems(6).
(6) Raising awareness about the features and substantial benefits of smart grids should help this technology fulfil its full potential, while at the same time mitigating the risks of it being used to the detriment of the public interest, thus enhancing its acceptability.
(7) The rights and obligations provided for by Directive 95/46/EC and by Directive 2002/58/EC of the European Parliament and of the Council(7) are fully applicable to smart metering systems and smart grid environments when personal data are processed.
(8) The package adopted by the Commission for reforming Directive 95/46/EC includes a ‘Proposed Data Protection Regulation’(8), which, when adopted, would apply to smart metering systems and smart grid environments when personal data are processed.
(9) The Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 12 April 2011 on ‘Smart Grids: from innovation to deployment’(9) highlighted data protection and security as one of the five challenges for smart grid deployment and identified a number of measures to accelerate this deployment, including the ‘privacy by design’ approach and assessment of network and information security and resilience.
(10) The Digital Agenda for Europe lists a set of appropriate measures, in particular on data protection in the Union, on network and information security and on cyber-attacks. The ‘Cybersecurity Strategy for the European Union: An Open, Safe and Secure Cyberspace’(10) and the Commission proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union of 7 February 2013(11) put forward legal measures and set incentives to foster investments, transparency and user awareness, aiming at making the EU's online environment more secure. Member States, in collaboration with industry, the Commission and other stakeholders, should take appropriate measures to ensure a coherent approach in security and personal data protection.
(11) The opinions of the Working Party on the protection of individuals with regard to the processing of personal data set up in accordance with Article 29 of Directive 95/46/EC, and the European Data Protection Supervisor's opinion of 8 June 2012(12) provide guidance to safeguard personal data and guarantee data security when data are processed in smart metering systems and smart grids. Opinion 12/2011 of the Working Party on smart metering recommends Member States to proceed with implementation plans which require a Privacy Impact Assessment.
(12) In order to leverage the benefits generated by smart metering systems, one of the key preconditions for the use of this technology is to find appropriate technical and legal solutions which safeguard privacy of the individual and protection of personal data as fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union. The Commission Recommendation 2012/148/EU(13) sets out specific guidance on data protection and security measures for smart metering systems and invites Member States and stakeholders to ensure that smart metering systems and smart grid applications are monitored and that fundamental rights and freedoms of individuals are respected.
(13) The Recommendation 2012/148/EU states that data protection impact assessments should make it possible to identify data protection risks in smart grid developments from the start, following the principle of data protection by design. It announces the development by the Commission of a Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems, to be submitted for opinion to the Working Party on the protection of individuals with regard to the processing of personal data.
(14) The Recommendation 2012/148/EU further indicates that the Data Protection Impact Assessment Template should guide data controllers in conducting a thorough data protection impact assessment which describes the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with Directive 95/46/EC, taking into account the rights and legitimate interests of data subjects concerned.
(15) The ‘Proposed Data Protection Regulation’ replacing Directive 95/46/EC would render Data Protection Impact Assessments mandatory under certain conditions, as a key instrument to enhance data controllers' accountability. In this respect, the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems, albeit itself non-compulsory, will serve the purpose, as an evaluation and decision-making tool, of supporting data controllers in the smart grids sector to comply with a future legal obligation under the ‘Proposed Data Protection Regulation’.
(16) A Template developed at Union level for conducting data protection impact assessments aims at ensuring that the provisions of Directive 95/46/EC and Recommendation 2012/148/EU are followed coherently across Member States and that a common methodology for data controllers guaranteeing adequate and harmonized processing of personal data throughout the EU is promoted.
(17) Such a Template should facilitate the application of the principle of data protection by design by encouraging data controllers to carry out an impact assessment of data protection as soon as possible, hence allowing them to anticipate potential impacts on the rights and freedoms of data subjects and implement stringent safeguards. Such measures should be monitored and reviewed by the data controller throughout the lifecycle of the application or system.
(18) The report produced from the Template's implementation should also contribute to national Data Protection Authorities activities regarding the monitoring and oversight of the compliance of processing and, in particular, the risks for the protection of personal data.
(19) The Template should not only facilitate the resolution of emerging data protection, privacy and security issues in the smart grid environment, but also contribute to addressing data handling challenges linked to the development of the retail energy market. Indeed, an important part of value in the future retail market will stem from data and wider integration of ICT into the energy system. The collection and organisation of access to this data are key to the creation of business opportunities for newcomers, especially aggregators, energy service companies or the ICT branch. Data protection, privacy and security will therefore become increasingly important issues for utilities to handle. The Template will help ensure, especially in the initial phase of the roll-out of smart meters, that smart metering system applications are monitored and that fundamental rights and freedoms of individuals are respected, by identifying data protection risks in smart grid developments from the start.
(20) Following submission of the Template — as formulated by the smart grid sector's main stakeholders through a process monitored by the Commission — to the Working Party for formal consultation, Opinion 04/2013 was issued. Subsequent to the submission of a revised Template based on Opinion 04/2013, the Working Party issued Opinion 07/2013 of 4 December 2013(14). The recommendations formulated in these two opinions were taken into account by the stakeholders.
(21) Opinion 07/2013 of the Working Party recommends the organisation of a test phase for the implementation of the Template, in which individual Data Protection Authorities may consider offering support. This test phase should contribute to ensuring that the Template provides improved data protection to individuals in the context of the deployment of smart grids.
(22) In light of the benefits generated by the Template for industry, consumers and for national Data Protection Authorities, Member States should cooperate with industry, civil society stakeholders and national data protection authorities to stimulate and support the use and deployment of the Data Protection Impact Assessment Template at an early stage in the deployment of smart grids and the roll-out of smart metering systems.
(23) The Commission should contribute to the implementation of this Recommendation directly and indirectly by facilitating dialogue and cooperation amongst stakeholders, in particular through the centralisation and dissemination of information feedback during the test phase between industry and national data protection authorities.
(24) In light of the test phase's conclusions and subsequent to the revision of Directive 95/46/EC, the Commission should assess the need to review and refine the methodology promoted in the Template.
(25) This Recommendation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the EU. In particular, this Recommendation seeks to ensure full respect for private and family life (Article 7 of the Charter) and the protection of personal data (Article 8 of the Charter).
(26) After consulting the European Data Protection Supervisor,
HAS ADOPTED THIS RECOMMENDATION:

I. SCOPE

1. This Recommendation provides guidance to Member States on measures to be taken for the positive and wide-ranging dissemination, recognition and use of the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (hereinafter referred to as ‘DPIA Template’), to help ensure the fundamental rights to protection of personal data and to privacy in the deployment of smart grid applications and systems and smart metering roll-out.
The DPIA Template is available on the website of the Smart Grid Task Force (http://ec.europa.eu/energy/gas_electricity/smartgrids/smartgrids_en.htm).

II. DEFINITIONS

2. Member States are invited to take note of the following definitions:
(a) ‘smart grid’(15) means an upgraded energy network to which two-way digital communication between the supplier and consumer, smart metering and monitoring and control systems have been added;
(b) ‘smart metering system’ means an electronic system that can measure energy consumption and production, adding more information than a conventional meter, and can transmit and receive data using a form of electronic communication(16);
(c) ‘data protection impact assessment’ means a systematic process for evaluating the potential impact of risks where processing operations are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, to be carried out by the controller or the processor, or the processor acting on the controller's behalf;
(d) ‘data protection by design’ requires implementing, having regard to the state of the art and the cost of implementation, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of Directive 95/46/EC and ensure the protection of the rights of the data subject;
(e) ‘data protection by default’ requires implementing mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage;
(f) ‘best available techniques’ means the most effective and advanced stage in the development of activities and their methods of operation, which indicate the practical suitability of particular techniques for providing in principle the basis for complying with the EU data protection framework. They are designed to prevent or mitigate risks on privacy, personal data and security.
(g) The Article 29 Data Protection Working Party was set up under the Directive 95/46/EC.

III. IMPLEMENTATION

3. In order to guarantee protection of personal data throughout the Union, Member States should encourage data controllers to apply the DPIA Template for Smart Grid and Smart Metering Systems, and in doing so, encourage them to take into account the advice of the Working Party on the protection of individuals with regard to the processing of personal data, in particular its Opinion 07/2013(17). The opinions of the Working Party are available on the Smart Grid Task Force's webpage (http://ec.europa.eu/energy/gas_electricity/smartgrids/smartgrids_en.htm).
4. Member States should cooperate with industry, civil society stakeholders and national data protection authorities to stimulate and support the dissemination and use of the DPIA Template at an early stage in the deployment of smart grids and the roll-out of smart metering systems.
5. Member States should encourage data controllers to consider, as a complementary element to the Data Protection Impact Assessment, the Best Available Techniques to be determined by Member States in collaboration with the industry, Commission and other stakeholders for each of the common minimum functional requirements for electricity smart metering as listed in point 42 of Recommendation 2012/148/EU.
6. Member States should support data controllers in developing and adopting Data Protection by Design and Data Protection by Default solutions enabling effective data protection.
7. Member States should ensure that the data controllers consult their respective national data protection authorities on the data protection impact assessment, prior to processing.
8. Member States should ensure that data controllers, following the conduct of a data protection impact assessment, and in line with their other obligations under Directive 95/46/EC, take the appropriate technical and organisational measures to ensure protection of personal data, and review the assessment and continued appropriateness of the identified measures throughout the lifecycle of the application or system.

IV. TEST PHASE

9. Member States should support the organisation of a test phase(18) with deployment of real cases, including by seeking and encouraging testers from the smart grid and smart metering industries to engage in this test phase.
10. Member States should ensure, during this test phase, that all relevant applications or systems apply the Template, the advice(19) of the Working Party on the protection of individuals with regard to the processing of personal data, as well as the provisions contained in Section III of this Recommendation, in order to have the best impact on data protection and to provide as much input as possible for the Template's subsequent review.
11. Member States should encourage and support national authorities competent for data protection to offer their support and guidance to data controllers throughout the test phase(20).
12. The Commission intends to directly contribute to the implementation and monitoring of the test phase by facilitating dialogue and cooperation amongst stakeholders, in particular by providing the stakeholder platform(21) for the organisation of stakeholder meetings involving the testers, industry and civil society representatives, national data protection authorities and energy regulators.
13. Member States should encourage the testers to communicate and share the results of the test phase with the national authorities competent for data protection and with the other relevant stakeholders in the framework of the stakeholder platform based on three categories of evaluation criteria:
(a) efficiency of the Template in assessing the impact of individual smart grid applications on data protection;
(b) usefulness of the Template in guiding the data controller in the conduct of the impact assessment according to the concrete circumstances of the application or system; and
(c) user-friendliness of the Template from the data controller's perspective.
The reporting on these evaluation criteria should focus on providing information relevant to the application of the Commission Recommendation and of the Template across all relevant applications or systems.
14. The Commission intends to ensure the compilation of an inventory of data protection impact assessments conducted during the test phase. The inventory of data protection impact assessments will be made available on the Smart Grid Task Force's webpage throughout the test phase and will be regularly updated in order to foster continuous and prompt improvement in the Template's application.

V. REVIEW

15. Within two years of publication of this Recommendation in the Official Journal of the European Union, Member States should provide the Commission with an assessment report highlighting the relevant conclusions stemming from the test phase.
16. Two years after the publication of this Recommendation in the Official Journal of the European Union, the Commission intends to assess the need for revision of the DPIA Template based on the test phase reports provided by Member States and in light of the abovementioned evaluation criteria. The Commission will consider organising a dedicated stakeholder event to exchange views on this assessment prior to undertaking a revision.
17. This revision should contribute to ensuring that the DPIA Template provides improved data protection to individuals in the context of the deployment of smart grids and adequately reflects the provisions of the revised Directive 95/46/EC and the Working Party's Opinion 07/2013.
Done at Brussels, 10 October 2014.
For the Commission
Günther OETTINGER
Member of the Commission
(1) Directive 2009/72/EC of the European Parliament and of the Council of 13 July 2009 concerning common rules for the internal market in electricity and repealing Directive 2003/54/EC (OJ L 211, 14.8.2009, p. 55).
(2) Directive 2009/73/EC of the European Parliament and of the Council of 13 July 2009 concerning common rules for the internal market in natural gas and repealing Directive 2003/55/EC (OJ L 211, 14.8.2009, p. 94).
(3) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
(4) Article 29 Data Protection Working Party, Opinion 12/2011 on smart metering, 00671/11/EN, WP183, 4 April 2011.
(5) Article 29 Data Protection Working Party, Opinion 04/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (‘DPIA Template’) prepared by Expert Group 2 of the Commission's Smart Grid Task Force, 00678/13/EN, WP205, 22 April 2013.
(6) Ibid. and Recommendation CM/Rec(2010)13 of 23 November 2010 of the Council of Europe Committee of Ministers to Member States on the protection of individuals with regard to automatic processing of personal data in the context of profiling.
(7) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(8)  COM(2012)11 final.
(9)  COM(2011) 202 final.
(10)  Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, ‘Cybersecurity Strategy for the European Union: An Open, Safe and Secure Cyberspace’, 7 February 2013, JOIN(2013) 1 final.
(11)  COM(2013) 48 final.
(12)  European Data Protection Supervisor's Opinion of 8 June 2012 on the Commission Recommendation on preparations for smart metering roll-out: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2012/12-06-08_Smart_metering_EN.pdf
(13) Commission Recommendation 2012/148/EU of 9 March 2012 on preparations for the roll-out of smart metering systems (OJ L 73, 13.3.2012, p. 9).
(14) Article 29 Data Protection Working Party, Opinion 07/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (‘DPIA Template’) prepared by Expert Group 2 of the Commission's Smart Grid Task Force, 2064/13/EN, WP209, 4 December 2013.
(15)  The DPIA Template, developed by the Smart Grid Task Force, defines smart grids as energy networks that can cost-efficiently integrate the behaviour of all users connected to them in order to ensure an economically efficient, sustainable power system with low losses and high quality and security of supply and safety: http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/expert_group1.pdf
(16)  Interpretative note on Directive 2009/72/EC concerning common rules for the internal market in electricity and Directive 2009/73/EC concerning common rules for the internal market in natural gas — Retail markets, p. 7.
(17)  See footnotes 4, 5 and 14.
(18)  See footnote 14.
(19)  See footnotes 4, 5 and 14.
(20)  See footnote 14.
(21)  The Stakeholder Platform will be the Smart Grid Task Force, which was created by the European Commission in 2009 as a policy platform to discuss and advise the Commission on policy/regulatory directions and coordinate the first steps towards smart grid deployment: http://ec.europa.eu/energy/gas_electricity/smartgrids/taskforce_en.htm