On 27 March, the French Data Protection Authority (CNIL) made public a formal notice to Direct Energie, the French electricity supplier. At issue: the collection from smart meters of consumption data by the hour or by the half hour, without the customer's prior "free, informed and specific" consent to such disclosure. Although the decision of the CNIL is based on French law, it applies the same principles as those set out in the GDPR and is therefore of interest throughout the EU, as an indication of the likely approach of other authorities to this issue post-GDPR.

In a nutshell, why does the CNIL criticize Direct Energie?

According to the CNIL’s formal notice to Direct Energie, during the installation of a smart meter, Direct Energie asked Enedis, which manages the distribution network, to provide the electricity consumption data of its customers. The CNIL considers such personal data sensitive, as they can reveal information relating to customers' privacy (times when they wake up or go to bed, periods of absence or number of people at home…). The CNIL had already underlined in the past that consent was needed for the collection or disclosure through smart meters of detailed consumption data of customers. Consent is also considered a requirement at European level by the “Article 29 Working Party” – the European Data Protection advisory board – for using smart metering technology in the energy sector.

The CNIL criticizes Direct Energie for asking customers to consent simultaneously to two things:

  1. the activation of the smart meter, and
  2. the collection of their consumption data.

However, the activation of the smart meter does not depend on Direct Energie, but on Enedis which manages the distribution network. Therefore the smart meter would be activated anyway, even without the customers' consent.

According to the CNIL, “the customer is under the false impression that he chooses to activate the meter, while he actually only consents to the collection of his consumption data.”

Moreover, Direct Energie states in its information notice to customers that this collection of their consumption data will allow more precise billing, whereas the company does not actually offer a billing based on hourly consumption, reports the CNIL.

The company now has a period of three months to comply. If it does not comply, the CNIL can impose a fine of up to € 3 million under the current French data protection (DP) act. The CNIL underlined that it decided to make this notice public in order to make people aware of their rights and their ability to control their energy consumption data.

Why is this decision important in the light of the looming GDPR requirements?

1) This decision from the CNIL results from an interpretation of the notions of consent and legal basis for processing of personal data, which in the current French DP act already mirror the GDPR requirements which will enter into application by May 25 2018 in all E.U. Member States.

  • Under article 4 of the GDPR, consent to the processing of personal data – when required – must be "freely given, specific, informed and unambiguous": In this case, the CNIL considered that consent was not valid, because it was not correctly informed, and that moreover it was not free and specific since there was only one consent for two different purposes, which was confusing since consent to the collection of consumption data was presented as linked to the activation of the smart meter;
  • Also under article 6 of the GDPR, processing of personal data must have a legal basis, which can be consent, or another alternative legal basis, such as for instance when the processing is necessary for the performance of a contract, or when the processing is necessary for the purposes of the legitimate interests pursued by the company, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals: In this case, the CNIL considered that the collection of personal data relating to the hourly consumption is not necessary for the performance of the contract entered into by the customer, which only requires the supply of electricity billed on a monthly basis. As regards the legitimate interest pursued by the company, the CNIL considered that according to the information notice provided to customers, the collection of data relating to their hourly consumption would allow a more precise billing, “but that the automatic collection of this data which is particularly intrusive and detrimental to their privacy disregards their interests and rights, especially since there are no tariff offers based on their hourly consumption”. For these reasons the CNIL concluded that the processing had no legal basis since it was not based on valid consent, and that other possible legal bases failed to apply.

2) Another interesting data protection issue under the GDPR, to be considered in the future by companies looking to process customer usage data, relates to the new right provided by article 21 of the GDPR to object at any time to profiling of personal data for direct marketing purposes:

  • This new right will come in addition to the already existing right to object to receiving direct marketing offers, and implies that if a customer refuses to have his personal data “profiled”, i.e. used to evaluate his behaviour for direct marketing purposes, then the company will have to stop profiling the customer.

When the GDPR comes into application, customers will therefore be able to object to the profiling of their data for marketing purposes in all cases. In the specific case of smart meters, prior consent is required due to the sensitive nature of the energy consumption data collected. But in the future, in all cases where companies wish to gain a better understanding of their customers' behaviour, for instance by analyzing their consumption in order to adapt their marketing offers accordingly, customers will have a right to ask them to stop doing so. This could, for example, result in companies being obliged to suppress those customers' data from their customer relationship management systems.

This new right and its impact must be anticipated by companies, which must be able in the future to ensure that their systems technically reflect the requirements of the new anti-profiling right according to the Privacy by design principle which is also provided by the GDPR.

In addition, they must review their communication strategy in order to explain the possible benefits of profiling for their customers and why customers may be interested in receiving offers better adapted to their needs. In the same way, Direct Energie will need to explain why consenting to the collection from smart meters of consumption data and to the analysis of the consumption details will allow it to adapt the electricity production to the real needs of the consumer, in order to reduce his or her electricity bill.