Smart Meters LINKY : The French DPA Puts Energy Groups on Notice
One of the major challenges of Smart Cities is the collection of user’s data in order to deduce correlations such as transport flows or consumption of energy. In France, two major electric supplier companies – EDF and ENGIE – offer connected LINKY meters in order to adapt the electricity supplied to household consumption. These devices allow data consumption to be tracked and sent either on a daily basis, or in a more detailed manner each half-hour. While aggregated daily consumption data can be collected without the agreement of the consumer, the collection of more detailed data consumption – which indicate the electricity consumption half an hour by half an hour – is based on the customer’s consent.
In its formal notice of 11 February 2020, the French data protection authority (CNIL) points out two major problems: an issue relative to customer’s consent and another one related to an excessive retention period.
1/ On the consent issue: After recalling the requirements of the GDPR, the French Data Protection Authority mentions two shortcomings regarding the specificity of the consent collected as well as its freely-given nature.
1.1 On the specificity of the consent: the companies are criticized for collecting one global agreement for two distinct operations – and even three for EDF. In fact, the latter collected a single consent for the collection of daily and half-hourly data, as well as for enrolment in the consulting service provided by the company. To be in compliance, the companies should, therefore, have to obtain the consent of customers for both daily data, on the one hand, and half-hourly data on the other hand.
1.2 On Informed Consent: Companies are criticized for not providing sufficient information to customers to base their consent on. The CNIL criticized EDF for presenting both types of data as equivalent and ENGIE for being too vague.
2. On the retention period: Finally, the French watchdog criticizes an excessively long retention period of consumption’s data after the termination of the contract.
2.1 On EDF practices : The CNIL is challenging the company to keep daily and half-hourly data for 5 years on an active database. While these data are not necessary for billing purposes and in the absence of an archiving procedure, the duration is thus considered excessive.
2.2 On ENGIE practices : The CNIL criticizes ENGIE for keeping the monthly data required for invoicing. In fact, after having kept these data for 3 years on an active database, which is in compliance with the law, the company keeps them for 8 years on an archiving database, that is criticized by the French DPA.
The authority has given companies three months to comply and has decided to make these notices public in order to alert consumers on the practices of these companies and to inform them about their data rights.