Rapid developments in technology have dramatically increased the scale of data sharing and collection, bringing new challenges in the area of personal data protection. Considering the importance that building trust in the online environment has for economic and social development, the European Union has established a regulation for personal data protection. The existing EU legislation on personal data protection (Directive 95/46/EC), adopted in 1995, intends to protect the fundamental right to data protection and guarantee the free flow of personal data between member states. Currently, a proposal is being discussed for a revised data protection directive.
Data protection directive
The European Union Directive 95/46/EC for Data Protection is the official document whose objective is the protection of individuals with regard to the processing of personal data and the free movement of the data obtained. The Directive represents an important component of EU privacy and human rights law.
The Data Protection Directive gives specific definitions for personal data and for the parties involved in data collection, which are (Art. 2 a-h, Directive 95/46/EC):
- Personal data “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”
- Processing “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;”
- Personal data filing system “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.”
- Controller “a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by National or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by National or Community law.”
- Processor “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”
- Third party “any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.”
- Recipient “a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients.”
- Data subject’s consent “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
The principles of the Directive are honesty and transparency, legitimate purpose and proportionality, in order to guarantee the free flow of data within the EU. As a result of the Data Protection Directive, European Union member states have implemented legal provisions to protect the personal data of their citizens, and the following basic principles for processing personal data have to be followed in all Member States:
Honesty and Transparency
The data subject has the right to be informed when his or her personal data are being processed. The controller must provide his or her name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. Data may be processed only under the following circumstances:
- when the data subject has given his or her consent
- when the processing is necessary for the performance of or the entering into a contract
- when processing is necessary for compliance with a legal obligation
- when processing is necessary in order to protect the vital interests of the data subject
- when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
- when processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject
The data subject has the right to access all data processed about him or her. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn’t being processed in compliance with the data protection rules.
Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes.
Personal data may be processed only insofar as they are adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified. The data should not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. When sensitive personal data (including religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply.
Impact of the Directive 95/46 on a project
The Data Protection Directive has a direct impact on the implementation of the project’s EDSS and EMS solutions. The envisaged services are focused on improving users’ resource management service involving personal data of their consumption behaviour. However, the information collated is not always classed as personal data, and it is up to the pilot sites to define the type of information they will manage during the project.
The collection, processing and transmission of personal data must be analysed under the principles of Directive 95/46/EC and especially of the national laws adopted to implement it. Any additional regulations at national level that are not in the Directive and apply to data protection or any other sensitive information are also taken into account for SMARTSPACES project development.
Regarding the Directive’s principles, honesty and transparency refer to informing the data subject that their personal data is being used. Therefore, data managed during the SMARTSPACES project must be processed only under the following preconditions which need to be met (Art. 7, Directive 95/46/EC):
- When the data subject has given her/his consent
- When the processing is necessary for the performance of or the entering into a contract
- When processing is necessary for compliance with a legal obligation
- When processing is necessary in order to protect the vital interests of the data subject.
The rights of the users from whom information has been collected are:
- Right of access to collected information
- Right of correction of this information
- Right of opposition to the collection and the processing, in particular the right of opposition to processing for the purposes of commercial campaigns, to use by third parties and to transfer.
Another principle that applies to the SMARTSPACES project is the legitimate purpose, which implies that personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes.
Processing can only be carried out if the user gives her/his consent, meaning a “demonstration of free, specific, and informed will by which the person concerned accepts that personal data relating to her/him is the subject of a data-processing”.
A derogation from this principle is possible whenever the processing is “necessary for the conclusion of a contract to which the person is a part” (and, consequently, consent was given by implication). This question requires an examination of the national rules by which the Member States have transposed the Directive.
Current EC Proposal
The next iteration is likely to be summarised under the title “General Data Protection Regulation” (GDPR).
Since the Directive 95/46 was first introduced, Data Protection Acts have frequently been amended by legislation, with substantial changes especially during 2009 and 2010, widely driven by the essential changes in ICT related technology. In fact, the law on Data Protection is about to undergo the most fundamental change in 15 years. On 25 January 2012, the European Commission officially presented a first draft of the new data protection regulation for a comprehensive reform of the 1995 data protection rules on personal data processing across the European Union. Once the proposal passes into law, through the European parliamentary system, it will replace the existing Data Protection Act and will require organisations operating in or with the EU to make significant changes to the way they deal with personal data processing and use. The new EU regulation is scheduled to replace the existing Data Protection Act by 2014 at the earliest, as the European Commission has set a two-year timetable for the implementation of this proposal through the parliamentary system. This draft regulation mainly aims to:
- Promote greater harmonisation of data protection across the EU through a single European legislation. As the Directive has not been consistently implemented across the EU member states, significant differences are observed in their national laws. The new regulation, when implemented, will apply directly across all the EU, and the member states would not need to transpose the new measures by implementing their own local law in each jurisdiction. Consequently, companies operating in more than one EU country would no longer need to cope with the national regulation of each member state. Within the new regulation framework, the current provisions set by member states for national reasons would also disappear.
- Introduce a single data protection regulator for the businesses processing personal data across the EU. International businesses will only have to deal with the data regulator of the country where the company has its main establishment instead of dealing with each data regulator in each member state. The draft proposal of the new regulation also includes guidelines on how to identify the main establishment of the company. Citizens would still be allowed to address complaints to the regulatory authority in their country of residence, in order to prevent negative impacts on the level of citizens’ privacy protection.
- Make the data processors share equal responsibilities. The new regulation shall apply to any data processor in the European Union and also to those outside the Union which offer goods and services to the EU citizens.
- Restrict the use of personal data. Before organisations process data, they should require in advance and on an opt-in basis the consent to use personal information. The age for requiring parental consent is proposed to be 13 years. According to the new draft regulation, individuals will have the right to demand that an organisation transfer information held about them to a third-party organisation, in a format determined by the individual.
- Increase fines and duties for the companies. For repeated breaches and serious violations the supervisory authorities will impose penalties up to €1 million or up to 2% of a company’s global annual turnover. For less serious violations the fines will vary from €250,000 up to 0.5% of turnover. For not supplying information to a user or when not having rectified data the fines are up to €500,000 or up to 1%. The new EU regulation extends administrative duties for the companies, such as: an additional transparency obligation (Article 14); an unlimited right to information (Article 15); drafting corporate guidelines (Article 11); and complex documentation (Article 28). Smaller organisations are put in a better position under the new proposed draft regulation. The obligation to have a data protection officer applies to all public authorities and all businesses employing more than 250 employees, and does not apply to organisations with more than 10 employees as stated before.
- Set up a new obligation for reporting data protection breaches. The concept already exists in some EU jurisdictions, such as in Germany and Ireland. The draft regulation states that in cases of any personal data breach, the data controllers should notify their relevant data protection supervisory authority within 24 hours, or explain the reasons for not being able to explain the full details of the breach. Separate requirements include notification of data subjects.
- Introduce two new data subject rights for data processors. The draft regulation introduces the ‘right to be forgotten’ and the ‘right to data portability’. The current data protection already contains legislation regarding the right of the data subject “to be forgotten”, and the new regulation draft develops some further specifications related to this issue. To strengthen this right in an online environment, the draft regulation expands the right to erasure and gives the individual the right to require a data controller who has made personal data publicly available to stop processing their personal data and to cease all marketing, and also to inform third parties which are processing that data whenever a data subject requests them to erase it. The right to data portability is the right of the data subjects to require and obtain a copy of their own personal data. In the cases when data subjects provide their data to automated processing systems, they would be allowed to transmit that data from one automated application into another one.
Status: On 24th June 2015 the first Trilogue Meeting on the GDPR took place. All parties committed to reform 95/46/EC. Until the Regulation is finally accepted, the issues listed above will require observation to ensure data protection matters relevant to Smart Grids are matched to this future legislation.
EC recommendations for the roll-out of smart-metering
2012/148/EU: Commission recommendation on preparations for the roll-out of smart metering systems. Official Journal L 73, 13/03/2012, p. 9.
The EC recommendations in question address entire member states and their regulatory environment. This section links the European regulatory background to the National level.
Along with the strict enforcement of the Data Protection Directive and other European legislation (see above), the following recommendations are provided:
- Smart grids need to ensure data protection and prepare for network and information security (e.g. cyber attacks). The ‘Digital Agenda for Europe’ is recommended as a source for further detail (paragraph 4).
- Technical and legal solutions have to safeguard protection of personal data as a fundamental right under Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union. These matters are of particular relevance during the roll-out phase (paragraph 5).
- Data protection impact assessments should make it possible to identify from the start data protection risks in smart grid developments. (paragraph 9)
- “Data protection and information security features should be built into smart metering systems before they are rolled out and used extensively. Such features can effectively improve consumers’ control over the processing of personal data.” (paragraph 10)
- The principle of ‘security and data protection by design’ should be stimulated by early cooperation of member states and industry as well as civil society stakeholders. (paragraph 11)
- The recommendations highlight that any party with access “should take all reasonable steps to ensure that data cannot be traced to an identified or identifiable person […]”. (paragraph 12)
- Recommendations for privacy enhancing technologies (PETs) have been provided by the EC, especially by using anonymous or pseudonymous data wherever possible.
- “A template developed at Union level for conducting data protection impact assessments will ensure that the provisions of this Recommendation are followed coherently across Member States.” (see Data Protection Impact Assessment (DPIA) Template) (paragraph 14)
Data Protection Impact Assessment (DPIA) Template
The template is being revised on a regular basis. The reader should verify that this is the most up-to-date version.
The EU privacy and data protection framework is composed of a set of several instruments and provisions, among which the data protection Directive 95/46/EC is the main one. However, within this framework of available regulatory instruments, the EC calls attention to a clear distinction between the ‘right to privacy’, preserved in only one provision (Article 7 of the EU Charter for Fundamental Rights), and ‘the right to data protection’, which is instead enshrined in several instruments. In January 2012, a ‘general data protection’ proposal was released by the EC, which under its Art. 33 explicitly provides for Data Protection Impact Assessment (DPIA). In brief, the main DPIA provisions include:
- Mandatory DPIAs for the data controller under specific circumstances as cited in Art. 33.2
- Minimum of DPIA requirements
- Stakeholders’ involvement in the DPIA process, etc.
The DPIA template is part of the Commission Recommendations regarding data protection and security issues and has been submitted to the Article 29 Working Party for consultation. This is in accordance with point 5 of the Recommendation adopted by the Commission for the rollout of smart metering systems in the electricity and the gas markets.
Upon request, key benefits and limitations of the DPIA template can be received from empirica.