Following the standard introduction – the EDPS ‘welcomes’ and ‘appreciates’ the efforts of the Commission, and ‘supports the Commission's plan’ – the Opinion gets to the nitty gritty. “That being said,” he says, “the EDPS, in this Opinion, also highlights the issues that in his view would have required more clarity or further specificity in the Recommendation and makes some constructive suggestions as to further steps.”
The issues are more clearly put in the accompanying announcement. While Europe-wide smart metering will bring significant benefits, “it will also enable massive collection of personal data which can track what members of a household do within the privacy of their own homes, whether they are away on holiday or at work, if someone uses a specific medical device or a baby-monitor, how they like to spend their free time and so on.” In short, on the dangers of data mining he warns, “Patterns and profiles can be used for many other purposes, including marketing, advertising and price discrimination by third parties;” to which we should perhaps add, ‘social engineering’.
The EDPS is, naturally, concerned about the privacy implications, and stresses that there should at least be “a mandatory requirement for controllers to conduct a data protection impact assessment and an obligation to notify personal data breaches." (His emphasis.) He also wants to see the mandatory application of privacy-enhancing technologies and data minimization techniques, more guidance on data retention periods, direct access by users to the energy usage data, and the disclosure of both profiles and the logic of algorithms used for data mining. It is noticeable, however, that he doesn’t seek to exclude profiling and data mining, he merely recommends “informed consent for tracking customer behavior and profiling of individuals. In order for the consent to be valid, it must be genuinely informed.”
But the EDPS Opinion says nothing about any potential external threat, nor how to handle it. He deals solely with the threat of the misuse of data by the legitimate data gatherers. David Mahdi, global product marketing manager at Entrust, points out, “Attackers today, will exploit anything that has a big payoff, and smart grids open the door for many to be disrupted.” He believes that the threat landscape is so complex that “that it would be quite bold to say that there aren't any security risks.” In short, he told Infosecurity, “I would say that there isn't a silver bullet, and organisations that are responsible for smart grids should ensure that they have anticipated all perceived threats, and accounted for all measures.”
The future implementation of smart grids across Europe will need to look very closely in both directions: at the potential misuse of data by the data gatherers, and the potential theft of that data by old-fashioned, traditional hackers.