Privacy by Design for smart meters
As states are initiating docket proceedings related to smart meter privacy and passing privacy protection legislation to regulate utility providers utilizing smart meters, it is interesting to note how one utility provider has taken steps towards protecting consumer privacy.
San Diego Gas & Electric (SDG&E) is a utility provider based in southern California. California has been one of the most active states in the country in proactively regulating the protection of smart grid consumer data. So SDG&E has sought to address the regulatory and consumer concerns by adopting Privacy by Design with respect to its smart meter programs.
This blog has previously covered the FTC’s adoption of Privacy by Design as a central component of its recent privacy report. The premise underlying Privacy by Design is that companies will better protect consumer data privacy if they fully incorporate safeguards and a culture of respecting privacy into the early stages of operations, rather than simply responding to legislation and regulations.
Originally developed by Dr. Ann Cavoukian, the current Ontario Information and Privacy Commissioner (IPC), Privacy by Design has been well-received internationally. At its core, Privacy by Design as articulated by the IPC is a set of seven principles designed to achieve its objectives, which the IPC has adapted to apply directly to the smart grid. These principles are:
- To prevent privacy-invasive events from occurring, Smart Grid systems should feature privacy principles in their overall project governance framework and proactively embed privacy requirements into their designs.
- Smart Grid systems must ensure that privacy is the default — the “no action required” mode of protecting privacy.
- Smart Grid systems must make privacy a core, essential functionality in the design and architecture of Smart Grid systems and practices.
- Smart Grid systems must avoid any unnecessary trade-offs between privacy and the legitimate objectives of Smart Grid projects.
- Smart Grid systems must embed privacy end-to-end, throughout the life cycle of any personal information collected.
- Smart Grid systems must be visible and transparent to consumers to help ensure that new Smart Grid systems operate according to stated objectives.
- Smart Grid systems must be designed with respect for consumer privacy, as a core foundational requirement.
SDG&E has relied on these principles as a foundation in creating its Smart Pricing Program, which helps to provide consumers with custom pricing plans tailored to their energy usage. For instance, SDG&E has (i) created a dedicated privacy team, (ii) required that consumers affirmatively opt-in to the collection of any data beyond the minimum (as opposed to imposing on consumers a requirement to opt-out), (iii) created a notice informing new customers of the level of data collection to which they will be subject and (iv) appointed “privacy champions” (subject experts) to promote privacy within the company.
SDG&E’s Smart Pricing Program remains in its beginning stages, so it will be interesting to see how it evolves, and whether it drives other utility companies to respond to consumer privacy demands in a similar manner. SDG&E is working with the IPC in implementing the program to help take advantage of the IPC’s institutional knowledge of applying Privacy by Design to the Smart Grid. The two parties have jointly released a white paper detailing the specific steps that SDG&E hopes to take.