California Adopts Smart Grid Privacy Rule
On July 28, the California Public Utilities Commission adopted a groundbreaking privacy and security rule for Smart Grid energy usage data. The decision and attachments are here and here, respectively. The rule should be a model for other states as well as for federal Smart Grid initiatives.
The Smart Grid uses information technology to better manage electrical energy production, transmission and consumption. By making more information available to all participants, from utilities to consumers, it offers benefits in terms of greater energy efficiency, lower utility bills, and "greener" power generation. At the same time, however, the highly detailed information flowing through the new “smart” energy ecosystem also presents new privacy risks. The sophisticated metering technologies associated with the Smart Grid enable the unprecedented collection of household energy consumption data that can reveal intimate details about personal activities, such as sleep, work, and travel habits.
For some time, there has been broad consensus that data privacy and consumer trust are of central importance to all Smart Grid stakeholders. Consumers must be assured that data about their energy usage is protected against misuse. Utilities need guidance on the conditions under which they can disclose consumer data to third parties. Companies developing new services using this data deserve clarity and certainty as to their responsibilities. However, the traditional patchwork of federal and state laws and industry practices for handling energy usage data is ill-suited to the new data flows. Until California’s recent breakthrough, federal and state government agencies had failed to articulate in sufficient detail a workable framework for managing the privacy and security of home energy consumption data in the Smart Grid context.
CDT was intensively engaged in the proceeding of the California PUC, working in collaboration with the Electronic Frontier Foundation and represented by the Samuelson Law, Technology & Public Policy Clinic at the University of California Berkeley School of Law. In the course of the California proceeding, CDT and EFF laid out a comprehensive data privacy framework based on the Fair Information Practice Principles (FIPPs), which the PUC adopted. Based on that framework, CDT and EFF then drafted a detailed privacy rule intended to provide both the clarity and the flexibility demanded of this still evolving field. CDT and EFF worked with Pacific Gas & Electric to clarify and improve the proposed rule. After extensive comment and some revisions, the PUC adopted a privacy and security rule based largely on the initial proposal of CDT and EFF. The rule tracks all elements of the FIPPs framework, from transparency to accountability.
The CPUC decision leaves some gaps. In particular, the new rule does not address the privacy and security of data that consumers disclose directly to third parties or authorize third parties to obtain from the smart meters in the home. This is an area that merits continuing attention by the regulators, policymakers and consumer advocates.
All in all, though, the California Smart Grid privacy rule is a remarkable achievement that merits the attention of not only utility commissions in other states but also of stakeholders in other sectors, for it shows that a comprehensive privacy and data security framework can be crafted that supports both technology innovation and consumer protection.