29 March 2018
The French data protection authority (‘CNIL’) announced, on 27 March 2018, that it had issued a formal notice to DIRECT ENERGIE, Société Anonyme, for failing to obtain consent for the collection of customer usage data from its Linky smart meters, and ordered it to collect valid consent for the processing, including from those whose data has already been processed, within three months of receiving the notice (‘the Notice’).
Ariane Mole, Partner at Bird & Bird AARPI, told DataGuidance, “The Notice results from an interpretation of the notions of consent and legal basis for processing of personal data, which, in the Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, already mirror the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) requirements. Although the decision of CNIL is based on French law, it applies the same principles as those set out in the GDPR and is therefore of interest throughout the EU as an indication of the likely approach of other authorities to this issue post-GDPR.”
CNIL observed that at the time of the installation of the Linky meter, customers were asked to provide a single consent for the installation of the meter and for the collection of hourly electricity consumption data as a corollary of the activation of the meter and in order to benefit from certain tariffs; however, as the installation was mandatory, customers were in fact only consenting to the data collection. Therefore, CNIL determined that consent obtained in such a way by DIRECT ENERGIE was invalid, as it could not be considered free, informed and specific. In addition, further shortcomings were found in relation to the collection of daily consumption data from the distribution network operator, which took place without requesting customers’ consent.
Mole noted, “[Further,] under Article 6 of the GDPR, the processing of personal data must have a legal basis […]. In this case, CNIL considered that the collection of personal data relating to the hourly consumption was not necessary for the performance of the contract entered into by the customer, which only requires the supply of electricity, billed on a monthly basis. As regards the legitimate interest pursued by the company, CNIL found that according to the information notice provided to customers, the collection of data relating to their hourly consumption would allow a more precise billing, ‘but that the automatic collection of this data, which is particularly intrusive and detrimental to their privacy, disregards their interests and rights, especially since there are no tariff offers based on their hourly consumption.’ For these reasons CNIL concluded that the processing had no legal basis, since it was not based on valid consent, and that other possible legal bases failed to apply.”
In addition to requiring DIRECT ENERGIE to correct the detected shortcomings, CNIL decided to publish the Notice in order to raise awareness about the issue. CNIL stated that if DIRECT ENERGIE complies within the deadline provided, it will not issue any penalty.
Mole added, “Another interesting GDPR issue to be considered by companies looking to process customer usage data relates to the new right provided by Article 21 to object at any time to the profiling of personal data for direct marketing purposes. While in this specific case prior consent is required due to the sensitive nature of energy consumption data collected, in all future cases where companies wish to have a better understanding of their customers’ behaviour by analysing their consumption [habits], customers will have a right to ask them to refrain from doing so […] This new right and its impact must be anticipated by companies, which must be able to ensure that their systems technically reflect the requirements of the new anti-profiling right according to the Privacy by Design principle […] In addition, they must review their communication strategy in order to explain the possible [benefits] of profiling for their customers […] In the same way, DIRECT ENERGIE will need to explain why consenting to the collection of consumption data from smart meters and to the analysis of [such data] will allow them to [meet] the real needs of the consumer and, for instance, reduce their electricity bill.”
Cristina Ulessi | Privacy Analyst