Privacy Advisor

Stakeholders Aim To Craft Smart Grid Privacy Code of Conduct

February 27, 2013


By Angelique Carson, CIPP/US

The Federal Smart Grid Task Force, led by the U.S. Department of Energy, recently held its first stakeholder meeting on a voluntary code of conduct (VCC) for energy utilities and third parties. The voluntary code would indicate to consumers a company’s commitment to data protection and privacy when it comes to the smart grid. The stakeholder discussions follow widespread consumer and advocate concern over smart grid data use as smart meters are increasingly rolled out, energy data becomes digitized and third parties focus their eyes on using it for marketing and other purposes.

At the live-streamed and interactive February 26 meeting in Washington, DC, stakeholders outlined utilities’ current and future data protection and privacy concerns, such as the granularity of smart grid data, who has access to it and for what purposes, and how to be transparent with consumers.

Federal Trade Commission (FTC) Attorney Ruth Yodaiken of the Federal Smart Grid Task Force opened the event by stating that the FTC, which regulates utilities in cases of deceptive practices, will look favorably at companies engaged in a voluntary code when it must open an investigation into privacy violations, especially “strong codes…codes that are significant and say more than ‘We are gonna try to be good with our consumer data.’”

Paula Carmody of the Maryland Office of People’s Counsel said over the decades, utility customers have become accustomed to dealing with regulated utilities and have enjoyed a sense of security when it comes to data retention. The smart grid, however, has changed that. Energy data can now be used to glean keen insights into consumers’ household habits, and that data is valuable to third parties such as marketers, which makes some consumers and consumer advocates uncomfortable.

“People do have an interest in data security that probably wasn’t there 10 years ago,” Carmody said.

She cautioned that utilities may find themselves increasingly regulated not only by state utility commissions but also by state attorneys general (AG). She noted Maryland AG Doug Gansler’s commitment last year—as president of the National Association of Attorneys General—to “Privacy in the Digital Age” as the organization’s main initiative.

Duke Energy’s Mark Hollis indicated support for a VCC but noted a widely adopted code may be difficult to establish given that utilities operate in various jurisdictions across the U.S. He wondered what a uniform code might look like as a result.

“Will it be one-size-fits-all? Will you have to adopt pieces of it? Can you adopt pieces of it? There are some questions still to be answered there.”

He added that the code, whatever form it may take, must not be lip service and must apply broadly.

“If it’s not adopted widely, and it’s not a strong code, we probably should just call it a day,” he said. “If it’s just another document that everyone will keep on their desks, we’ll bow out gracefully.”

Jules Polonetsky, CIPP/US, co-founder of the Future of Privacy Forum, which launched a smart grid privacy seal last year for companies that use consumer energy data, echoed Hollis’ sentiment that a VCC must not be a document that “sits in a drawer” but rather a code that is “accountable, adopted and therefore enforced.”

He added that times have changed when it comes to the digital information ecosystem.

“Once upon a time, websites had your data and they set the rules for what happened. Today, lots of third parties dictate to websites how data is elected and used, and often those first parties don’t even know or have any substantial say,” he said. “And in fact, those third parties will tell the first party how the data is used, and you’ve got to go along if you like analytics and advertising. That’s what the world looks like now on the Web, and I don’t think that’s what we want this world to look like.”

However, any VCC should have some flexibility, Polonetsky said. He suggested either the establishment of a trade group that would accept members pledging adherence to the code or the development of a process to discipline those who do not.

Xcel Energy’s Megan Hertzler, CIPP/US, said it needs to be confirmed whether the code should apply to companies already regulated by some entity or to those outside of that sphere. She added that no matter what code a utility may adhere to, it will be difficult to regulate how associated third parties treat that data once it leaves the utility.

Carmody later introduced a proposed set of elements to be included within a VCC with provisions on data management and accountability; notice and purpose, choice and consent, collection and scope; use and retention; individual access; disclosure and limiting use; security and safeguards; accuracy and quality; openness, monitoring and challenging compliance, and enforcement mechanisms.

Additional concerns voiced at the meeting centered on whether an attempt at establishing a VCC may be a duplication of efforts, given the groundwork already done by the National Institute of Science and Technology and the North American Energy Standards Board; whether a VCC may create a complicated matrix of rules for utilities to comply with; which players will be charged with what obligations; how to treat aggregated data, and how to create a sound definition of “sufficiently anonymized data.”
