Assessing the European approach to privacy and data protection in smart grids : Lessons for emerging technologies

In this chapter, we would like to sketch societal challenges posed by smart grids, and in particular those related to surveillance, and – subsequently – to critically as- sess the approach of the European Union (EU) to addressing them. We first use the Dutch example of smart meters roll-out to illustrate that smart grids constitute a complex socio-technical phenomenon, and first and foremost, can be used as a sur- veillance tool (sections 2-3). Second, as the treat of abusive surveillance, to which we limit this chapter, is frequently framed in the language of privacy and personal data protection, we briefly introduce relevant legal frameworks of the EU (section 4) in order to demonstrate how smart grids interfere with these notions (section 5). Third, although the said frameworks solved some issues, they still left a number of open questions. Thus the EU has experimented with adding, on top of them, a “light” regulatory framework for personal data protection in smart grids, of which a data protection impact assessment (DPIA) can be seen as a core element. Having overviewed this development in section 6, we attempt to critically assess it in a sub- sequent section. We analyse the choice of regulatory instruments, their scope, focus, quality and effectiveness, among others. We conclude, in section 8, that the DPIA framework, chosen as the main means to solve the threat of abusive surveillance in smart grids, is rather a missed opportunity.

[1]  M. Hildebrandt Legal and Technological Normativity: more (and less) than twin sisters , 2008 .

[2]  Raymond Wacks,et al.  Privacy: A Very Short Introduction , 2010 .

[3]  David Wright,et al.  Constructing a surveillance impact assessment , 2012, Comput. Law Secur. Rev..

[4]  David Wright,et al.  Surveillance: Extending the Limits of Privacy Impact Assessment , 2012 .

[5]  Karen Yeung,et al.  An Introduction to Law and Regulation: Text and Materials , 2007 .

[6]  Michael Friedewald,et al.  Minimizing Technology Ricks with PIAs, Precaution, and Participation , 2011, IEEE Technology and Society Magazine.

[7]  A. Cavoukian,et al.  SmartPrivacy for the Smart Grid: embedding privacy into the design of electricity conservation , 2010 .

[8]  Dennis D. Hirsch,et al.  Protecting the Inner Environment: What Privacy Regulation Can Learn from Environmental Law , 2007 .

[9]  C. Kuner The European Commission's Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law , 2012 .

[10]  P. Hert,et al.  The trouble with technology regulation from a legal perspective : Why Lessig's 'optimal mix' will not work , 2008 .

[11]  Colin J. Bennett,et al.  The Governance of Privacy: Policy Instruments in Global Perspective , 2006 .

[12]  M. Atwood In a Cat's Eye , 1988, Science.

[13]  Paul De Hert,et al.  The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals , 2012, Comput. Law Secur. Rev..

[14]  Mireille Hildebrandt,et al.  Data protection by design and technology neutral law , 2013, Comput. Law Secur. Rev..

[15]  Michael Friedewald,et al.  Seven Types of Privacy , 2013, European Data Protection.

[16]  C. Clastres Smart grids: Another step towards competition, energy security and climate change objectives , 2011 .

[17]  Ross Anderson,et al.  Who Controls the off Switch? , 2010, 2010 First IEEE International Conference on Smart Grid Communications.

[18]  K. Davies,et al.  Scientific Citizenship and good governance: implications for biotechnology. , 2006, Trends in biotechnology.

[19]  D. Lyon Surveillance Studies: An Overview , 2007 .

[20]  P. Hert,et al.  Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action , 2009 .

[21]  Bert-Jaap Koops,et al.  Smart Metering and Privacy in Europe: Lessons from the Dutch Case , 2013, European Data Protection.

[22]  D. Collingridge The social control of technology , 1980 .

[23]  P. Hert A Human Rights Perspective on Privacy and Data Protection Impact Assessments , 2012 .

[24]  S. Gutwirth Biometrics between opacity and transparency. , 2007, Annali dell'Istituto superiore di sanita.

[25]  David Wright,et al.  Should privacy impact assessments be mandatory? , 2011, Commun. ACM.

[26]  David Wright,et al.  The state of the art in privacy impact assessment , 2012, Comput. Law Secur. Rev..

[27]  Rainer Knyrim,et al.  Smart metering under EU Data Protection Law , 2011 .

[28]  S. Spiekermann The RFID PIA – Developed by Industry, Endorsed by Regulators , 2011 .

[29]  Rachel Finn,et al.  Unmanned aircraft systems: Surveillance, ethics and privacy in civil applications , 2012, Comput. Law Secur. Rev..

[30]  R. Est,et al.  Technology Assessment, Analytic and Democratic Practice , 2012 .

[31]  Christoph Sobotta,et al.  The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR , 2013 .

[32]  Gloria Gonzlez Fuster The Emergence of Personal Data Protection as a Fundamental Right of the EU , 2014 .

[33]  Paul De Hert Biometrics and the Challenge to Human Rights in Europe. Need for Regulation and Regulatory Distinctions , 2013, Security and Privacy in Biometrics.

[34]  George Huitema,et al.  The Neglected Consumer: The Case of the Smart Meter Rollout in the Netherlands , 2011 .

[35]  Serge Gutwirth,et al.  The legal construction of privacy and data protection , 2013, Comput. Law Secur. Rev..

[36]  Kjetil Rommetveit,et al.  A risk to a right? Beyond data protection risk assessments , 2016, Comput. Law Secur. Rev..

[37]  Roger Clarke,et al.  Privacy impact assessment: Its origins and development , 2009, Comput. Law Secur. Rev..

[38]  David Wright,et al.  Privacy and Ethical Impact Assessment , 2012 .

[39]  J. Bohman,et al.  Deliberative Democracy: Essays on Reason and Politics , 1997 .

[40]  L. Bygrave Data Protection Law, Approaching Its Rationale, Logic and Limits , 2002 .

[41]  K. Vries,et al.  A Bump in the Road. Ruling Out Law from Technology , 2013 .