Smart Grid Challenges Through the Lens of the European General Data Protection Regulation
The General Data Protection Regulation (GDPR) was conceived to remove the obstacles to the free movement of personal data while ensuring the protection of natural persons with regard to the processing of such data. The Smart Grid has similar features as any privacy-critical system but, in comparison to the engineering of other architectures, has the peculiarity of being the source of energy consumption data. Electricity consumption constitutes an indirect means to infer personal information. This work looks at the Smart Grid from the perspective of the GDPR, which is especially relevant now given the current growth and diversification of the Smart Grid ecosystem. We provide a review of existing works highlighting the importance of energy consumption as valuable personal data as well as an analysis of the established Smart Grid Architecture Model and its main challenges from a legal viewpoint, in particular the challenge of sharing data with third parties.
Keywords: Smart Grid, Privacy, Data protection, Personal data, GDPR
The General Data Protection Regulation (GDPR) came into force on the 25th of May 2018. The GDPR ensures the protection of natural persons with regard to the processing of their personal data and guarantees the free movement of such data provided that the appropriate safeguards are applied. The GDPR finds its legal basis in Article 16 of the Treaty on the Functioning of the European Union (TFEU), which reads as follows: “Everyone has the right to the protection of personal data concerning them”. The definition of personal data has always been an issue of controversy and includes factors related to the “physical, physiological, genetic, mental, economic, cultural or social identity of natural persons” (Art. 4(1) of the GDPR).
In the present paper, we focus on the Smart Grid, an ecosystem of hardware- and software-intensive systems with a large diversity of stakeholders. The Smart Grid is a world-wide solution towards a more reliable, efficient and sustainable electrical grid. Electricity distributors and suppliers are experiencing profound changes in their business where manually reading or reconfiguring electricity meters is no longer valid. Smart Meters automatically register and transmit the data through the Power Line Carrier (PLC) or wireless connections to data concentrators and central systems using Meter Data Management (MDM) Systems. Also, several services can be remotely applied such as changing the pricing policy or activating or deactivating the electrical service.
All the stakeholders in the value chain can benefit from the Smart Grid: End users are empowered through near real-time information (24 h per day, 7 days a week) that they can use to adjust their consumption or to identify a more appropriate pricing policy. Suppliers can perform profiling and provide innovative and personalized pricing policies that can be beneficial to avoid consumption peaks or waste of energy. Distributors have an effective tool to better monitor and manage their networks. In addition, smart metering promises to enable “prosumers” (both producers and consumers of energy) to be more easily rewarded for their contribution. The market around the Smart Grid includes big companies but also SMEs acting as distributors or suppliers as well as a dynamic ecosystem of third parties providing value-added services.
Data processed in a Smart Meter includes more than one thousand parameters and metrics such as the quality of the signal, but the main one is the electricity consumption, which is transmitted at very small intervals of time. That was not the case before the establishment of the Smart Grid, where the electricity consumption was measured with low frequency (e.g., on a monthly basis). The privacy-related issues mainly arise now when instantaneous data can be taken. Energy consumption can be used for guessing the data subject’s habits, creating a personal behaviour profile, deducing personal and socioeconomic information, listing the existing electrical equipment and monitoring their usage, or guessing the presence, absence or current activity of the residents [5, 45]. Therefore, energy consumption measurements can be considered personal data in the meaning of Art. 4(1) of the GDPR with great potential to be processed, solely or in combination with other data, for “professional or commercial activities” (Recital (18) of the GDPR). Actually, the EU Electricity Directive (amended in 2019) explicitly mentions the requirement that smart meters must comply with the EU’s data protection rules, and the Supreme Court of an EU Member State (Spain) recognized electricity consumption data as personal data. Exploiting behavioral data through the Smart Grid can be motivated mainly by financial or political reasons, and a list of privacy harms and their categories is available.
Other personal data such as the address, contact details, bank accounts etc. can be found in the Smart Grid context. However, these data mainly appear in administrative or organizational processes such as the billing process of distributors, suppliers and third parties. These cases fall in the general category of privacy issues for information technology services. The aspect that makes the Smart Grid special regarding privacy concerns is the energy consumption, the possibility to associate it with a data subject, and the consequences of disclosing these personal data or its usage without explicit consent.
The methodology of this work consisted of several iterations to create and refine the content with Smart Grid and GDPR experts (both researchers and practitioners) from the European PDP4E project consortium (Methods and tools for GDPR compliance through Privacy and Data Protection Engineering), the Digital Lab, the Digital Energy, and the Digital Trust Technologies area at Tecnalia, as well as legal experts from the KU Leuven Centre for IT & IP Law, along with a literature review using the snowballing approach.
This paper is structured as follows: Sect. 2 presents background information. Then, Sect. 3 provides our analysis of the Smart Grid Architecture Model regarding the GDPR. Section 4 elaborates on the legal and technical challenges. Finally, Sect. 5 concludes this work and outlines future research objectives.
2 Background on the Smart Grid
2.1 Electricity Consumption Data
Electricity consumption is usually represented as a time series where time is presented on the horizontal axis and the energy consumption (in watts) is presented on the vertical axis. The shape of the time series will then be defined by the appliances used or not used in the daily lives of residents. Several techniques for time series analysis can be performed such as time series classification or forecasting. For more examples on time series analyses, a taxonomy of Smart Meter data analytics is available. Figure 1 is an illustrative example of a time series from the Google Power Meter project (discontinued in 2011) which, once integrated with Smart Meters and with the appropriate consent, allowed users to record and visualise their own electricity consumption. We can observe how load signatures (e.g., consumption pattern of the dryer, fridge etc.) can be identified.
The simultaneous use of several appliances can make it difficult to automatically analyse time series (e.g., accumulative effect of energy consumption). However, this effect can be minimized if the load signatures were isolated at some point in time or through approximation techniques. A review by Wang et al. of Smart Meter Data Analytics presents different applications of this data, and ten open data sets of Smart Meter data.
2.2 The Smart Grid Architecture Model
Domains (Generation, Transmission, Distribution, Distributed Electrical Resources (DER) and Customer Premises),
Zones (Process, Field, Station, Operation, Enterprise and Market), and
Interoperability layers (Component, Communication, Information, Function and Business).
As mentioned in Sect. 1, Smart Meters have drastically changed the electric power industry. Notably, the SGAM Information and Communication layers now have much more importance than in the era when the meters were not highly and continuously connected. Compared to the other layers, these two layers are not yet completely mature, so crosscutting concerns such as security have inevitably gained relevance.
2.3 Normative Spaces
The International Electrotechnical Commission created and maintains a standards map using the SGAM as the reference conceptual framework. It currently contains information about 512 standards categorized in 16 component-related clusters. In addition, for each component, several use cases and examples are included. The standards map identifies 4 crosscutting functions: Telecommunication, Security, Electromagnetic Compatibility (EMC), and Power Quality. Another crosscutting aspect related to security is privacy, which is the focus of this work.
The European Smart Grids Task Force Expert Group for Standards and Interoperability produced an interim report on My Energy Data, where Energy Data services were identified as subject to the GDPR. They also analysed the diversity of Smart Grid setups in different countries with respect to privacy. Our aim is to provide a general view without a special focus on country specificity. The Smart Grid Task Force also provides guidance for conducting Privacy Impact Assessment (PIA) and prepared Data Protection Impact Assessment Templates for Smart Grid and Smart Metering systems. Regarding standards, a survey identified ten standards related to privacy in the Smart Grid. The two of high relevance are NISTIR 7628 [36, 37], and NIST SP 800-53. NISTIR 7628 is also mentioned as the reference for security requirements for device access control and message protection in the Task Force of Privacy and Security approach at the Smart Meters Co-ordination Group.
3 Natural Persons Identifiers and Energy Consumption Through the SGAM Layers
This section presents an analysis of how the identifier of the data subject and its energy consumption is used through the technical infrastructure and stakeholders of the Smart Grid.
3.1 Component and Communication Layers
PLC does not perform well in data transmission over long distances; thus, in case of remote locations, more expensive solutions should be put in place such as Point-to-Point (P2P) protocols to send the data directly to the HES without the need of DDCs. To communicate with the HES, the DDC might use PLC, General Packet Radio Service (GPRS), other radio protocols, Digital Subscriber Lines (xDSL) or Fiber Optics. The HES communicates with the Distribution Management System (DMS) to receive the aggregated reports. Approximately, a DMS exists at national scale for each distributor. Then, already in the Enterprise SGAM zone, the DMS communicates with the Customer Relationship Management (CRM) system. The CRM system is responsible for managing and analysing the interactions with customers. The CRM communicates with the Meter Data Management System (MDMS) of the electric distributor. This MDMS is responsible for storing, managing, and analysing the vast amount of data generated in the Smart Grid. For more details we refer to a survey on Advanced Metering infrastructures. A huge variety of other systems that do not belong to the traditional distributor and supplier actors of the SGAM appear as third parties completing the ecosystem. The MDMS can communicate with these third parties to enable or complement third-party services.
Regarding the communication, the data is encrypted (e.g., AES 128) and Smart Meter devices that transmit unencrypted data are being replaced. Privacy-preserving data aggregation schemes are also being investigated to prevent the inference of electricity consumption information of specific customers when the data is aggregated. The arrows in Fig. 3 are bidirectional because central systems can remotely monitor and operate in the Smart Meter through these protocols (e.g., to respond to customer requests in real-time, to change date/hour, to modify the tariff or power demand threshold). In Fig. 3, close to the Smart Meter device, the auxiliary equipment is another possible component which might directly communicate with the MDMS or with third parties. For instance, in the UK, the communication from the Smart Meter auxiliary equipment with the supplier is direct through radio, replacing the need of DDCs, HES etc. Also, electricity users can decide and consent to add auxiliary equipment to enable third-party services. This way, third parties can obtain the data without the electric distributor.
3.2 Information Layer
From the Field SGAM zone where the Smart Meter is located, the information moves to the Station and Operation zones where the identifiers and energy consumption data are aggregated with those of other users. Then, at the Enterprise zone, as part of the billing process, both the distributor and the supplier have the customers’ physical address, the energy consumption metrics, and the smart meter identifier. Distributors and suppliers process personal data and they might transmit this information to third parties. As we can observe, the information traverses several SGAM zones, complicating the data lineage (term used to designate the management and traceability of the data life-cycle). Figure 4 shows a coarse granularity of the information flow. The presented steps could be largely expanded using more detailed Data Flow Diagrams (DFD) with privacy-related information on specific organizational and technological settings. However, the presented information is sufficient for the understanding of the challenges.
3.3 Function and Business Layers
A Spanish study on the access to the electric power consumption of Smart Meters and its access and usage by third parties lists more than forty companies offering services from power consumption data. Some of them use the Smart Meter from the distributor/supplier, while others offer submetering, which means the use of their own auxiliary equipment as mentioned in Sect. 3.1.
Other third parties can be related to the Internet of Things (IoT). The IoT paradigm extends physical devices and traditional real-life objects with Internet connectivity, sensors to get information about their context, and with the capacity to communicate and interact with other devices and objects to provide services. These dynamic IoT networks and the use of power consumption data are intended to unleash the promises of the Smart House or the Smart City. IoT also complicates the data lineage and the use of privacy technologies, given the heterogeneity, potential mobility, and usually limited resources of IoT devices and objects.
As we have explained in Sect. 2.3, several normative spaces are placed in the different SGAM domains and zones and privacy is a prevalent topic among them. The SGAM business layer also includes normative spaces, so we included the GDPR as a legal act impacting all zones and domains, except the electricity generation and transmission domains, as they are unrelated to individuals. Other privacy-related normative spaces will be similarly positioned.
Categories of challenges based on GDPR concepts
Principles relating to the processing of personal data
- Lawfulness, fairness and transparency
- Data minimisation and purpose limitation
- Special categories of data
Rights of the data subject
- Right to information about processing operations
- Right to access by the data subject and right to erasure
- Right to data portability
- The right not to be subject to a decision based solely on automated processing
Obligations of controllers and processors
- Data protection by design and by default and the security of processing
- Data breach management
4.1 Principles Relating to the Processing of Personal Data
Lawfulness, Fairness and Transparency
The GDPR requires controllers to process personal data in a lawful manner. It entails the need for an appropriate legal basis. Art. 6 of the GDPR provides an exhaustive list of criteria for fulfilling the conditions of lawfulness. In the Smart Grid scenario two potential legal grounds for the data processing stand out as the most relevant ones: consent and contract. The performance of a contract could, for instance, be relied upon for processing electricity consumption data for billing purposes, whereas the consent might be required for conducting marketing campaigns. In all those cases the data should be collected and processed for a specific purpose and, prior to the processing, the controller should opt for the most suitable lawful ground. If there are any additional purposes of processing, a controller should obtain a separate specific and informed consent from a data subject for each of them, where the processing is consent based.
Smart Meter users can currently subscribe by giving their consent to be monitored to receive marketing offers from suppliers or be informed about the pricing policy. Even though the transmission of the personal data to third parties can contribute to the provision of extended services or to more targeted marketing offers, the data subject shall be informed of all the recipients of his or her personal data and, where required, explicitly give their consent. Such consent can be considered freely given only if it can be as easily withdrawn as it was granted. While the Smart Grid was conceived as a new field for the launch of innovative value-added services and improvement of the sustainability of our environment, the management of the consent and handling of its withdrawal, where data is transmitted across the SGAM actors and to third parties, might encounter certain technical difficulties.
Data Minimisation and Purpose Limitation
Since data minimisation and purpose limitation constitute the core GDPR principles, the personal data provided should be limited to what is strictly necessary in relation to the purposes for which they are processed, for instance for the performance of the contract, and for the supply and billing purposes. Thus, the controller must guarantee that third-party processors have the minimal amount of data to perform their intended processing. In contrast to other scenarios where this usually consists in not transmitting some columns from a database, the data minimisation of the energy consumption is different and requires manipulating the time series in different ways. A usual technique is to modify the resolution of the data. For example, the data with a time interval of seconds might not be needed and may be limited to each hour or be collected for the whole day or week. Some works suggest that a half-an-hour frequency is sufficiently reliable for most purposes and hides the operation states of most of the appliances. However, in 2012, the European Commission recommended keeping a frequency under 15 min to “allow the information to be used to achieve energy savings”. Several works explore the trade-offs between privacy and the operational needs of Smart Grid data mainly by investigating different data resolution schemes and load shaping [2, 8, 26, 42, 43], but this research field is still considered to have many open challenges. In fact, the Smart Grid data minimisation is a well-studied case study for the more general problem of time series compression.
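The resolution change described above, worked through on a constructed trace (an added example, not code from the paper): a one-minute household load is averaged into 15-, 30- and 60-minute intervals, and for each resolution the billed energy and the number of visible appliance switching steps are reported. The appliance wattages, their schedule and the 50 W step threshold are assumptions chosen for illustration.

```python
"""Added example: resolution-based data minimisation of a smart-meter trace."""

MINUTES_PER_DAY = 24 * 60


def constructed_trace():
    """Constructed 24 h household load in watts, one reading per minute.

    All wattages and schedules are invented sample values.
    """
    trace = []
    for minute in range(MINUTES_PER_DAY):
        watts = 150                      # standby base load
        if minute % 40 < 10:
            watts += 120                 # fridge compressor: 10 min in every 40
        if 452 <= minute < 455:
            watts += 2000                # kettle: 3 min starting 07:32
        if 1140 <= minute < 1185:
            watts += 2500                # dryer: 45 min starting 19:00
        trace.append(watts)
    return trace


def downsample(readings, factor):
    """Replace each run of `factor` readings by its mean power.

    Averaging (rather than dropping samples) keeps the energy total intact,
    so the coarser series is still sufficient for billing.
    """
    if factor < 1 or len(readings) % factor:
        raise ValueError("factor must be >= 1 and divide the number of readings")
    return [sum(readings[i:i + factor]) / factor
            for i in range(0, len(readings), factor)]


def energy_wh(series, interval_minutes):
    """Energy in watt-hours of a mean-power series with the given interval."""
    return sum(series) * interval_minutes / 60


def switching_events(series, min_step_w):
    """Count steps between adjacent samples of at least `min_step_w` watts.

    Such steps are the raw material of load-signature analysis, so the count
    serves here as a simple proxy for how much appliance behaviour is exposed.
    """
    return sum(1 for a, b in zip(series, series[1:]) if abs(b - a) >= min_step_w)


def minimisation_report(readings, intervals=(1, 15, 30, 60), min_step_w=50):
    """Per-resolution sample count, billed energy and visible switching steps."""
    report = {}
    for interval in intervals:
        series = downsample(readings, interval)
        report[interval] = {
            "samples": len(series),
            "energy_wh": energy_wh(series, interval),
            "switching_events": switching_events(series, min_step_w),
        }
    return report


if __name__ == "__main__":
    for interval, row in minimisation_report(constructed_trace()).items():
        print(f"{interval:>2} min  samples={row['samples']:>4}  "
              f"energy={row['energy_wh']:.0f} Wh  "
              f"switching events={row['switching_events']}")
```

On this trace the billed energy is identical at every resolution, while the fridge cycle stops producing visible steps at 30 minutes; the 45-minute dryer run still stands out at 60 minutes, so resolution alone does not hide long, high-power loads.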
Data minimisation could also be performed in early phases (e.g., in the Smart Meter) considering the needs of processing in the whole chain for which the data subject gave his or her consent. Failing to guarantee data minimisation can expose the controllers to fines as it is non-compliant with the GDPR. In addition, it could have the consequence that users start adopting techniques to preserve their privacy. Known techniques are charging and discharging batteries or the use of load shaping with storage and distributed renewable energy sources.
Special Categories of Data
While weather conditions remain a typical influential factor in predicting energy consumption, data fusion can contribute to more effective Smart Grid data analysis. For example, personal energy consumption prediction and forecasting can be enhanced if other data sources are combined with energy consumption histograms. The cumulative analysis of other data sources, containing various information about a data subject (location, age, gender, socio-economic parameters like the income level, employment status, educational level, whether they are property owners, the number and type of appliances) can help to establish a correlation between electricity consumption and personal habits. On the basis of precise energy consumption details some further assumptions can be made with regard to more sensitive aspects of personal life, such as religious beliefs and practices. According to Art. 9 of the GDPR, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs etc. is prohibited (with specific exceptions). Whereas the intense analysis of multiple data sources can improve the quality of energy services, it is crucial to strike the right balance between legitimate interests of controllers and the fundamental right to protection of personal data. Several studies are trying to identify which are the relevant variables that are worthy to use for the different analyses [19, 25, 31]. While some of these data sources might be discarded, others might be highly valuable for providing better or new services.
As mentioned before, energy consumption is relevant information to satisfy the promises of the IoT. This way, the devices can decide when to charge, operate, or shut down, to be more cost and energy efficient. The automatic and unsupervised use of this data by the inter-connected devices can be problematic. The Smart Meter can be an inter-connected actor providing energy consumption measurements as well as other data such as the current pricing policy to other actors. Though coordination mechanisms between machines can be established, devices might disclose data or transfer data without consent (e.g., to the manufacturers). IoT manufacturers are very diverse and it is not possible to control which devices will be part of this configurable or self-configurable network at the design stage. Still they might need to transfer data between them (e.g., to accomplish their mission or to provide better and more efficient services), with the consequence of complicating the consent management for the data subjects each time a new device is added. The interconnected devices should be able to negotiate, preferably without human intervention, to make these networks efficient and self-managed. In addition, while the Smart Meter might be related to the controller for the energy consumption and the energy pricing policies, other IoT devices might be related to the controllers of other types of personal data, which will need to be aggregated to provide new or enhanced services.
4.2 Rights of the Data Subject
Right to Information About Processing Operations
The right to information about processing operations is crucial for the exercise of all other data subject’s rights. If customers of the Smart Grid are not informed about processing operations over their data at the time of its collection, they will never be aware of the use of their personal data. The lack of information will prevent them from eventually taking further decisions and actions (e.g., ask for its erasure). The GDPR stipulates that the controller shall take all the appropriate measures to inform the data subject about processing related to his or her personal data. This information shall include all the contact information about the controller, the purposes of processing operations, their legal basis and also recipients of this personal data, if any. The data subject shall be also informed if there are any intentions to transfer personal data to third parties. This information shall be provided free of charge and without undue delay. Since not all SGAM actors are known in advance, especially because of the dynamic ecosystem of third parties, it might be difficult to manage the information obligation under the GDPR.
Right to Access by the Data Subject and Right to Erasure
Upon a data subject’s request, it is technically challenging to guarantee the access to (Art. 15 of the GDPR) and removal (Art. 17) of the energy consumption information from all the Smart Grid actors. As in many other scenarios, the processing chain is complex and coordinating the processing actors and validating a complete access or removal might require complex operations. While there is a legal permission to keep consumption data for the billing purposes, there might be difficulties with managing and separating different data sets. Therefore, the removal will have to take into account when, how and which data should be removed from each processing party. In the context of third parties related to the IoT, there might be connectivity issues that disconnect the controller from a device for long periods of time, making the actual and timely access and removal of the personal data difficult.
Right to Data Portability
Art. 20 of the GDPR provides for the right to data portability. When a data subject wants to change his or her electricity provider, the data portability must allow personal data to be transferred directly to a new company in a practical and simple way for the end user. This might include the history of energy consumption. Also, prior to the selection of a new company as a supplier (initiated by the user), the new potential supplier might need to perform an analysis of the personal data to identify the best personalised offer. There is a risk that companies may try to hide the access to personal data from competitors. To overcome this issue, a typification of consumption profiles (e.g., standardizing a predefined list of profiles) would contribute to data portability and provide a certain degree of data minimisation.
The Right Not to be Subject to a Decision Based Solely on Automated Processing
As set out in Art. 22(1) of the GDPR, the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her. The wording of this provision is not straightforward and may be subject to divergent interpretations, for instance, with regard to its scope of application. The application of this provision to the Smart Grid scenario requires a detailed analysis of all the uses of personal data for profiling considerations. Moreover, there is a need to check whether a data subject might be legally affected by any decisions taken without human intervention and based solely on automated processing.
Profiling is probably the most direct use of the personal data regarding energy data consumption, and highly-personalized marketing is one of its most obvious commercial uses. One of the main objectives of customized advertisement is to create personal profiles and cluster the profiles to maximize the profitability of commercial actions. Apart from that, profiling and monitoring could leave the door open to other kinds of uses such as deriving sensitive personal data or targeted monitoring. All these examples interfere with the right to privacy and the right to self-determination. In the Smart Grid scenario profiling can meet the requirement of lawfulness if it is necessary for the performance of a contract between the data subject and an electricity provider, or if it is based on the data subject’s explicit consent as provided in Art. 22(2) of the GDPR.
Manufacturers are interested in knowing how people use their appliances. Each appliance has an electricity load signature which can be used to differentiate its shape from other appliances. For example, in Fig. 1 we observed a peak corresponding to a dryer, and smaller and periodic peaks corresponding to a fridge. If the appliance can be configured by the user or if the circumstances change, this signature can be modified to some extent. Thus, it is possible not only to know the existing appliances, but also how the residents use them. Newborough and Augood illustrated this fact by showing the difference in the load signatures of the same washing machine using a 40 ℃ cycle and an 85 ℃ cycle.
This practice of using energy consumption and appliance load signatures for nonintrusive load monitoring (NILM), or nonintrusive appliance load monitoring (NIALM), was already identified as problematic regarding privacy when the technologies enabling it started to appear. As another example of how personal preferences can be obtained, automatic analysis of time series was used by Greveler et al. to show how the information about which TV channel is being watched can be disclosed through Smart Meter power usage profiles. Given the brightness of the TV screen, a consumption prediction model can be defined and used for each channel and compared with the actual consumption. This research concluded that a sample taken every 0.5 s during five minutes is in many cases sufficient to identify the viewed content. Thus, the interests of a person can be inferred through the viewed contents and used for professional or commercial purposes.
4.3 Obligations of Controllers and Processors
Data Protection by Design and by Default and Security of Processing
According to Art. 24 and 32 of the GDPR, the controller and processor should implement all the necessary technical and organisational measures in order to ensure the protection of personal data and an appropriate level of security. Moreover, in its Art. 25, the GDPR emphasises the principle of data protection by design and transforms it into a cornerstone obligation of the software development process. However, it is difficult to translate the legal rules into effective technical safeguards. Despite this, the security of energy networks is closely intertwined with risks to the fundamental rights to data protection and privacy. Principles for privacy by design in the Smart Grid context, and aspects that Smart Grid technologies should consider regarding privacy, have been a subject of study. The Smart Meters constitute a part of a massive “attack surface” and are exposed to security failures. The TACIT project studied the different cyber-attacks that can take place in a Smart Grid scenario. As electricity supply impacts other critical infrastructures, the cybersecurity threat to the energy sector has an effect on the whole society. Addressing data protection considerations from the design of the meters, and from all the SGAM levels, can contribute to a stronger cybersecurity.
Cyber-attacks have caused important problems for the energy sector, and the European Union has tried to address the issue with the Network and Information Security (NIS) Directive that increases the harmonization of national laws of Member States. However, since the directive requires the transposition into national laws, some discrepancies across the EU might still remain. While the directive also applies to the energy sector and contains in its annex a list of energy sector organisations that could be considered as operators of essential services, it does not specify the appropriate measures and risk mitigation strategies that should be taken in order to reinforce security. According to Art. 4(1) of the NIS Directive, a risk is “any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems”. Therefore, energy providers should implement a threat and risk management system, establish an effective incident response network, improve resilience to cyber-attacks and ensure technical and human intervention in order to address such issues. Moreover, the European Commission has provided the Smart Grid industry with recommendations on how to perform such data protection impact assessments.
Convergent security analysis (physical and digital) is needed to guarantee the security of processing of personal data as referred to in Art. 32 of the GDPR. NIST refers to it as combined cyber-physical attacks, and these can also affect privacy. Smart Meters are usually located in a place shared by several apartments. As examples of security threats in a Smart Grid scenario, we can mention physically accessing the Smart Meter, watching the visible display with the counter, observing the residence or identifying the names on the post boxes. These are actions that can reveal the mapping between energy consumption and the associated person. Less populated areas present more technical problems regarding these threats. Smart Meters do not need visible displays, but they are equipped with them. They usually include an LED which blinks more when the power consumption is higher. This could be used not only to guess the power consumption, but also to associate a Smart Meter with a person, if the physical observation of the residence can be linked with the visible displays or the blinking of the LED to single out an apartment. While this kind of activity seems to be more related to the sophisticated preparation of criminal activities, its use for professional or commercial purposes cannot be ruled out. Also, the operators from the distributor or the supplier have access to various personal information, so privacy adherence by operating personnel must be guaranteed.
Even if the Smart Meters themselves are fully compliant with the law, their connection to other devices makes them more vulnerable. Vulnerability is exacerbated by the low security standards implemented on some IoT devices, so manufacturers should provide stronger safeguards from the design stage. Recall that controllers are obliged to choose manufacturers that provide privacy-friendly solutions. Personal data within IoT devices can be available to persons who are not authorized to access it, and without the consent of the data subject. Also, Cyber-Physical Systems (CPS) are highly present in the Smart Grid, and it is considered that security and privacy are hindering the development of CPS in the Smart Grid context, since user actions can be monitored or derived from the data that CPS manage.
Data Breach Management
Cybersecurity risks include data breaches that can happen in any information system dealing with personal data. However, the Smart Grid has a special aspect: data subject privacy might have lower priority than energy availability. Provided that such measures are proportionate and transparent, public safety will often overrule protection of personal data. For example, Denial-of-Service (DoS) attacks (e.g., sending large amounts of data so that the device is overloaded and incapable of answering legitimate requests) have higher priority than Man-in-the-Middle/sniffing attacks and intrusion into the servers. DoS has higher priority because the availability of electricity is safety-critical. Safety-critical systems are those whose failure can cause injury or death to people or harm to the environment in which they operate. In other scenarios, such as a non-critical web page providing some services, a data breach can be stopped by shutting down the service until the security patch is in place. In the Smart Grid, shutting down the availability of electricity can have uncontrolled or catastrophic consequences (e.g., hospitals or other critical infrastructures connected to the Smart Grid might be affected).
The trade-offs between disclosing personal data and cutting off the electricity should be investigated with appropriate risk assessments (e.g., the Data Protection Impact Assessment mentioned in the GDPR). In a hypothetical case of a data breach, a higher priority may be given to the availability of the service. Microgrid operation or islanding (autonomously providing power to a location without being connected to the main electrical grid) is being investigated to mitigate cyber-attacks and cascading effects [3, 11, 36]. Additionally, operators are asked to report incidents that affect the security, integrity and confidentiality of the service, if such incidents have a significant disruptive effect on the provision of an essential service. Regarding personal data disclosure, the impact on data subjects will need to be assessed, and data subjects or authorities will need to be informed depending on the risk assessment and the severity of the risk.
We analysed the General Data Protection Regulation (GDPR) compliance challenges of the Smart Grid and presented a characterization of the Smart Grid Architecture Model layers with respect to the GDPR. We also categorized and described Smart Grid challenges with respect to GDPR concepts and principles. The GDPR is not limited to distributors’ and suppliers’ operations, but also covers the growing and diverse ecosystem of third parties providing extra services. The challenges include the large amounts of information that can be obtained from the Smart Meter via personalized profiles, the assurance and minimization of the data flows, as well as the consent management before transmitting personal data to third parties. In the Smart Grid, profiling represents substantial risks to the right to data protection, since one can single out what the person is doing every hour of the day. This is an important interference with the right to data protection, the right to privacy and the right to self-determination. As future plans, Smart Grid challenges will be addressed at a technical level, by providing tools and methods that can help in GDPR compliance.
This work is funded by the PDP4E project, H2020 European Project Number: 787034. We would like to thank all PDP4E project partners for their valuable inputs and comments, and Marta Castro and Mikel Vergara for their discussions.
- 2. Cárdenas, A.A., Amin, S., Schwartz, G., Dong, R., Sastry, S.: A game theory model for electricity theft detection and privacy-aware control in AMI systems. In: Allerton Conference on Communication, Control, and Computing, pp. 1830–1837. IEEE (2012)
- 4. CEN-CENELEC-ETSI Smart Grid Coordination Group: Smart Grid Reference Architecture (2012)
- 5. Chicco, G.: Customer behaviour and data analytics. In: 2016 International Conference and Exposition on Electrical and Power Engineering (EPE), pp. 771–779 (2016)
- 6. Consejo General del Poder Judicial: Electricity consumption data recognized as personal data by the Spanish Supreme Court (2019). http://www.poderjudicial.es/search/openDocument/36f4171fa1525d61/20190723. Accessed 3 Mar 2020
- 10. Energy Expert Cyber Security Platform: Cyber Security in the Energy Sector, Recommendations for the European Commission on a European Strategic Framework and Potential Future Legislative Acts for the Energy Sector (2017)
- 11. EU H2020: EU funding for energy beyond the “Secure, Clean and Efficient Energy” challenge (2017)
- 12. European Data Protection Supervisor: TechDispatch #2: Smart Meters in Smart Homes (2019)
- 13. European Parliament and Council: NIS Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 (2016)
- 14. European Smart Grids Task Force: Data protection Impact assessment template for smart grid and smart metering environment (2014)
- 15. European Smart Grids Task Force: My Energy Data (2016)
- 16. Google: Google PowerMeter (2011). https://en.wikipedia.org/wiki/Google_PowerMeter. Accessed 3 Mar 2020
- 18. Greveler, U., Justus, B., Loehr, D.: Multimedia content identification through smart meter power usage profiles. In: Computers, Privacy and Data Protection (CPDP) (2012)
- 19. Han, Y., Sha, X., Grover-Silva, E., Michiardi, P.: On the impact of socio-economic factors on power load forecasting. In: 2014 IEEE International Conference on Big Data, pp. 742–747 (2014)
- 22. International Electrotechnical Commission: Smart Grid Standards map. http://smartgridstandardsmap.com. Accessed 3 Mar 2020
- 23. Joyee De, S., Le Métayer, D.: Privacy harm analysis: a case study on smart grids. In: IEEE Security and Privacy Workshops (SPW), pp. 58–65 (2016)
- 24. Karnouskos, S.: Cyber-physical systems in the smartgrid. In: 2011 9th IEEE International Conference on Industrial Informatics, pp. 20–23 (2011)
- 32. Miller, F.P., Vandome, A.F., McBrewster, J.: Advanced Encryption Standard (2009)
- 34. National Institute of Standards and Technology (NIST): NIST SP 800-53 Rev. 4 Recommended Security Controls for Federal Information Systems and Organizations (2013)
- 36. NIST: NISTIR 7628: Guidelines for Smart Grid Cyber Security: Volume 2, Privacy and the Smart Grid (2014)
- 37. NIST: NISTIR 7628: Guidelines for Smart Grid Cybersecurity: Volume 1 - Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements (2014)
- 38. PDP4E Project: Methods and Tools for GDPR Compliance through Privacy and Data Protection Engineering (2018). https://www.pdp4e-project.eu. Accessed 28 June 2019
- 39. Rajkumar, R., Lee, I., Sha, L., Stankovic, J.A.: Cyber-physical systems: the next computing revolution. In: DAC, pp. 731–736. ACM (2010)
- 40. Salas, P.: Acceso a los datos de consumo eléctrico de los contadores digitales y su uso. Estudio del caso en España y propuestas de mejora para hacer posible el acceso a los datos a terceras partes (2017). https://tinyurl.com/y4gwvrud. Accessed 3 Mar 2020
- 44. TACIT Project: Threat Assessment framework for Critical Infrastructures proTection (2016). https://www.tacit-project.eu. Accessed 3 Mar 2020
- 46. Wohlin, C.: Guidelines for snowballing in systematic literature studies and a replication in software engineering. In: EASE 2014, pp. 38:1–38:10. ACM (2014)
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.