We classified GDPR-related Smart Grid challenges based on the different concepts stemming from the GDPR chapters. These concepts are summarized in Table 1. Section 4.1 refers to the principles relating to the processing of personal data, Sect. 4.2 elaborates on the rights of the data subject and, finally, Sect. 4.3 presents the challenges linked with the obligations of controllers and processors. The controller is the GDPR entity determining the purposes for which and the means by which personal data is processed.
Table 1. Categories of challenges based on GDPR concepts
4.1 Principles Relating to the Processing of Personal Data
Lawfulness, Fairness and Transparency
The GDPR requires controllers to process personal data in a lawful manner. It entails the need for an appropriate legal basis. Art. 6 of the GDPR provides an exhaustive list of criteria for fulfilling the conditions of lawfulness. In the Smart Grid scenario two potential legal grounds for the data processing stand out as the most relevant ones: consent and contract. The performance of a contract could, for instance, be relied upon for processing electricity consumption data for billing purposes, whereas the consent might be required for conducting marketing campaigns. In all those cases the data should be collected and processed for a specific purpose and, prior to the processing, the controller should opt for the most suitable lawful ground. If there are any additional purposes of processing, a controller should obtain a separate specific and informed consent from a data subject for each of them, where the processing is consent based.
Smart Meter users can currently subscribe by giving their consent to be monitored to receive marketing offers from suppliers or be informed about the pricing policy. Even though the transmission of the personal data to third parties can contribute to the provision of extended services or to more targeted marketing offers, the data subject shall be informed of all the recipients of his or her personal data and, where required, explicitly give their consent. Such consent can be considered freely given only if it can be as easily withdrawn as it was granted. While the Smart Grid was conceived as a new field for the launch of innovative value-added services and improvement of the sustainability of our environment, the management of the consent and handling of its withdrawal, where data is transmitted across the SGAM actors and to third parties, might encounter certain technical difficulties.
Data Minimisation and Purpose Limitation
Since data minimisation and purpose limitation constitute core GDPR principles, the personal data provided should be limited to what is strictly necessary in relation to the purposes for which they are processed, for instance the performance of the contract and the supply and billing purposes. Thus, the controller must guarantee that third-party processors have the minimal amount of data needed to perform their intended processing. In contrast to other scenarios, where this usually consists in not transmitting some columns from a database, the data minimisation of energy consumption data is different and requires manipulating the time series in various ways. A usual technique is to modify the resolution of the data. For example, data with a time interval of seconds might not be needed and may be limited to hourly readings or be collected for the whole day or week. Some works suggest that a half-an-hour frequency is sufficiently reliable for most purposes and hides the operation states of most appliances [17]. However, in 2012, the European Commission recommended keeping a frequency under 15 min to “allow the information to be used to achieve energy savings” [12]. Several works explore the trade-offs between privacy and the operational needs of Smart Grid data, mainly by investigating different data resolution schemes and load shaping [2, 8, 26, 42, 43], but this research field is still considered to have many open challenges. In fact, Smart Grid data minimisation is a well-studied case of the more general problem of time series compression [9].
Data minimisation could also be performed in early phases (e.g., in the Smart Meter), considering the processing needs of the whole chain for which the data subject gave his or her consent. Failing to guarantee data minimisation is non-compliant with the GDPR and can expose controllers to fines. In addition, it could lead users to adopt techniques to preserve their privacy. Known techniques are charging and discharging batteries [41] or the use of load shaping with storage and distributed renewable energy sources [26].
Special Categories of Data
While weather conditions remain a typical influential factor in predicting energy consumption, data fusion can contribute to more effective Smart Grid data analysis. For example, personal energy consumption prediction and forecasting can be enhanced if other data sources are combined with energy consumption histograms. The cumulative analysis of other data sources, containing various information about a data subject (location, age, gender, socio-economic parameters like the income level, employment status, educational level, whether they are property owners, the number and type of appliances) can help to establish a correlation between electricity consumption and personal habits. On the basis of precise energy consumption details, further assumptions can be made with regard to more sensitive aspects of personal life, such as religious beliefs and practices [12]. According to Art. 9 of the GDPR, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs etc. is prohibited (with specific exceptions). Whereas the intense analysis of multiple data sources can improve the quality of energy services, it is crucial to strike the right balance between the legitimate interests of controllers and the fundamental right to the protection of personal data. Several studies try to identify which variables are worth using for the different analyses [19, 25, 31]. While some of these data sources might be discarded, others might be highly valuable for providing better or new services.
As mentioned before, energy consumption is relevant information for fulfilling the promises of the IoT. This way, the devices can decide when to charge, operate, or shut down, to be more cost and energy efficient. The automatic and unsupervised use of this data by the inter-connected devices can be problematic. The Smart Meter can be an inter-connected actor providing energy consumption measurements as well as other data, such as the current pricing policy, to other actors. Though coordination mechanisms between machines can be established, devices might disclose data or transfer data without consent (e.g., to the manufacturers). IoT manufacturers are very diverse and it is not possible to control at the design stage which devices will be part of this configurable or self-configurable network. Still, they might need to transfer data between them (e.g., to accomplish their mission or to provide better and more efficient services), with the consequence of complicating the consent management for the data subjects each time a new device is added. The interconnected devices should be able to negotiate, preferably without human intervention, to make these networks efficient and self-managed. In addition, while the Smart Meter might be related to the controller for the energy consumption and the energy pricing policies, other IoT devices might be related to the controllers of other types of personal data, which will need to be aggregated to provide new or enhanced services.
4.2 Rights of the Data Subject
Right to Information About Processing Operations
The right to information about processing operations is crucial for the exercise of all the other data subject’s rights. If customers of the Smart Grid are not informed about processing operations over their data at the time of its collection, they will never be aware of the use of their personal data. The lack of information will prevent them from eventually taking further decisions and actions (e.g., asking for its erasure). The GDPR stipulates that the controller shall take all the appropriate measures to inform the data subject about processing related to his or her personal data. This information shall include the contact information of the controller, the purposes of the processing operations, their legal basis and also the recipients of this personal data, if any. The data subject shall also be informed if there are any intentions to transfer personal data to third parties. This information shall be provided free of charge and without undue delay. Since not all SGAM actors are known in advance, especially because of the dynamic ecosystem of third parties, it might be difficult to manage the information obligation under the GDPR.
Right to Access by the Data Subject and Right to Erasure
Upon a data subject’s request, it is technically challenging to guarantee the access to (Art. 15 of the GDPR) and removal (Art. 17) of the energy consumption information from all the Smart Grid actors. As in many other scenarios, the processing chain is complex, and coordinating the processing actors and validating a complete access or removal might require complex operations. While there is a legal permission to keep consumption data for billing purposes, there might be difficulties with managing and separating different data sets. Therefore, the removal will have to take into account when, how and which data should be removed from each processing party. In the context of third parties related to the IoT, there might be connectivity issues that disconnect the controller from a device for long periods of time, making the actual and timely access to and removal of the personal data difficult.
Right to Data Portability
Art. 20 of the GDPR provides for the right to data portability. When a data subject wants to change his or her electricity provider, data portability must allow personal data to be transferred directly to a new company in a practical and simple way for the end user. This might include the history of energy consumption. Also, prior to the selection of a new company as a supplier (initiated by the user), the new potential supplier might need to perform an analysis of the personal data to identify the best personalised offer. There is a risk that companies may try to hide the access to personal data from competitors. To overcome this issue, a typification of consumption profiles (e.g., standardizing a predefined list of profiles) would contribute to data portability and provide a certain degree of data minimisation.
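The following Python script is an added illustration of the typification idea above; it is example code written for this discussion, not code from the paper or from any supplier. It assumes half-hourly readings (48 slots per day, the resolution discussed in Sect. 4.1), a hypothetical predefined list of four daily load-shape templates, and a constructed household history. The record that the outgoing supplier hands over then carries a profile label and totals rather than the raw series, which is the minimised form of portability the text suggests.

```python
"""Constructed example: typify a half-hourly consumption history into one of a
predefined list of daily load profiles and build a minimised portable record.
The profile templates, thresholds and the sample history are invented for this
illustration; they are not a standard or real meter data."""
import math

SLOTS = 48  # half-hourly slots per day (assumption: the 30-min resolution of Sect. 4.1)


def _template(peaks):
    """Build a normalised daily shape: baseline weight 1 in every slot, plus the
    given extra weight over each (start, end) slot range, scaled to sum to 1."""
    weights = [1.0] * SLOTS
    for start, end, extra in peaks:
        for slot in range(start, end):
            weights[slot] += extra
    total = sum(weights)
    return [w / total for w in weights]


# Hypothetical predefined profile list (slot 0 = 00:00-00:30, slot 36 = 18:00-18:30).
PROFILES = {
    "flat": _template([]),
    "morning_peak": _template([(12, 18, 3.0)]),   # 06:00-09:00
    "evening_peak": _template([(36, 44, 3.0)]),   # 18:00-22:00
    "night_heating": _template([(0, 12, 2.0)]),   # 00:00-06:00
}


def daily_shape(readings):
    """Average the history (kWh per slot) over whole days and normalise to sum 1,
    so that only the shape of the day remains, not the absolute consumption."""
    if not readings or len(readings) % SLOTS != 0:
        raise ValueError("history must be a whole number of days of 48 slots")
    days = len(readings) // SLOTS
    avg = [sum(readings[d * SLOTS + s] for d in range(days)) / days for s in range(SLOTS)]
    total = sum(avg)
    if total <= 0:
        raise ValueError("history contains no consumption")
    return [x / total for x in avg]


def classify(shape, profiles=PROFILES):
    """Nearest predefined template by Euclidean distance over the 48 slots."""
    return min(profiles, key=lambda name: math.dist(shape, profiles[name]))


def portable_record(readings):
    """What is transferred to the new supplier: a profile label and totals.
    The raw half-hourly series is not part of the record."""
    shape = daily_shape(readings)
    days = len(readings) // SLOTS
    total = sum(readings)
    return {
        "profile": classify(shape),
        "days": days,
        "total_kwh": round(total, 3),
        "avg_daily_kwh": round(total / days, 3),
    }


def synthetic_history(days, base_kwh=0.1, evening_kwh=0.6):
    """Constructed household: constant base load plus extra use 18:00-22:00."""
    day = [base_kwh + (evening_kwh if 36 <= s < 44 else 0.0) for s in range(SLOTS)]
    return day * days


if __name__ == "__main__":
    history = synthetic_history(7)
    print("raw readings handed over:", 0)
    print("portable record:", portable_record(history))
```

The distance-to-template step is deliberately simple; a real profile list would be agreed across suppliers and validated against consumption data, but the structure of the record (label plus totals) is what provides the minimisation.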
The Right Not to be Subject to a Decision Based Solely on Automated Processing
As set out in Art. 22(1) of the GDPR, the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her. The wording of this provision is not straightforward and may be subject to divergent interpretations, for instance, with regard to its scope of application. The application of this provision to the Smart Grid scenario requires a detailed analysis of all the uses of personal data for profiling considerations. Moreover, there is a need to check whether a data subject might be legally affected by any decisions taken without human intervention and based solely on automated processing.
Profiling is probably the most direct use of the personal data regarding energy consumption, and highly personalised marketing is one of its most obvious commercial uses. One of the main objectives of customised advertising is to create personal profiles and cluster them to maximise the profitability of commercial actions. Apart from that, profiling and monitoring could leave the door open to other kinds of uses, such as deriving sensitive personal data or targeted monitoring. All these examples interfere with the right to privacy and the right to self-determination. In the Smart Grid scenario, profiling can meet the requirement of lawfulness if it is necessary for the performance of a contract between the data subject and an electricity provider, or if it is based on the data subject’s explicit consent, as provided in Art. 22(2) of the GDPR.
Manufacturers are interested in knowing how people use their appliances. Each appliance has an electricity load signature whose shape can be used to differentiate it from other appliances. For example, in Fig. 1 we observed a peak corresponding to a dryer, and smaller, periodic peaks corresponding to a fridge. If the appliance can be configured by the user or if the circumstances change, this signature can be modified to some extent. Thus, it is possible to know not only which appliances exist, but also how the residents use them. Newborough and Augood [35] illustrated this fact by showing the difference in the load signatures of the same washing machine using a 40 ℃ cycle and an 85 ℃ cycle.
This practice of using energy consumption and appliance load signatures for nonintrusive load monitoring (NILM), or nonintrusive appliance load monitoring (NIALM), was already identified as problematic regarding privacy when the technologies enabling it started to appear [20]. As another example of how personal preferences can be obtained, automatic analysis of time series was used by Greveler et al. [18] to show how the information about which TV channel is being watched can be disclosed through Smart Meter power usage profiles. Given the brightness of the TV screen, a consumption prediction model can be defined for each channel and compared with the actual consumption. This research concluded that a sample taken every 0.5 s during five minutes is in many cases sufficient to identify the viewed content. Thus, the interests of a person can be inferred through the viewed content and used for professional or commercial purposes.
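The following Python script is an added example (written for this discussion, not code from the paper or the cited works) that ties the resolution-based data minimisation of Sect. 4.1 to the appliance-signature problem described here. It constructs a one-second consumption trace with a constant base load, a periodic fridge cycle and a single dryer run (all values are invented), counts the on/off steps that a simple threshold detector can find, and then repeats the count after the trace has been reduced to 15-, 30- and 60-minute averages. The detector is only a yardstick for how much appliance structure survives each resolution; total energy, which billing needs, is preserved at every resolution.

```python
"""Constructed example: effect of resolution-based data minimisation on a
naive appliance-event detector. Loads, cycle lengths and thresholds are made
up for illustration; this is not real Smart Meter data."""
from statistics import mean

SAMPLE_S = 1  # the constructed raw trace has one reading per second


def synthetic_day(base_w=200, fridge_w=120, fridge_period_s=1800,
                  fridge_on_s=600, dryer_w=2500, dryer_start_s=36300,
                  dryer_len_s=3600):
    """Build a 24 h trace in watts: constant base load, a fridge that runs
    fridge_on_s out of every fridge_period_s, and one dryer run."""
    trace = []
    for t in range(0, 86400, SAMPLE_S):
        watts = base_w
        if (t % fridge_period_s) < fridge_on_s:
            watts += fridge_w
        if dryer_start_s <= t < dryer_start_s + dryer_len_s:
            watts += dryer_w
        trace.append(watts)
    return trace


def downsample(trace, interval_s, sample_s=SAMPLE_S):
    """Minimise the trace to one average reading per interval_s seconds.
    This is the 'modify the resolution' technique: only the per-interval mean
    is kept, never the second-by-second readings."""
    n = interval_s // sample_s
    return [mean(trace[i:i + n]) for i in range(0, len(trace), n)]


def step_events(trace, min_step_w=100):
    """Naive appliance-event detector: count consecutive readings whose
    difference is at least min_step_w. Used only to measure how much
    switching structure survives a given resolution."""
    return sum(1 for a, b in zip(trace, trace[1:]) if abs(b - a) >= min_step_w)


def energy_kwh(trace, sample_s):
    """Total energy of the trace; what billing needs, preserved by averaging."""
    return sum(trace) * sample_s / 3600 / 1000


def event_survey(trace, intervals=(1, 900, 1800, 3600)):
    """Map each candidate resolution (seconds) to the detector's event count."""
    return {iv: step_events(downsample(trace, iv)) for iv in intervals}


if __name__ == "__main__":
    raw = synthetic_day()
    for interval, events in event_survey(raw).items():
        coarse = downsample(raw, interval)
        print(f"{interval:5d} s resolution: {len(coarse):6d} readings, "
              f"{events:3d} step events, {energy_kwh(coarse, interval):.2f} kWh")
```

With these constructed values the fridge's 48 daily cycles are fully absorbed by the 30-minute averages (the trace becomes flat outside the dryer window), while the dryer run, being a large load lasting an hour, still stands out at every resolution; this is the sense in which a coarser resolution hides the operation states of most, but not all, appliances.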
4.3 Obligations of Controllers and Processors
Data Protection by Design and by Default and Security of Processing
According to Art. 24 and 32 of the GDPR, the controller and processor should implement all the necessary technical and organisational measures to ensure the protection of personal data and an appropriate level of security. Moreover, in its Art. 25, the GDPR emphasises the principle of data protection by design and transforms it into a cornerstone obligation of the software development process. However, it is difficult to translate the legal rules into effective technical safeguards. Nevertheless, the security of energy networks is closely intertwined with risks to the fundamental rights to data protection and privacy. Principles for privacy by design in the Smart Grid context, and aspects that Smart Grid technologies should consider regarding privacy, have been a subject of study [3]. The Smart Meters constitute a part of a massive “attack surface” and are exposed to security failures [12]. The TACIT project [44] studied the different cyber-attacks that can take place in a Smart Grid scenario. As electricity supply impacts other critical infrastructures, the cybersecurity threat to the energy sector has an effect on the whole society. Addressing data protection considerations from the design of the meters, and from all the SGAM levels, can contribute to a stronger cybersecurity.
Cyber-attacks have caused important problems for the energy sector, and the European Union has tried to address the issue with the Network and Information Security (NIS) Directive [13], which increases the harmonisation of the national laws of Member States. However, since the directive requires transposition into national laws, some discrepancies across the EU might still remain. While the directive also applies to the energy sector and contains in its annex a list of energy sector organisations that could be considered operators of essential services, it does not specify the appropriate measures and risk mitigation strategies that should be taken in order to reinforce security. According to Art. 4(1) of the NIS Directive, a risk is “any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems”. Therefore, energy providers should implement a threat and risk management system, establish an effective incident response network, improve resilience to cyber-attacks and ensure technical and human intervention in order to address such issues [10]. Moreover, the European Commission has provided the Smart Grid industry with recommendations on how to perform data protection impact assessments [14].
Convergent security analysis (physical and digital) is needed to guarantee the security of the processing of personal data as referred to in Art. 32 of the GDPR. NIST [36] refers to it as combined cyber-physical attacks, and they can also raise privacy concerns. Smart Meters are usually located in a place shared by several apartments. As examples of security threats in a Smart Grid scenario, we can mention physically accessing the Smart Meter, watching the visible display with the counter, observing the residence or identifying the names on the post boxes. These are actions that can reveal the mapping between energy consumption and the associated person. Less populated areas present more technical problems regarding these threats. Smart Meters do not need visible displays, but they are equipped with them. They usually include a LED which blinks faster when the power consumption is higher. This could be used not only to guess the power consumption, but also to associate a Smart Meter with a person if the physical observation of the residence can be linked with the visible displays or the blinking of the LED to single out an apartment. While this kind of activity seems more related to the sophisticated preparation of criminal activities, its usage for professional or commercial purposes cannot be ruled out. Also, the operators from the distributor or the supplier have access to various personal information, so privacy adherence by operating personnel must be guaranteed.
Even if the Smart Meters themselves are fully compliant with the law, their connection to other devices makes them more vulnerable. Vulnerability is exacerbated by the low security standards implemented on some IoT devices [1], so manufacturers should provide stronger safeguards from the design stage. Recall that controllers are obliged to choose manufacturers that provide privacy-friendly solutions. Personal data within IoT devices can be available to persons that are not authorised for it, and without the consent of the data subject. Also, Cyber-Physical Systems (CPS) [39] are highly present in the Smart Grid, and it is considered that security and privacy are hindering the development of CPS in the Smart Grid context, since user actions can be monitored or derived from the data that CPS manage [24].
Data Breach Management
Cybersecurity risks include data breaches, which can happen in any information system dealing with personal data. However, there is a special aspect regarding the Smart Grid, related to the fact that data subject privacy might have less priority than energy availability. Provided that such measures are proportionate and transparent, public safety will often overrule the protection of personal data. For example, Denial-of-Service (DoS) attacks (e.g., sending large amounts of data so that the device is overloaded and incapable of answering legitimate requests) are given higher priority than man-in-the-middle/sniffing attacks and intrusions into the servers [44]. DoS has higher priority because the availability of electricity is safety-critical. Safety-critical systems are those whose failure can cause injury or death to people or harm to the environment in which they operate [27]. In other scenarios, such as a non-critical web page providing some services, a data breach can be stopped by shutting down the service until the security patch is in place. In the Smart Grid, shutting down the availability of electricity can have uncontrolled or catastrophic consequences (e.g., hospitals or other critical infrastructures connected to the Smart Grid might be affected).
The trade-offs between disclosing personal data and cutting off the electricity should be investigated with appropriate risk assessments (e.g., the Data Protection Impact Assessment mentioned in the GDPR). In a hypothetical case of a data breach, a higher priority may be given to the availability of the service. Microgrid operations or islanding (autonomously providing power to a location without being connected to the main electrical grid) are being investigated to mitigate cyber-attacks and cascading effects [3, 11, 36]. Additionally, operators are asked to report incidents that affect the security, integrity and confidentiality of the service, if such incidents have a significant disruptive effect on the provision of an essential service. Regarding personal data disclosure, the impact on data subjects will need to be assessed, and data subjects or authorities will need to be informed depending on the risk assessment and the severity of the risk.