Smart grid data privacy: Chaos by design?
Automation Insight – May 2011
Debates are ongoing at the federal and state levels regarding customer privacy and data collected from smart meters. Traditionally, states are the testing ground for policy and regulation—‘chaos by design’—with federal institutions exerting influence on policy. Currently, different states are adopting different smart grid data policies. Will an approach emerge that has the consent of utilities, consumers, and regulators?
While much emphasis has been placed on the benefits of AMI / smart grid technology over the last few years, utilities are cognizant that the thorny issue of customer privacy cannot be ignored. Consumer buy-in is critically important to advance smart grid deployment: if consumers believe, rightly or wrongly, that a utility is abusing personally identifiable data, or is generally enabling the use of personal information beyond what they deem acceptable, then public opposition can quickly derail plans for AMI implementation.
What’s at stake? Access to, and the ownership of, previously unavailable information on power consumption habits of customers (residential, commercial, and industrial) that is pulled from smart meters, which of course could translate into a lucrative market for those who figure out how to capitalize on the information. Apart from the money-making potential, there are also huge costs that could arise. In some states, utilities may face customer liability claims or regulatory fines if inadequate privacy or security practices result in AMI data being used to a customer’s detriment.
If there is a consensus among consumers across the United States, it would include concerns over smart meter data privacy, the threat of identity theft, the possibility of personal behavioral patterns being recorded, and real-time surveillance reminiscent of Orwell’s famous line in 1984 that “Big Brother is watching you.”
Across the table, consensus is proving hard to achieve among policymakers on the issue of whether consumers need to authorize third-party access, how that access should be communicated, and to what extent a utility should be held liable for misuse of data if the utility is required to disclose data to an authorized third party.
The states’ debate
The state level is where the policy debate has been the most robust. Privacy rules are presently being developed in Colorado, Illinois, California, Ohio, and New York. So far, each state has taken a different approach, with varying results.
In California, Pacific Gas and Electric Company (PG&E), Southern California Edison (SCE), and San Diego Gas & Electric (SDG&E) have argued that they should not be held responsible for misuses of consumer data as long as a non-utility third party is involved. The utilities' argument is that the law does not permit the California Public Utilities Commission (PUC) to regulate entities that are not public utilities, and therefore use of the data by a third party is outside the PUC’s domain. Other issues being considered in various jurisdictions are the specific kinds of data that utilities should be allowed (or required) to disclose to third parties, and the applicable complaint process consumers should follow once disclosure of customer data has been allowed.
Colorado has taken a different approach with regard to customer consent for how customer data can be used. Last November, the Colorado PUC issued a set of proposed rules to govern how utilities handle smart meter data. The rules require utilities to get permission from their customers if they want to use the data for anything other than billing. The utilities must also get written consent to share the information with third parties. Utilities in Colorado are pushing back. They argue that they currently use customer usage data collected from smart meters and other devices for many purposes—including forecasting future sales, resource planning, and rate design—and that requiring customer consent before the utility could use information gleaned from smart meters is simply impractical.
In Illinois, the City of Naperville has prepared a “Smart Grid Bill of Rights,” in which the right to privacy is a key element. One of the tenets is that personal information will not be connected to usage data released to any third parties. The Naperville initiative is a city-based policy only and has not received the endorsement of the State of Illinois, which demonstrates the fact that privacy policymaking is occurring in various domains.
The Public Utilities Commission of Ohio (PUCO) is in the midst of evaluating written responses to an open docket (11-0277-GE-UNC), which addresses the question of whether consumer privacy can co-exist in relative harmony with emerging electric utility smart grid and advanced metering technologies. PUCO Commissioner Paul Centolella said, “the protection of privacy and promoting the smart grid will not end up being significantly inconsistent objectives. But we need to figure out how to do it.”
In Oklahoma, the recent passage of HB 1079 has created a new law in the state—the Electric Utility Data Protection Act—the purpose of which is “to establish standards to govern the access to and use of certain electric utility usage data by electric utilities, customers of electric utilities, and third parties.” Included in the ownership rights of the utility is the provision that an electric utility “may provide customer information without customer consent to affiliates and third parties who, under contract, assist the electric utility in providing regulated services or otherwise carrying out its business objectives.”
And let’s not forget our Canadian neighbors, who face similar policymaking challenges in their pursuit of smart grid deployment. In an interesting approach to the issue, Canadian utilities such as HydroOne and suppliers such as GE and IBM are working with Ontario’s Privacy Commission on a pilot project to create a new privacy policy and incorporate safeguards into product technology. HydroOne is on record stating that customer acceptance is the key to the success of household applications of the smart grid.
To ensure customer acceptance, policy motions on the table in Canada are that no customer identification information will persist in the system other than the company's own billing records; the utility and its affiliates will not share information with third parties; and customers will have to actively agree to subscribe to programs offered by service companies. Canadian regulators also are making approval for smart meters contingent upon “privacy-by-design,” which is a method of “embedding proactively, privacy-protective measures into the design of technology.”
Influence of federal institutions
In September, the National Institute of Standards and Technology (NIST) issued smart grid cybersecurity guidelines for the energy industry, including 189 potential high-level security requirements and ways to assess risks related to modernizing the U.S. electric-transmission system. The document included recommendations on privacy issues that involved personal residences connected to the smart grid, but appeared to defer the responsibility for policymaking on privacy protocols back to utilities and the states. In addition, the NIST report recommended that utilities and others conduct “privacy impact assessments” prior to deploying new technologies.
Furthermore, in its October 2010 report on data access and privacy issues related to smart grid, the U.S. Department of Energy stated that highly detailed or “granular” energy-consumption data should be afforded privacy protection, but also deferred back to states for the policymaking role on how to do it. It included an interesting proclamation that both residential and commercial consumers should be able to access their own energy consumption data and decide whether to grant access to third parties.
Other pertinent national efforts include the North American Energy Standards Board’s creation of a Data Privacy Task Force to develop model business practices for third-party access to consumer smart grid data.
So where is the policy debate on smart grid data heading?
In the United States, privacy regulation of customer data has traditionally been the responsibility of the states, which have developed various privacy protection laws for customer data. Virtually all electric utilities have their own data ownership policies in accordance with regulations promulgated by state regulatory authorities. However, while a handful of states (including the ones mentioned above) are taking an aggressive role in developing privacy policies for smart meter data, many states have not even started to take up the issue.
The creation of potentially disparate data requirements in different jurisdictions, particularly for utilities and vendors that operate in multiple states, could quickly create an operational quagmire, and federal entities appear to be sending a mixed message on the issue—issuing “guidelines” without enforced mandates.
Looking ahead, the smart grid privacy debate is likely to only gain more momentum and, in turn, generate the potential for a consensus to emerge from the chaos.