The landmark Supreme Court ruling upholding privacy as fundamental right has warranted a response from every sector that deals with personal data. Power sector also requires collecting and storing personal data of consumers for its efficient functioning. Further, high-resolution smart meter data too has the potential to reveal personal information of consumers such as occupancy, appliance usage patterns and even sensitive information like entertainment preferences, religious sentiments through analysis and inference. The time is right to examine provisions to safeguard private consumer data, as already about 2.1 million smart meters have been installed and are operational across the country; with another 9.1 million under deployment. As Ministry of Power (MoP) aims to replace 250 million conventional electricity meters in Indian homes with smart meters by 2022, various issues of deploying and managing such a large number of smart meters, and handling large volume of personal data becomes crucial to examine and prepare for. Furthermore, a new Personal Data protection legislation is in its final stages of becoming the law. Smart meters in the power sector have a transformational potential to alleviate DISCOM stresses, better manage grid, and improve quality of service to the consumers. Thus, it is not only prudent to examine these issues but also prepare the various actors in the sector, especially the DISCOM, towards this fast changing data regulatory space. In this article, we provide the rationale for a Smart Meter Energy Consumption Data Privacy and Security Framework to be adopted by the sector ahead of the legislation. |
1. Introduction
In 2017, the Supreme Court of India upheld privacy as an integral part of fundamental right to life, setting off the discourse on how various aspects of individual privacy is linked to administrative data. As the Indian government has repeatedly expressed its ambitious plans of replacing ordinary electricity meters in India’s 250 million homes with smart meters by 2022, it is pertinent to examine the aspect of data privacy, primarily to assess the sector’s preparedness. Unarguably, smart meters can be used to effectively plan distribution infrastructure, power purchase, improve billing and collection efficiencies, and offer value added services to the consumers, including time of day tariff incentives. However, smart meter energy consumption data, if used in tandem with other datasets, can reveal personal information making the consumer vulnerable to a host of illegal intrusions like surveillance, stalking, burglary, profiling, unsolicited marketing and so on3.
World over, issues of data privacy of smart meter consumers, have been studied and fiercely debated in technical, judicial, legislative and civil society spaces4. At the policy level, many attempts have been made to strike a balance between the promise of operational efficiencies, and protecting data privacy while doing so. For instance, the European Union Electricity Directive was amended in 2019, to explicitly mention the requirement that smart meters must comply with its General Data Protection Rules. In the US, California was one of the first states to establish rules to prevent utilities from sharing smart meter data with third parties without explicit consumer consent. Today at least half of the US states have similar safeguards. As an extreme example of the perils of a mandatory smart meter programme, which did not consider consumer privacy, Netherlands saw smart grid legislations repeatedly fail to get passed without privacy provisions. Finally, as an example of judicial intervention, the Spanish Supreme Court held that energy consumption data is indeed personal data. Similar institutional arrangements to prevent and tackle privacy breaches are in place in the UK and Germany.
1.1 Indian power sector policy and regulatory context
In 2015, the Forum of Regulators (FoR) released Model Smart Grid Regulations5, a guiding document for power sector regulators. It clearly mentioned that distribution licensees and other agencies responsible for implementation of smart grid projects should “ensure that protection of consumer data and consumer privacy is accorded the highest levels of priority”; the document however lacked in operational elements to ensure the same. Following this, only few State Regulatory Commissions have adopted the privacy provision in their regulations6.
In 2016, the Central Electricity Authority (CEA), a statutory body that advises the government on technical and policy matters related to electricity, came up with ‘Functional Requirements’ for Advanced Metering Infrastructure Service Providers (AMISP)7, which provides detailed technical requirements. While the DISCOMs verbatim reproduce it in most of the smart meter implementation contracts, the functional requirements themselves do not address consumer privacy.
Finally, in 2020, MoP released the Standard Bidding Document8 for procurement of prepaid smart meter providers, which is a detailed guiding document on various aspects of smart meter implementation including technical specifications, functional requirements and service level agreement. While this document has privacy provisions in compliance with the Information Technology Act 2000 and upcoming Personal Data Protection Bill 2019, the same is yet to translate in various DISCOMs’ articles of associations with AMISPs, or are not in the public domain to examine.
Therefore, evidently, the existing instruments do not appear to pay attention to the privacy aspects of smart meter data, especially high-resolution data.
2. Changing regulatory space
2.1. Upcoming Personal Data protection legislation
Presently, while the Information Technology Act 2000 and the “reasonable security practices and procedures” rules under section 43A, by definition, apply to billing data and smart meter data, many DISCOM privacy policies have applied it to only the data collected on their websites. However, these sections of the IT Act will soon be replaced by a new personal data legislation. Following the Supreme Court’s privacy judgement, the Government of India tabled the Personal Data Protection Bill 2019 (PDPB) in the Parliament, in order to strike a balance between utilizing the economic value of personal data and upholding the individual’s right to privacy. The bill outlines rights of the individual (data principal), whose personal data is being collected and processed, roles and responsibilities of various actors (data fiduciaries and data processors) handling personal data, as well as institutes a Data Protection Authority (DPA) to regulate personal data in all spheres.
2.2. DISCOM obligations under PDPB
The upcoming PDPB places several obligations on the ‘data fiduciary’, which is an entity that determines the purposes of collection, storage and processing9 of personal data10 vis-à-vis rights of the electricity consumer (i.e the data principal11). Under the PDPB, DISCOMs have the responsibility of ensuring the personal data collected follows the security and privacy standards set by the DPA. Figure 1 depicts the same. Failing to comply with the legislation and regulations of the DPA, can attract significantly high penalties (Rs. 15 Crore or up to 4% of the turnover, whichever higher). To put things in perspective, taking Uttar Pradesh’s example, DISCOMs anticipate a 5-7% increase in billing efficiency and foresee a net gain of Rs. 4,056 Crore in 8 years through 40 lakh smart meter installations. However, 4% of the approved Annual Revenue Requirement (ARR) for FY18 is about Rs. 2,120 Crore; and this penalty can be levied for multiple instances over the years. Thus, even two instances of this penalty in the next 8 years would completely nullify the anticipated benefits of the smart metering programme, if adequate privacy and security safeguards are not ensured.
Figure 1: Smart Meters and Personal Data Protection Bill 2019
Source: Prayas (Energy Group)
Emerging technical methods have exposed anonymised datasets to the risk of de-anonymisation, revealing the personal details12. Therefore, while PDPB deals with non-anonymised personal data, it also ensures that re-identification of personal data is a punishable offence. At the DISCOM level, there will always be non-anonymised smart meter datasets, regardless of who processes it thereafter. Therefore, it puts the onus on DISCOMs to ensure that the smart meter data is not de-anonymised down the line. The PDPB indeed provides for this risk sharing by requiring DISCOMs to ensure that such third-party engagements happen through contracts that can ensure compliance with the legislation and regulations of the DPA. Table 2 and Table 3 in Annexure detail out the specific obligations and penalties PDPB places on DISCOMs and AMISPs.
As for the governance of non-personal data (NPD) i.e., anonymised smart meter data, a general NPD governance framework has been made public by the Ministry of Electronics and Information Technology13. As NPD governance is an evolving concept, DISCOMs need to ensure their systems are compliant with any such upcoming legislations. Since the PDPB requires DISCOMs to build capacity to tackle privacy challenges, following the obligations under PDPB–which is more likely to be the law sooner–will only further ensure that DISCOMs are better-prepared for obligations under any NPD law or policy.
2.3 Role of power sector regulators
Power sector regulators would have to play a key role in determining the specifics of DISCOM and AMISP obligations with respect to data privacy. As the sole personal data regulator in the country, DPA would have to possibly consult power sector regulators, in order to understand the specific data privacy challenges in the sector and evolve sector specific data regulations.
Smart meter programmes would not be the first instance where power sector regulators would be applying themselves on the matter of personal data sharing. In fact, in 2015, Reserve Bank of India (RBI) attempted to bring electricity and telecom regulators and credit information companies (CIC) to evolve data-sharing frameworks in order to develop credit scores for those who have not accessed credit. It wanted to do so by combining telecom and power utilities consumer billing data.
In this matter, while suggesting that state electricity regulators can come up with regulations enabling such sharing, the Forum of Regulators (FoR) opined that until sector specific laws and personal data regulations are evolved, such sharing would infringe upon consumer privacy. One can assume this regulatory stance and understanding holds for smart meter data too, which as discussed, has more potential of revealing personal details of consumers in comparison to ordinary billing data.
The lacunae in regulatory oversight over every aspect of smart meter implementation was highlighted recently in the case of automatic disconnection of supply to about 1.6 lakh smart metered consumers in UP on 12th August 2020. Uttar Pradesh Power Corporation Limited (UPPCL), in response to being fined by the UPERC for the same, stated that as far as Standards of Performance (SoPs) are concerned; there are no relevant regulations with respect to smart meters.
Indeed, in the absence of a well-defined framework, the power sector regulators would not be able to anticipate data privacy concerns, investigate such breaches and adequately hold licensees and third-party service providers accountable to electricity consumers whose privacy has been breached. On its part, the UPERC had acted swiftly with its suo-motu powers under the Electricity Act 2003 and UPERC regulation. It accepted DISCOMs’ submission that ‘technical malfunction’ was the prima facie issue and ordered an internal investigation from the DISCOMs to find out the root cause. While ruling on this unprecedented matter, UPERC opined that “[…] the incident has not only exposed the loopholes in the implementation of smart meter plan but has also shown a glimpse of bigger issues that may occur as the number of smart meters will increase in future.”14 Perhaps the glimpse of bigger issues includes matters of data privacy that have largely gone unnoticed in the sector. Suffice to say that this is an alarm bell for the entire sector to thoroughly examine and prepare for various challenges in smart meter programme implementation, including data privacy.
3. Data privacy and security framework
As a Joint Parliamentary Select Committee is currently examining PDPB, it is in its final stages of becoming the law. In fact, provisions akin to the PDPB have started applying to other sectors, such as public health, through the National Health Management Policy15. This signals the government’s intent to bring in the legislation at the earliest, underscoring the need for an urgent intervention in the power sector. Other sectors dealing with personal data appear better prepared in terms of institutional frameworks. For instance, the Data Empowerment and Protection Architecture (DEPA) framework that outlines methods and institutions of data sharing and consent management among financial and telecom entities, is currently being piloted16. Regardless of how DISCOMs view smart meter data, DISCOMs are constantly handling personal data.
In order for the DISCOMs to be prepared to follow DPA regulations, a comprehensive Smart Meter Energy Consumption Data Privacy and Security Framework (SMEC-DPSF) has to be in place (Figure 2).
Figure 2: Elements of a smart meter energy consumption data privacy and security framework
Source: Prayas (Energy Group)
Such a framework needs to clearly delineate the following-
- Legitimate purposes of collection, storage, processing and sharing. This could be done by considering various use-cases that fall under the purview of the purposes mentioned in the Electricity Act (2003) provided they do not violate privacy. The framework should define the boundaries of purposes of collection, storage and sharing that does not require explicit consumer consent.
- Data storage and security aspects, which clearly defines DISCOM, AMISP roles in ensuring correctness of the data stored (identifiers, for example) and having a data breach response plans to ensure that consumers are informed about security breaches
- Data sharing protocols, which defines roles and responsibilities of DISCOMs, AMISPs and any other third party vendors.
- Consumer rights and entitlements that define the level, mode and frequency of access a consumer has over their data. Ensures consumers are provided some easily accessible insights of their data. The framework should provide for grievance redressal mechanism for grievances related to smart meter data privacy and security.
- Accountability mechanisms like ‘Data privacy and Security Plan’, annual reports on data breaches, grievances received and resolved, details of the data shared, benefits of such sharing etc
The onus of consultatively and deliberatively defining the parameters of privacy, security, and roles and responsibilities is on MoP, and regulatory commissions. In the next article, we will describe our proposal for a Smart Meter Energy Consumption Data Privacy and Security Framework in detail.
Endnotes
1. We are grateful to our colleagues at Prayas for the rich discussions that enhanced the quality of our analysis. We also thank our colleague Srihari Dukkipati in particular for the valuable comments on the drafts. A condensed version of this article appeared in The Indian Express 21 January 2021- https://indianexpress.com/article/opinion/columns/discom-smart-meters-privacy-security-7156239/
2. Comments and suggestions on the series are welcome, and can be addressed to
3. A summary of privacy concerns related to smart meters is provided in Annexure (Table 1)
4.The vast literature we studied to understand the smart meter privacy concerns, indicate that a mix of technical solutions, and institutional checks and balances are unavoidable to remedy these concerns. Some of them are listed in the Annexure.
5. Model Smart Grid Regulations, 2015 http://www.forumofregulators.gov.in/Data/study/SG.pdf
6. Tripura, Telangana, Assam, Karnataka and Haryana are the only states that have Smart Grid regulations. Out of these, Tripura and Assam stand out for specifying data handling and privacy in more detail.
9. Clause 3 (31) of PDB defines processing as “… in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”
10. Clause 3 (28) of PDPB defines Personal data as “…data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;”
11. Clause 14 of PDPB defines data principal as “…the natural person to whom the personal data relates”
12. Erik Buchmann et al., “Re-Identification of Smart Meter Data,” Personal and Ubiquitous Computing 17, no. 4 (2013): 653–62. discuses few such methods