GDPR and Linky meters: The French Data Protection Authority puts EDF and Engie on notice
The French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés or “CNIL”) has served a formal notice on Electricité de France (“EDF”) and Engie for non-compliance with some of the requirements for obtaining consent in relation to the collection of consumption data from Linky smart meters, as well as for an excessive retention period of such consumption data.
Both companies have three months to comply.
Linky is a communicating meter (a “smart” meter) that transmits consumption data and receives orders remotely. As the fine consumption data can reveal information about privacy (waking and sleeping times, periods of absence, possibly the number of people present in the dwelling place), data protection rules may apply.
Linky meters are currently being deployed by Enedis, the operator of the distribution network for electricity and gas supplied by EDF. Enedis plans to install 35 million meters by 2021.
The compliance failures identified by the CNIL concern the procedures for obtaining consent from individuals prior to the collection of their consumption data and the retention period policies.
The collection of consumption data from Linky smart meters
During the inspections carried out on March 11 and 12, 2019, the CNIL noted that EDF obtains the consent of users to the collection of their fine consumption data by means of a checkbox.
More precisely, the user is invited to activate the collection of his/her daily and half-hourly data via a single “I authorize” checkbox worded as follows: “My daily electricity consumption (every 30 minutes), my consumption history and my maximum power reached”. In addition, by clicking on a “more information” link, the user is told: “My day-to-day consumption: find out more about it to better understand and control my consumption with the display of my daily consumption (every 30 minutes), my consumption history and my maximum power reached. Enedis transmits my consumption data to EDF, which provides me with personalized advice on my consumption”.
Consent is thus collected for the following purposes: display of daily consumption data in the customer account, display of half-hourly consumption data in the customer account and personalized advice aimed at better controlling electricity consumption.
It should be recalled that for consent to be valid, it must be freely given, specific, informed and unambiguous, as per Article 4§11 of the General Data Protection Regulation (“GDPR”). Where any of these criteria is not met, consent cannot serve as a legal basis for processing within the meaning of Article 6§1(a) of the GDPR.
In the matter at hand, the CNIL considered that users’ consent was neither specific nor sufficiently informed.
EDF collects users’ consent to the collection of their daily and half-hourly consumption data through a single checkbox covering three distinct purposes, i.e. the display of daily consumption data in the customer account, the display of half-hourly consumption data in the customer account and personalized advice aimed at better controlling electricity consumption. However, these processing operations are distinct and independent of each other (users may wish to consult the history of their daily consumption without necessarily wishing to benefit from a half-hourly display or to receive personalized advice from their supplier). For the CNIL, the user should be able to give consent purpose by purpose and activate the collection of daily indexes without also having to activate the load curve.
Similarly, during the investigations carried out on February 21, 2019, the CNIL found that Engie collects consent through a single checkbox for two clearly distinct processing operations: the display in the customer account of daily consumption data and half-hourly consumption data. It further noted that Engie does not provide, prior to collecting consent, sufficiently precise information to enable the user to understand the difference in scope between the collection of the “daily index” (daily consumption data) and the collection of the “load curve” (fine consumption data by the hour or half hour).
For the same reasons, it considered that the consent of users was neither specific nor sufficiently informed.
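The granularity the CNIL asks for can be expressed directly in the data model a supplier keeps for each customer. The following is an added example, not code from EDF, Engie, Enedis or the CNIL: it records one opt-in per purpose, refuses to store a consent that is not accompanied by a separate choice and a separate information text for every purpose, and lets the collection layer ask whether a given purpose was actually granted. The purpose names, the record layout and the helper names are assumptions made for illustration; the three purposes mirror the ones described in the notice.

```python
"""Per-purpose consent records for smart-meter consumption data.

Added example (not EDF's, Engie's or the CNIL's code). Purpose names,
record layout and function names are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Purpose(Enum):
    # The three purposes the notice describes as distinct and independent.
    DAILY_DISPLAY = "display of the daily index in the customer account"
    HALF_HOURLY_DISPLAY = "display of the half-hourly load curve in the customer account"
    PERSONALISED_ADVICE = "personalised advice based on consumption data"


@dataclass(frozen=True)
class ConsentRecord:
    """One opt-in per purpose: what the user was shown, when, and whether it was ticked."""
    purpose: Purpose
    granted: bool
    information_shown: str   # text displayed before the choice (consent must be informed)
    recorded_at: datetime


class ConsentError(ValueError):
    """Raised when a consent capture would not be specific or informed."""


def record_consent(choices: Dict[Purpose, bool],
                   information: Dict[Purpose, str],
                   now: Optional[datetime] = None) -> List[ConsentRecord]:
    """Build one record per purpose from a per-purpose choice and information text.

    A single bundled flag cannot be stored: every purpose needs its own entry in
    `choices` (specific consent) and a non-empty explanation (informed consent).
    """
    now = now or datetime.now(timezone.utc)
    records = []
    for purpose in Purpose:
        if purpose not in choices:
            raise ConsentError(f"no separate choice for {purpose.name}: consent would not be specific")
        text = information.get(purpose, "").strip()
        if not text:
            raise ConsentError(f"no information shown for {purpose.name}: consent would not be informed")
        records.append(ConsentRecord(purpose, bool(choices[purpose]), text, now))
    return records


def collection_allowed(records: List[ConsentRecord], purpose: Purpose) -> bool:
    """True only if the user ticked the box for exactly this purpose."""
    return any(r.purpose is purpose and r.granted for r in records)


def permitted_data(records: List[ConsentRecord]) -> List[str]:
    """Which meter data the supplier may pull, derived from the granted purposes only."""
    allowed = []
    if collection_allowed(records, Purpose.DAILY_DISPLAY):
        allowed.append("daily_index")
    if collection_allowed(records, Purpose.HALF_HOURLY_DISPLAY):
        allowed.append("load_curve")
    return allowed


if __name__ == "__main__":
    # Constructed sample: the user wants the daily index but not the load curve or advice.
    info = {p: f"Explanation of what '{p.value}' involves" for p in Purpose}
    recs = record_consent({Purpose.DAILY_DISPLAY: True,
                           Purpose.HALF_HOURLY_DISPLAY: False,
                           Purpose.PERSONALISED_ADVICE: False}, info)
    print(permitted_data(recs))
```

The point of the `record_consent` guard is that a bundled capture (one flag for several purposes) fails at write time rather than being discovered during an inspection; the collection layer then only ever consults `collection_allowed` or `permitted_data`, so the load curve is never pulled for a customer who opted in to the daily index alone.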
Data retention periods
EDF keeps the daily and half-hourly consumption data in an active database throughout the entire duration of the contract and then for a further five-year period, without any intermediate archiving, whether physical on a separate server or logical via access restrictions. No automated wiping procedure is implemented, in particular due to technical complexity.
It should be recalled that pursuant to Article 5§1(e) of the GDPR, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The CNIL considered that the retention of daily and half-hourly data in an active database for the entire life of the contract and then for an additional period of five years, for all types of contracts and without intermediate archiving, was excessive (neither half-hourly nor daily consumption data are necessary for the billing of consumed electricity, which takes place on a monthly basis).
In addition, electricity suppliers are only required to provide customers with their consumption history for a period of three years following the date of obtaining consent (Article D. 224-26 of the French Consumer Code).
Engie keeps its customers’ monthly consumption data in an active database for a period of three years after the termination of their contract, and then for an additional period of eight years in intermediate archiving (i.e. in a database containing data that is still of interest for administrative purposes, e.g. in the event of litigation).
The CNIL considered that while the customer’s contact details can be kept in an active database for three years following the termination of the contract so that Engie can carry out commercial prospecting, the storage of monthly consumption data does not pursue this objective (nor does it pursue the objective of making this data available in the user’s customer account since in practice it is only made available for a period of one year after the contract is terminated).
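Both findings come down to the same engineering gap: a record's lifecycle (live database, then access-restricted intermediate archive, then erasure) is not tied to the purpose the data serves, and nothing moves or wipes it automatically. The following is an added example, not code from EDF, Engie or the CNIL, of a retention job that derives each record's stage from a per-granularity policy and from the contract end date. The durations in it are placeholders that a supplier would set per data category and legal basis, the records are constructed, and the stage names and function names are assumptions for illustration.

```python
"""Tiered retention job: active database -> intermediate archive -> wipe.

Added example (not EDF's, Engie's or the CNIL's code). Durations are
placeholder assumptions; a real policy is set per data category and legal basis.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionPolicy:
    active_after_contract_end: timedelta   # kept in the live, customer-facing database
    intermediate_archive: timedelta        # access-restricted archive (e.g. litigation only)


@dataclass(frozen=True)
class ConsumptionRecord:
    customer_id: str
    granularity: str              # "monthly", "daily" or "half_hourly"
    measured_on: date
    contract_end: Optional[date]  # None while the contract is still running


STAGES = ("active", "archive", "wipe")


def lifecycle_stage(record: ConsumptionRecord, policy: RetentionPolicy, today: date) -> str:
    """Stage a record should be in on `today` under `policy`."""
    if record.contract_end is None:
        return "active"
    archive_from = record.contract_end + policy.active_after_contract_end
    wipe_from = archive_from + policy.intermediate_archive
    if today < archive_from:
        return "active"
    if today < wipe_from:
        return "archive"
    return "wipe"


def apply_retention(records: List[ConsumptionRecord],
                    policies: Dict[str, RetentionPolicy],
                    today: date) -> Dict[str, List[ConsumptionRecord]]:
    """Group records by the stage they belong in; a scheduled job acts on each group.

    A granularity with no policy is an error rather than "keep forever": data
    without a defined retention period must not silently stay in the active base.
    """
    result: Dict[str, List[ConsumptionRecord]] = {s: [] for s in STAGES}
    for rec in records:
        if rec.granularity not in policies:
            raise KeyError(f"no retention policy defined for {rec.granularity!r} data")
        result[lifecycle_stage(rec, policies[rec.granularity], today)].append(rec)
    return result


if __name__ == "__main__":
    # Placeholder policies (assumptions, not the periods any supplier actually applies).
    policies = {
        "monthly": RetentionPolicy(timedelta(days=365), timedelta(days=365)),
        "daily": RetentionPolicy(timedelta(days=365), timedelta(days=0)),
        "half_hourly": RetentionPolicy(timedelta(days=0), timedelta(days=0)),
    }
    # Constructed sample records.
    sample = [
        ConsumptionRecord("c1", "daily", date(2023, 6, 1), None),
        ConsumptionRecord("c2", "monthly", date(2022, 1, 1), date(2022, 6, 1)),
        ConsumptionRecord("c3", "half_hourly", date(2020, 1, 1), date(2021, 1, 1)),
    ]
    for stage, recs in apply_retention(sample, policies, date(2024, 1, 1)).items():
        print(stage, [r.customer_id for r in recs])
```

Run nightly, the "archive" group is moved to a separate store with restricted access (the physical or logical intermediate archiving the notice mentions) and the "wipe" group is erased, so the retention period is enforced by the job rather than depending on a manual clean-up that never happens. The `KeyError` for an unknown granularity is deliberate: a data category with no stated retention period is the situation the CNIL objected to, and the job should refuse to run rather than keep such data indefinitely.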
No follow-up action will be taken with respect to these procedures if the companies comply with the GDPR within the prescribed three-month period. In that case, the closure of each procedure will be made public.
On the other hand, if the companies fail to comply with the GDPR within the prescribed three-month period, the CNIL may refer the matter to its restricted committee responsible for sanctioning breaches of the GDPR, and the companies may thus ultimately be penalized.