Swedish Utilities begin massive data grab
People in #Sweden need to be vigilant in relation to the installation of smart meters for electricity and water supplies.
Early last year my electricity supplier sent someone to install a smart meter in my home - I turned them away and sent a data subject request to my electricity supplier to find out what data the smart meter will collect and I explained I would not allow installation of such a device until I am convinced that the processing of my personal data by the device is lawful.
I asked my supplier the following 10 questions:
1. Please list exactly all data which will be collected by the meter.
2. Please list the explicit purpose for each data collected by the meter.
3. Please list the specific legal basis for the collection of this data.
4. Please inform me where the data is stored.
5. Please inform me with whom the data is shared or otherwise disclosed.
6. Please inform me if the data is ever transferred outside of the EU/EEA and if so, to where, what safeguards are used, what the purpose is, what the legal basis is.
7. Please inform me if the data is stored in a US cloud provider's infrastructure such as Google Cloud, Microsoft Azure, IBM, Salesforce, Amazon Web Services, AliCloud or any other cloud platform (irrespective of whether or not the data is in an EU data center).
8. Please inform me how long the data is stored and the basis for that storage period.
9. Please explain if the data is subjected to any big data analytics, machine learning, artificial intelligence or other automated systems.
10. Please inform me if the data is used to train any algorithms.
The responses were (to say the least) not satisfactory and were actually misleading.
They claimed there are legal obligations which require them to process this personal data and proceeded to list 3 clauses of Swedish law - none of which require them to process personal data.
They claimed they are required to process data on individual usage of electricity every 15 minutes - but the law requires they only report aggregate usage every hour and does not require the disclosure of personal data.
They claimed they are required by law to retain data for 40 years - there is no such requirement in law.
Now the press (expressen.se) are claiming that they are also required to do this by law (and I have written to the Editor requesting they cite their sources and pointing out the errors in their article - it feels to me that they just accepted the supplier saying they are required to process this personal data).
So to be clear:
1. There is no new law in Sweden which requires electricity suppliers to process your personal data via a smart meter. The law requires that electricity suppliers provide aggregate data on usage every hour, which does not require the processing of personal data and clearly is not the same as the 15-minute intervals (4x more frequent than required) at which suppliers are collecting this data via their smart meters.
2. The law does not require electricity suppliers to retain personal data for 40 years (which is what the supplier claimed).
My supplier (Vattenfall) are collecting excessive amounts of data which are not required by law but are using the legal basis of "legal obligation" under Article 6(1)(c) of the GDPR as their justification - which is invalid because there is no such legal obligation and therefore said processing is illegal under the GDPR.
Further, they are collecting more data than is necessary to meet their legal obligations or provide the requested service (supply of electricity), and the smart meter is a connected device, meaning the ePrivacy Directive comes into play (as it is terminal equipment under the law). They are therefore required to obtain consent for any other access to information in the terminal equipment - but because of the clear imbalance of power, consent would not be freely given and therefore would not be valid, so their only option is to cease collection of data which is not necessary.
I have refused to allow them to install the meter until such time as their usage complies with all relevant laws and you can too. Don't feel like you have no choice or can be forced to allow installation of these devices - they are legally obligated to comply with these laws and if they are failing to do so, installation of the smart meters is unlawful.
It is really important to remember that just because a company tells you they are legally required to do something, does not mean they are being truthful. You should always check the validity of their claims because in my experience they are pretty much always misleading at best (and often just a downright lie).
Principal Consultant at Ready Solutions Oy
1y
Alexander Hanff if this had continued I assume local grid operators would have had a legal requirement to install smart meters. https://www.svk.se/en/stakeholders-portal/electricity-market/data-hub/
Platform Product Owner and DPO @ Elastisys | Kubernetes, GDPR, NIS2
1y
"We have a legal requirement" reached epidemic status. My head keeps hearing "citation needed" every time I read this. Please list the exact article which relates to your so-called legal requirement. We are a company of engineers and did it. Here, see it for yourself: https://github.com/elastisys/terms#a44-legal-basis If you have a non-zero amount of lawyers in-house, I'm sure you can follow our example.
Bringing data at your fingertips | freelance well-rounded engineer | technical writer
1y
What kind of personal data do the smart meters send? My understanding was that they send consumption/production data, but no personal data. (That the energy supplier does have my personal data from the energy contract and they can make a match on address, that is something else.)
Advokat / Senior Associate at Advokatfirman Lindahl
1y
I'm not an expert on this subject but it appears that the 15-minute requirement comes from regulation 2017/2195, article 53. It concerns imbalances but according to Energimarknadsinspektion, it's the reason for the new measurement requirement. In any event, the rules which require the utility companies to process this data are found in EIFS 2023:1. They are not in force until the 1st of November though. In chapter 3 § 1 in EIFS 2023:1 there appears to be a duty to process this data. It includes the identity of the user, see excerpt:
1 § The grid company shall continuously record and store the following information per withdrawal point in a grid settlement area:
– facility identity (anl id),
– facility address,
– annual consumption,
– meter identity of the electricity meter or meters installed at the withdrawal point,
– times of connection, disconnection and reconnection,
– settlement method (daily or monthly),
– the electricity user's identity (for example personal identity number or organisation number) for the withdrawal point,
– the electricity user's name and address,
– electricity supplier identity (EDIEL-id), and
I wrote about this on a local social media group (for my local community) and my neighbour immediately phoned me because literally 2 days ago an installation engineer came to his house and installed a smart meter against his wishes - but he was informed he had to have it installed and was not given any information as to the data it will process. He is really not happy that he feels he was pressured to install a device which he does not want in his home (specifically for privacy reasons and with no coaching from me).