Next Article in Journal
Literature Review, Recycling of Lithium-Ion Batteries from Electric Vehicles, Part I: Recycling Technology
Next Article in Special Issue
2020–2022: Pivotal Years for European Energy Infrastructure
Previous Article in Journal
An Experimental and Computational Investigation of Tailor-Developed Combustion and Air-Handling System Concepts in a Heavy-Duty Gasoline Compression Ignition Engine
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

The Legal Complexities of Processing and Protecting Personal Data in the Electricity Sector

1
Tilburg Law and Economics Center (TILEC) and Tilburg Institute for Law, Technology and Society (TILT), Tilburg Law School, Tilburg University, 5037 AB Tilburg, The Netherlands
2
Tilburg Law School, Tilburg University, 5037 AB Tilburg, The Netherlands
*
Author to whom correspondence should be addressed.
Energies 2022, 15(3), 1088; https://doi.org/10.3390/en15031088
Submission received: 5 November 2021 / Revised: 6 January 2022 / Accepted: 29 January 2022 / Published: 1 February 2022

Abstract

:
The use of smart meters enables the emergence of innovations in the electricity sector, such as smart grids, prosumers and Peer-to-Peer trading, which can play an important role in realizing the energy transition. These developments rely on the processing of personal data, triggering the application of data protection legislation in addition to the legislation organizing the electricity markets. This article examines the interaction between the General Data Protection Regulation (GDPR) and the Directive (EU) 2019/944 on common rules for the internal market for electricity in the European Union, following the method of doctrinal legal research. Concretely, this article investigates what kinds of tensions may arise from the coexistence of these two legal regimes and whether there are mechanisms in place to prevent or mitigate such tensions. Three main tensions are identified. The first tension lies in the fact that some of the innovations facilitated by smart metering in the energy sector rely on technologies that might not be entirely compatible with the GDPR. A second tension follows from the existence of separate but interrelated regimes for access to data of the consumer/data subject in the two legal instruments here analysed. The third tension relates to a possible overlap of competences between the supervisory authorities of both regimes. This article is a contribution to the still scarce legal scholarship on the interplay between the GDPR the Recast Electricity Directive. The findings of this research are of interest not only for academics but also for practitioners, policymakers and supervisory authorities that have to deal with the issues here identified.

1. Introduction

One of the greatest challenges of the 21st century is combating climate change. An important part of this is the reduction of CO₂ emissions, as agreed in the Paris Agreement. To comply with this Agreement, an energy transition will have to take place, in which renewable energy must replace fossil-based energy, and energy efficiency policy and measures should be implemented.
European Union (hereinafter ‘EU’) and national legislation of the Member States will have to provide leeway for technological developments and new energy services that can contribute to the energy transition and consumer empowerment. Directive (EU) 2019/944 (hereinafter ‘Recast Electricity Directive’) [1] furthers the efforts started with the Third Energy Package to encourage the use of smart meters, which allow consumers to easily keep track of their energy costs and consumption so that they can be encouraged to reduce their demand for energy [2]. This advanced system collects information about the energy consumption and energy production of energy consumers and prosumers and passes this information on to the system operators [3].
In this way, it is easy to measure and predict energy demand so that the energy supply and capacity planning can be adjusted accordingly [4]. Even though smart metering can positively impact the energy sector and enable innovations such as smart grids, prosumerism and Peer-to-Peer energy trading, the technology also raises concerns regarding the protection of personal data and privacy of consumers. A smart meter can record every fifteen minutes (or less) what someone does in their home with regard to energy use [5]. For example, smart meter data can reveal whether someone is away from home and which household appliances the consumer uses [6]. Hence, smart meter data can give insights about the private and family life of the consumers, “including behaviour, habits, or preferences, which in turn might result in unintended consequences such as profiling or tracking” [7] (p. 163).
Smart meter data qualifies as personal data if it is related to identifiable natural persons [8]. Hence, the Regulation (EU) 2016/679, known as General Data Protection Regulation (hereinafter, ‘GDPR’) applies to the processing of data generated by smart meters installed at the homes of household customers (hereinafter, ‘consumers’). As a starting point, there seems to be tension between the growing demand for consumer data under EU energy law and the need to limit the processing of personal data under data protection law [6]. After all, any processing of personal data can be seen as an interference with the fundamental rights of the data subject [9]. Therefore, the processing of personal data of energy consumers should only take place following the rules and principles of data protection law, most notably, the GDPR.
Against this background, the technological developments to promote the energy transition that rely on the processing of consumers’ data cannot be viewed in isolation from the protection of personal data. As a result, two different legal frameworks have to coexist: energy law and personal data protection law.
This contribution examines the interaction between EU energy legislation and data protection legislation in light of the growing use of smart meter data in the electricity sector. In particular, this article focuses on the Recast Electricity Directive and the GDPR. Due to the relative newness of these two legal instruments (applicable since 2019 and 2018, respectively), legal scholarship studying the interplay between them is still scarce and leaves room for further inquiry. Huhta (2019) studies the legal interface between the GDPR and electricity market design legislation under the Clean Energy Package, focusing predominantly on interpreting how the grounds for personal data processing in the GDPR can be applied in the context of smart metering [6]. Graef, Husovec & van den Boom (2020) also study the interplay between the GDPR and the Recast Electricity Directive, but their analysis focuses on identifying ‘spill-overs’ between the rules for personal data portability in the GDPR and the rules concerning access to consumer’s data in the electricity sector, as well as other consumer data access regimes in the EU [10].
The research presented in this paper builds upon this literature but takes a broader approach and seeks to address the following research question: what kinds of tensions may arise from the coexistence of these two legal regimes and whether they provide mechanisms to prevent or mitigate such tensions? Considering the growing use of personal data (a highly regulated topic) in the electricity sector (a highly regulated sector), it is important to explore if the interplay between the EU data protection legislation and the electricity market legislation leads to tensions that should be addressed to achieve the policy objectives of both legal regimes. The focus in this contribution will mainly be on the use of smart meters and the protection of personal data generated by smart meters [6]. This contribution aims to expand the existing body of scholarship studying the interplay of data protection law and energy law. The findings of this research are of interest not only for academics but also for practitioners, policymakers and supervisory authorities that have to deal with the issues here identified.

2. Methodology and Structure of the Article

The research presented in this article was carried out following the methodology of doctrinal legal research, also known as traditional legal research. This type of research aims primarily “to give a systematic exposition of the principles, rules and concepts governing a particular legal field or institution and analyses the relationship between these principles, rules and concepts to solve unclarities and gaps in the existing law” [11] (p. 210). In addition, doctrinal research can also have an evaluative purpose and serve as the basis for future legal reform [12].
In terms of approach, van Hoecke [13] explains that this type of research is an “empirical-hermeneutical discipline” (p. 3), in which texts and documents are the main objects of study, and the interpretation thereof is the main activity of the researcher (p. 4). As noted by van Hoecke, the main materials of this type of research are normative sources (such as legislation and other formal sources of law) and authoritative sources (such as case law and legal scholarly writings) (p.11).
The research presented in this article follows this approach and consists primarily of describing and interpreting European Union legislation in the fields of energy law and personal data protection currently in force, in particular, the Recast Electricity Directive and the GDPR, to address the proposed research question. The interpretation of these normative sources is supported by case law and other authoritative sources such as guidelines and opinions from EU and Member State public bodies. This contribution also builds upon existing scholarship on the regulatory challenges of regulating technological innovations in the energy sector [2,14], as well as literature on the principles and foundations of personal data protection law in general [15,16]. Literature from other disciplines has also been used where necessary to explain the working of innovations in the electricity sector. Legal developments have been followed until 5 November 2021.
The remainder of this paper is structured as follows. Section 3.1. will describe a number of technological developments in the electricity sector, which can contribute to the energy transition and rely largely on the processing of personal data. Section 3.2 and Section 3.3. provide an overview of the objectives, principles, actors, rights, and obligations enshrined in the GDPR and the Recast Electricity Directive, respectively. Section 3.4 identifies points of contact as well as tensions and uncertainties arising from the simultaneous application of these two legal regimes. The conclusions are presented in Section 4.

3. Results

3.1. Smart Meters and Innovative Businesses Based on Consumer (Personal) Data

Today, it is evident that the use of fossil fuels to generate energy is outdated [17]. The transition towards a clean energy system is twofold: on the one hand, the mode of generation of energy must change, and, on the other hand, energy consumption and consumer behaviour must also undergo a drastic transition [17]. Social and technological innovations play an important role in achieving the energy transition [18]. This article focuses on innovations that rely on personal data from smart meters.
Nowadays, copious amounts of personal data are being traced and stored during daily activities. For example, personal data about which train journeys we make is registered by using a rechargeable train card for checking in and out. If all this personal data is brought together, organized and analysed, information about our behaviour is created [19]. As a result, personal data forms a link between our physical environment, services and platforms [19]. Data collection and processing also occur in the energy sector, as will be discussed below.

3.1.1. Smart Meters

The smart meter is an instrument that can be used to measure the energy consumption of a household in a very detailed manner [6]. From a legal point of view, the smart meter is explicitly mentioned in the Recast Electricity Directive. According to the recitals of this Directive, smart meters have two key functions. On the one hand, smart meters can empower consumers by providing information on their energy consumption and/or generation, allowing them to adjust their consumption patterns and participate in demand response programmes and other services so that their energy costs can be reduced (Recital 52 Recast Electricity Directive). On the other hand, smart meters are also a means for Distribution System Operators (DSOs) to keep track of energy demand and the functioning of their networks so that they can fine-tune their system operation to lower operation and maintenance costs (Recital 52 Recast Electricity Directive).
The Recast Electricity Directive sets a number of requirements for smart meters. Following Article 19, smart metering systems shall be “interoperable, in particular with consumer energy management systems and with smart grids, in accordance with the applicable Union data protection rules”. Article 20 stipulates that the Member States must deploy smart metering systems following European standards, Annex II of the Recast Electricity Directive and a number of additional requirements, including (i) being able to provide consumers information on the actual time of use; (ii) complying with EU rules on (cyber)security, privacy and personal data protection; and (iii) “enable final customers to be metered and settled at the same time resolution as the imbalance settlement period in the national market” (Article 20, section (g)). Under Annex II to the Recast Electricity Directive, the roll-out of smart meters in Member States may be subject to an economic assessment of the long-term costs and benefits to the market and the individual consumer, taking into consideration (among others) the “best available techniques for ensuring the highest level of cybersecurity and data protection” (Section 2 of Annex II). If the result of the assessment is indeed positive, at least eighty percent of the final customers (consumers) in the relevant Member State will have to be provided with a smart meter within seven years after the positive result has been determined (Section 3 of Annex II).
In many Member States, smart meter data is collected and managed by the DSOs [6]. The DSOs also have to make available this (personal) data to, for instance, energy suppliers so that they can send bills to consumers. After the DSOs have collected and organized the smart meter data, it is clear how much energy the household has used and when. Based on this, the (expected) energy consumption can be controlled in a targeted manner [19]. This is not only useful for the household itself. More accurate energy consumption data is also very useful for the DSOs to predict and balance network load in an efficient way [2,6]. This balancing task becomes ever more challenging with the growth of renewable distributed generation and Electric Vehicle (EV) charging units connected to the distribution grids, which causes more unpredictable bi-directional energy flows [6]. Thanks to smart meters, the consumer can also easily keep track of how much energy is generated (for instance, by solar panels) and stored by the consumer (for example, in batteries) so that the consumer can have a place in the energy market to offer the surplus energy to flexibility markets or peers. Flexibility markets can contribute to an efficient operation of energy systems by monitoring energy flows, capturing market signals and motivating changes in energy supply and demand by sending out market signals. These changes can be activated by combining smart meters, smart appliances, demand response programmes, renewable energy sources and energy efficiency sources [20].

3.1.2. Innovations Enabled by Smart Meters

The rollout of smart meters and the extensive data processing they generate enable the emergence of innovations in the electricity sector. This section will refer to three examples of developments made possible or facilitated by smart metering and encouraged by the Recast Electricity Directive: smart grids, prosumers and Peer-to-Peer trading.
In the smart grid, modern techniques in monitoring and communication are used to promote the reliability of the grid and solve problems in the area of generation and storage of energy [21]. Therefore, the smart grid is seen as a promising solution for renewable energy developments [21].
The Recast Electricity Directive (following its predecessor, Directive 2009/72/EC) encourages the Member States to modernize energy distribution networks by means of, for example, the introduction of smart grids “built in a way that encourages decentralised generation and energy efficiency” (Recital 51 Recast Electricity Directive). A smart grid is an energy grid that responds intelligently to all components in the grid [22]. It is an “upgraded energy network to which two-way digital communication between the supplier and consumer, smart metering and monitoring and control systems have been added” (Commission Recommendation 2012/148/EU, Section 3(a)) [23]. The purpose of the smart grid is to deliver energy efficiently and sustainably [22]. Smart meters play a major role in establishing a smart grid [22] because they provide detailed information on how much energy is fed into the grid and how much is taken from the grid.
Local renewable distributed generation also gives smart metering a whole new dimension. Households can generate energy themselves by, for instance, installing solar panels on their roofs. In this way, the smart meter can also track how much energy is generated. Local production and consumption are stimulated; What then remains is the net energy consumption (consumption minus generation).
When the consumer generates more energy than is consumed, the consumer can supply this energy to the network. Consumers who supply excess energy to the network in exchange for compensation are known as ‘prosumers’ [2] (pp. 4–5).
The Recast Electricity Directive uses the definition ‘active customers’ to refer to prosumers (Article 2, Section 8, Recast Electricity Directive). In this Directive, the active customer is defined as a final customer or a group of final customers that consume or store energy generated within their own premises (or within other premises, if allowed by the relevant Member State), or final customers that sell the generated energy or participate in energy efficiency or flexibility schemes (Article 2, Section 8, Recast Electricity Directive). An important limitation here is that this cannot be the main commercial or professional activity of the active customer (Article 2, Section 8, Recast Electricity Directive).
Prosumers can offer their energy surplus to the electricity market through intermediaries known as aggregators (Article 2, Section 18, Recast Electricity Directive). Aggregators offer the energy surplus of the prosumers to the market in exchange for a fee [2].
When prosumers do not offer their energy surplus to the market but offer the energy surplus to other consumers, this is known as Peer-to-Peer (P2P) trading [24]. Technological developments in the energy sector enable this decentralized way of trading energy, allowing traditional ways of energy supply to fade into the background [2]. P2P trading can occur within blockchain microgrids, which means that decentralized P2P transactions can occur directly between the peers, eliminating the need for (traditional) third parties to intervene [2]. P2P transactions can also occur in open access platforms [25]. Within the Member States in the European Union, a number of projects are in operation using P2P trading. For example, Vandebron offers the option of purchasing energy from independent producers in the Netherlands [24]. Another example is found in Germany, where PeerEnergyCloud offers a platform in which energy can be traded locally [24]. This serves as an example of a local market, as locally generated energy is bought by a local consumer. Directive (EU) 2018/2001 (known as the ‘Renewable Energy Directive II’, hereinafter RED II) [26] introduced a legal definition of P2P trading as “the sale of renewable energy between market participants by means of a contract with pre-determined conditions governing the automated execution and settlement of the transaction, either directly between market participants or indirectly through a certified third-party market participant, such as an aggregator” (Article 2 (18), RED II).
This Directive also requires that Member States ensure that consumers are entitled to become ‘renewable self-consumers’, among others, by taking part in P2P arrangements, without being subject to “discriminatory or disproportionate procedures and charges, and to network charges that are not cost-reflective” (Article 21, Sections 1 and 2(a), RED II). In sum, the development of smart energy systems and smart meters can lead to a changing role from consumers to prosumers and open the door for innovations such as smart grids and P2P trading. It is worth noting that these are not the only innovations that are enabled by smart metering. There is a growing number of business models and services based on smart meter data (and other sources of data in the electricity sector), such as the so-called ‘engagement enablers’, ‘Energy as a Service’, and the participation of aggregators of prosumers in wholesale electricity markets (see, e.g., CEER 2021 [27], Correa-Florez and others [28] and Iria and others [29])
What all these developments have in common is that they rely on the processing (e.g., collecting, storing, analysing, transmitting) of data, in particular, data relating to consumers. When consumers are natural persons, which is the case, especially in respect of household customers, their data qualifies as personal data and must, therefore, be processed following the requirements laid down in the GDPR.

3.2. Analysis of the GDPR

3.2.1. Objectives of the GDPR

The protection of personal data is a fundamental right enshrined in Article 8 of the Charter of Fundamental Rights of the European Union [30] and Article 16 of the Treaty on the Functioning of the European Union (hereinafter ‘TFEU’) [31]. Regulation (EU) 2016/679 [32], better known as the GDPR, is the most comprehensive EU legislation adopted to regulate this right. The GDPR applies to the processing of personal data in all sectors and situations, except for those explicitly excluded from its scope, e.g., prevention, investigation, detection or prosecution of crimes (Art. 2, GDPR). The GDPR has two main objectives laid down in Article 1 of the GDPR. On the one hand, the GDPR aims to protect the personal data of natural persons (Article 1, Section 2, GDPR). On the other hand, the GDPR aims to regulate the free movement of personal data (Article 1, Section 3, GDPR).
What does ‘personal data’ mean? This question is quite important because the term ‘personal data’ is the central term of the GDPR. If the requirements in the definition of personal data are not met, the GDPR does not apply. This may be the case when data collected in the energy sector relates to companies (and other non-natural persons), or when data can no longer be traced back to natural persons, for example, due to anonymization (Recital 26, GDPR). The latter is only the case if the anonymization can no longer be reversed. If data can still be traced back to a natural person, even if the data has undergone pseudonymisation, the GDPR applies in full (Recital 26, GDPR).
Article 4 of the GDPR defines ‘personal data’ as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (Article 4, Section 1, GDPR). The Article 29 Working Party (hereinafter Art. 29 WP), a former EU data protection advisory body, interpreted the definition of ‘personal data’ in one of its guidelines, as follows.
Firstly, ‘personal data’ concerns ‘information’ relating to a person, which can be objective information about a person, but it also can be subjective information about a person, such as an opinion [33]. Moreover, the information does not have to be proven or true, nor is the content of the information of great importance [33]. The form in which the information is available is also irrelevant [33]. Moreover, it does not matter whether the information is public or private [15]. In conclusion, the component ‘information’ in the definition of personal data has a very broad interpretation [15].
Second, according to the Art. 29 WP, it must be information ‘related’ to a person [33]. The Art. 29 WP adds three additional elements to this: content, purpose and result. ‘Content’ means that the information is simply about a person. ‘Purpose’ entails that data “are used or are likely to be used, taking into account all the circumstances surrounding the precise case, with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual” [33] (p. 10). Finally, with ‘Result’, it is meant that the result of the information is that a person (or their interest) is affected by it.
Third, it must be information related to an ‘identified or identifiable’ natural person. Identified means that one can individualize a person within a group with the information [33]. This may concern direct personal data, such as someone’s name [34]. However, it can also concern indirect personal data [34]. In that case, it concerns specific details of a person. For example, if someone says ‘the girl from Sweden who shouted ‘how dare you!’ at the UN Climate Summit’, then everyone knows this refers to Greta Thunberg. It is important to emphasise that the person’s name does not have to be known for the purposes of the GDPR [15]. It may also be possible that a person is not yet identified but can be identifiable, considering the means that are reasonably available to the processor or another person to identify the individual(s) [33].
Fourth, it is required that the information concerns ‘natural persons’. The GDPR does not apply to data of deceased persons (Recital 27 GDPR) nor legal entities (Recital 14 GDPR).
Based on the foregoing, it may be concluded that data from smart meters in the energy sector can be qualified as personal data within the meaning of the GDPR. Art. 29 WP has come to this conclusion in its Opinion 12/2011 on smart metering [8]. In this Opinion, the Art. 29 WP refers to examples of which types of data are processed when using smart meters. This includes a unique reference number of the smart meter, a display of time and date on the meter, information about the adjustment of the smart meter, descriptions of messages sent and their contents [8]. This information qualifies as personal data because a smart meter almost always contains a unique identification number, which is linked to the person responsible for the energy contract, allowing to single out that person from other consumers [8]. Secondly, using a smart meter makes it possible to create a profile of the consumer’s energy consumption, which is used to make decisions affecting the consumer, e.g., determine the energy consumed for billing purposes [8]. Finally, the use of smart meters to stimulate consumers to reduce their energy consumption to contribute to the objective of reducing overall energy consumption in the EU relies greatly on collecting large amounts of information concerning the behaviour of the consumers [8].
If certain data can indeed be qualified as personal data, there is another requirement for the GDPR to be applicable. This requirement entails that personal data is ‘processed’ (Article 2, Section 1, GDPR)’. Processing has a very broad definition under the GDPR. Processing includes, among other things, the collection, recording, transmission, use and deletion of personal data (Article 4, Section 2, GDPR). This broad notion of processing makes it very likely that the GDPR applies where personal data is involved.

3.2.2. Principles in the GDPR

The GDPR sets out a number of important principles. These are laid down in Article 5 of the GDPR. First of all, the processing of personal data must be lawful, fair and transparent (Article 5, Section 1 under a, GDPR). The principle of purpose limitation requires that the processing of personal data must have a specified, explicit and legitimate purpose (Article 5, Section 1 under b, GDPR). In addition, the principle of data minimisation entails that the processed data must be “adequate, relevant and limited to what is necessary in relation to the purposes” (Article 5, Section 1, under c, GDPR). The principle of accuracy requires that the personal data being processed must be accurate and up to date (Article 5, Section 1 under d, GDPR). Furthermore, the storage of personal data must remain limited to what is necessary for data processing purposes (Article 5, Section 1 under e, GDPR). The principle of integrity and confidentiality requires that appropriate organizational and technical measures have to be taken (Article 5, Section 1 under f, GDPR). Finally, following the principle of accountability, the data controller is responsible for and must be able to demonstrate compliance with all the other principles (Article 5, Section 2, GDPR).
The lawfulness of the processing of personal data has a prominent place in the GDPR. Processing is only lawful if at least one of the six grounds for data processing laid down in the GDPR is present (Article 6 GDPR). The data processing can be lawful if there is specific, free and informed consent of the data subject (Article 6, Section 1 under a, and Article 7 GDPR). The processing may also be lawful if the processing is necessary for the performance of a contract, to comply with a legal obligation, to protect the vital interests of the data subject or other natural persons, for the performance of a task in the public interest or the purposes of the legitimate interests of the controller or third parties (Article 6, Section 1 under b to f, GDPR). The choice for one of these six grounds depends on the purpose of the data processing. It is the controller who decides the purpose, means and lawful basis of the data processing [35]. However, there are two (logical) exceptions to this. When personal data is processed to comply with a legal obligation or to perform a task in the public interest, it is the legislator who determines the basis for data processing.
The grounds for processing under the GDPR are interpreted narrowly. For every basis, except consent, it is required that the data processing must be necessary [36]. With consent, however, the necessity requirement can be read in: there must be in any case a specific purpose that makes the processing necessary, in accordance with the principles of purpose limitation and data minimisation (Article 5, Section 1, sub b and c GDPR).
Furthermore, the GDPR makes an important distinction between ‘normal’ and special categories of personal data. Special personal data are, for example, data about race, ethnicity or philosophy (Article 9 GDPR). These types of personal data may not be processed unless one of the exceptions of Article 9, Section 2 GDPR applies, for example, by obtaining the data subject’s explicit consent.

3.2.3. Actors in the GDPR

The GDPR distinguishes a few important actors in data protection law. The GDPR gives these actors their own rights and obligations. This contribution will only refer to the actors that are of interest with regard to the processing of personal data in the energy sector.
The first actor to be discussed is the ‘data subject’. The data subject is the identified or identifiable natural person to whom the personal data relates (Article 4, Section 1, GDPR). In the case of smart meters, consumers whose energy use is registered can be qualified as data subjects.
The ‘controller’ is the natural or legal person, public authority or agency responsible for processing personal data and determining the purposes and means of the processing of personal data (Article 4, Section 7, GDPR). In the case of the processing of data generated by smart meters in the energy sector, this will usually be the DSO or the supplier [5]. The question of who can be regarded as a controller in respect of a certain data processing activity depends on the purpose of the processing. For instance, when the DSO uses smart meter data to maintain the grid, the DSO will be regarded as a controller under the GDPR [37]. If the energy supplier uses smart meter data for billing purposes, then the energy supplier will be a controller for this data processing operation [37]. It is also possible that two or more entities jointly determine the purposes and means of data processing. This is known as ‘joint controllership’ (Article 26, GDPR).
The ‘processor’ is the actor (natural or legal person, public authority or other body) that processes personal data of data subjects on behalf of the controller (Article 4, Section 8, GDPR). Controllers are obliged to employ only processors that can adopt technical and organizational measures to process personal data in compliance with the GDPR (Article 28, Section 1, GDPR). The processing of personal data carried out by processors must be governed by a contract or a legal act under EU or Member State law, which specifies the scope of the processing, the obligations and rights of the processor and the controller (Article 28, Section 3, GDPR). In general, the controller is ultimately responsible for the processor’s data processing. It is difficult to determine in abstract who will assume the role of processor in the energy sector, asthis largely depends on the data management model of a Member State [6].
The ‘recipient’ is the person, legal entity, government agency or service to which personal data are disclosed (Article 4, Section 9, GDPR). This definition is relevant, for instance, in the context of access to consumer data by eligible parties (see Article 23 of the Recast Electricity Directive). ‘Recipients’ can become data controllers if they process the received personal data for their own purposes. Note that from a data protection perspective, sharing personal data is only allowed if this is compatible with the initial purpose of data processing or if a lawful basis for data processing from Article 6 GDPR can be invoked [38].
Another important actor in the GDPR is the data protection officer (DPO). The GDPR requires the controller and processor to appoint a DPO when the former are either a government body or agency, when the nature, scope and purposes of data processing require the large-scale monitoring of data subjects, or when special personal data are being processed on a large scale (Article 37 GDPR). This, therefore, applies to both public and private organizations. The tasks of the DPO include supervising data processing, informing the controller and processor and cooperating with the data protection authority (Article 39 GDPR).
The data protection authority (DPA) is another very important actor in the GDPR. Article 51 of the GDPR states that each Member State of the European Union must designate an independent supervisory authority to monitor and enforce the application of the data protection rules. For example, the Netherlands has designated the Autoriteit Persoonsgegevens (AP), and Germany has designated the Bundesdatenschutzbeauftragte (BfDI). The powers of the DPA can be divided into investigative, corrective and authorisation and advisory powers (Article 58 GDPR). The European Court of Justice has imposed strict requirements on the independence of the DPA. Not only must the DPA be able to perform its duties independently without external influence (Article 52 GDPR), but also the members of the DPA must not be bound by any instructions while performing their functions [39]. In short, it is not only a question of legal independence but also de facto independence [39].
Finally, it is important to mention the European Data Protection Board (EDPB). The EDPB was created by the GDPR (Chapter III GDPR), replacing the Article 29 Working Party. It consists of one DPA per Member State and the European Data Protection Supervisor (Article 68 GDPR). The EDPB is an independent Board (Article 69 GDPR), and its main tasks are to advise the European Commission and issue guidelines to the public on aspects concerning the protection of personal data (Article 70 GDPR). The central objective of the EDPB is to secure the unity of the application of the GDPR and coordinate national data protection authorities in the EU.

3.2.4. Rights of the Data Subjects

The GDPR grants a number of rights to the data subject (in the case of smart meters, the energy consumer). These rights are entitlements of the data subject, translating into obligations for the data controllers. First of all, the data subject has the right to transparent information from and communication with the controller (Article 12 GDPR). In addition, the data subject has the right to know by whom and for what purposes their personal data is collected (Articles 13 and 14 GDPR). Furthermore, the data subject has the right to access information related to the processing of personal data (Article 15 GDPR). Moreover, the data subject has the right to rectify inaccurate data (Article 16 GDPR) and the right to erasure (known as the ‘right to be forgotten’), which means that their personal data must be erased under certain conditions (Article 17 GDPR). In addition, the data subject has the right to restrict the processing of personal data in the event of possible inaccuracy of the personal data, unlawful processing, unnecessary processing of personal data or pending the outcome of an objection procedure (Article 18 GDPR). The GDPR also grants data subjects the right to data portability (Article 20 GDPR). Finally, the data subject has the right to object to the processing of their personal data (Article 21 GDPR), and the data subject has the right not to be subjected to a decision based solely on automated data processing (Article 22 GDPR). In certain cases, these rights may be limited, for example, in the event that the processing of personal data is necessary for national security purposes (Article 23 GDPR).

3.2.5. Obligations and Responsibilities

Controllers and processors have to comply with a considerable number of obligations enshrined in the GDPR, which apply in addition to the principles and rights mentioned above. Both the processor and the controller must take sufficient appropriate technical and organizational security measures to process personal data (Articles 24 and 32 GDPR). In addition, they must implement data protection by design and by default in their system (Article 25 GDPR). Furthermore, the processor should ensure appropriate organizational and technical security measures, and a processing agreement should be concluded between the processor and the controller (Article 28 GDPR). The controller and processor should also register processing activities (Article 30 GDPR) and cooperate with the appropriate supervisory authority (Article 31 GDPR).
There are also a number of obligations that only apply to the controller. For example, the controller must report data leaks (after receiving information from the processor about this) to the supervisory authority and the data subject concerned (Article 33 and 34 GDPR). If the processing of personal data is likely to create high risks to the rights and freedoms of data subjects, the controller should ensure that a data protection impact assessment (DPIA) is carried out before the start of the processing (Article 35 GDPR). If this assessment concludes that the processing would entail a high risk, the controller must report this to the supervisory authority before processing personal data (Article 36 GDPR). Moreover, when legally required, the controller should appoint a DPO (Article 37 GDPR).

3.3. Analysis of the Recast Electricity Directive

3.3.1. Objectives of EU Energy Policy and the Recast Electricity Directive

Article 194 of the TFEU provides the legal basis and main objectives of EU energy policy, which is a shared competence between the EU and the EU Member States [40]. This article specifies the main goals of EU energy policy within the context of the “establishment and functioning of the internal market and with regard for the need to preserve and improve the environment” and “in a spirit of solidarity”. European Union policy on energy shall aim to “(a) ensure the functioning of the energy market; (b) ensure the security of energy supply in the European Union; (c) promote energy efficiency and energy saving and the development of new and renewable forms of energy; and (d) promote the interconnection of energy networks” (Article 194, TFEU). These goals clearly indicate the transition the European Union must go through, namely the transition to a sustainable European energy sector. These objectives can be seen as a specification of the overarching energy trilemma that encompasses the three main values of EU energy policy: affordability, security of supply and sustainability [41,42]. These three values constantly need to be balanced and optimized when implementing EU energy policy, which means that sometimes trade-offs have to be made and, in some instances, one value might gain more weight than the other [41]. The latest package of legislative measures for the electricity sector in the EU is the ‘Clean energy for all Europeans package’, known as ‘the Clean Energy Package’ (hereinafter, ‘CEP’) [43]. This package introduced the Recast Electricity Directive here studied, as well as the RED II mentioned above, among other legislation.
The legislative measures adopted under the CEP have three main aims. Firstly, they aim to achieve the goals set in the Paris Agreement and European climate goals (Recital 16 Recast Electricity Directive). Therefore, this goal is related to the strategy of the European Commission to aim for a climate-proof electricity supply (Recital 4 Recast Electricity Directive).
The second goal of the CEP, which has existed since the 90s of the last century, is to realize an internal market for electricity within the European Union and promote competition and innovation (Recital 2 Recast Electricity Directive). Directive 2009/72/EC had already contributed to this, but the Recast Electricity Directive was adopted in 2019 to keep up with a new market reality developed in response to many technological developments (Recital 2 Recast Electricity Directive). Therefore, the Recast Electricity Directive has replaced the 2009 Directive [44]. Promoting an internal market and competition should lead to more choices for consumers, better service and competitive and affordable prices.
This leads to the third important goal of the CEP, which is to promote consumer welfare and the interests of consumers. This goal encompasses, first of all, consumer protection. For example, consumers must be informed in a clear and comprehensible way about their rights in the energy sector, for example, by means of a checklist drawn up by the European Commission in collaboration with, among others, Member States, regulatory authorities, consumer organizations and electricity companies with regard to consumer rights that must be handed out to consumers and must be made public (Recital 31 Recast Electricity Directive). From the perspective of consumer protection, there is, of course, also an important role in the protection of the consumers’ personal data.
Another important goal of the CEP can be summarized as consumer empowerment. Consumers “should be able to consume, store and sell self-generated energy and actively participate in the electricity market”, and all obstacles for consumers to actively participate in the energy market should be removed (Recital 42 Recast Electricity Directive). The idea of consumer empowerment enables and encourages market participation such as prosumerism and P2P trading, as well as the development of citizen energy communities. Following Article 11 of the Recast Electricity Directive, the ‘citizen energy community’ is a legal entity that is based on voluntary and open participation, controlled by its members or shareholders, which can be citizens, local authorities or small enterprises (section a). The primary purpose of the citizen energy community is not the creation of profit but providing environmental, economic or social benefits for its members or the areas in which it operates (section b). This community may engage in “generation, including from renewable sources, distribution, supply, consumption, aggregation, energy storage, energy efficiency services or charging services for electric vehicles or provide other energy services” (section c).

3.3.2. Principles of EU Energy Law

Like data protection law, energy law is based on a number of basic principles such as sustainable, reliable and affordable energy for all EU citizens [45]. These three principles are referred to as the energy trilemma [45]. These principles are also closely related to the ideas of energy justice and energy democracy [46] and must be taken into account when adopting new laws in the energy sector [47].
In essence, energy justice means that energy supply and the costs and benefits of the energy transition are distributed fairly among society [41,45,46,47,48]. Energy justice can be seen as a specific interpretation of the rule of law in the energy sector, including the protection of human rights and the right to privacy and data protection.
Energy justice also encompasses the idea that vulnerable groups of energy consumers should be protected (art. 28 and 29 Directive (EU) 2019/944). Energy democracy, which is closely related to the concept of energy justice and can even be seen as part of it, means that citizens are so involved in the energy sector that they become energy citizens [48]. More concretely, energy democracy is about the participation of citizens in procedures governing and regulating the energy transition. Moreover, energy democracy is about citizens taking part in energy projects themselves, for example, by buying certificates of an energy cooperative or by taking part in the governance of energy companies [48].
The principles of Good Regulation also apply to the regulation of the energy transition and are embedded in the European Union energy legislation, including the principles of accountability, independence, effectiveness, transparency, participation, efficiency and flexibility [47]. The principles aim to achieve high-quality regulation of the energy sector and contribute to realizing the values of energy justice and energy democracy and the goals of the CEP.

3.3.3. Actors in the Recast Electricity Directive

The energy consumer is central to the European energy directives and regulations [49]. The role of the consumer in the energy market has changed over the years [49]. Initially, it was assumed that the consumer was the driver of competition between energy suppliers because it was assumed that the consumer was often actively looking for the cheapest supplier [49]. As more attention was paid to climate change, sustainable energy sources and energy efficiency, the idea was added that consumers also have a crucial role in achieving international and European climate and environmental goals, for instance, by switching to renewable energy suppliers [49]. When it was realized that a transition from a traditional distribution network to a smart distribution network was necessary, the role of the consumer was expanded even further by stimulating consumers to manage their own energy consumption through the use of smart meters and by participating in demand response programmes [49].
Interestingly, the term ‘consumer’ is not found in the definitions of the Recast Electricity Directive in Article 2, although it is used throughout the text of the Directive. Article 2 of the Recast Electricity Directive sets out the definition of ‘customer’. The term ‘customer’ can be divided into two parts: the wholesale customer or the final customer of electricity (Article 2, Section 1, Recast Electricity Directive). A ‘wholesale customer’ is a natural or legal person who purchases electricity and then resells it within or outside the system of which this customer is a part (Article 2, Section 2, Recast Electricity Directive). A ‘final customer’ is then the person who buys that electricity for their own use and can, therefore, be qualified as a consumer (Article 2, Section 3, Recast Electricity Directive).
These two types of customers can again be divided into a number of categories. The main customer category for this contribution (focusing on personal data and smart meters) will be the ‘household customer’. This is a consumer who “purchases electricity for the customer’s own household consumption, excluding commercial or professional activities” (Article 2, Section 4, Recast Electricity Directive).
Due to increasing technological developments and modernization in the energy sector, a number of new actors have also emerged in the energy sector. It is expected that the energy transition will lead to more flexibility in the energy networks, which will create more room for new market players and companies [50]. ‘Prosumers’ or ‘active customers’ are among the new market players acknowledged by the latest EU energy legislation. They are customers who consume, store or sell self-generated electricity or participate in flexibility or energy efficiency schemes (Article 2, Section 8, Recast Electricity Directive). In addition, small storage providers may also emerge that can store energy on a small scale for extra capacity to keep supply and demand in balance in a variable energy market [50]. Furthermore, large-scale development of energy cooperatives is taking place in the energy sector [51]. Often, these cooperatives combine economic, social and environmental aims [51]. In this regard, energy cooperatives are hybrid organizations that borrow practices and logic from, among others, businesses and organizations [52]. In some cases, cooperatives cooperate with the traditional (incumbent) energy suppliers and many new market entrants.
A flexible energy market offers commercial opportunities for integrated energy services companies whose task is to (further) digitalize the energy market and stimulate energy distribution by trading flexibility services [53].
This is done, for instance, by aggregators. These aggregators can be natural persons as well as legal persons (Article 2, Section 18, Recast Electricity Directive). The Recast Electricity Directive defines their function as combining the sale, purchase or auction of the consumer or the generation of energy from different customers in the electricity network (Article 2, Section 18, Recast Electricity Directive). Independent aggregators must be independent of the costumer’s energy supplier (Article 2, Section 19, Recast Electricity Directive). Member States must guarantee non-discriminatory access to the electricity market for (independent) aggregators (Article 17, Section 3 under a, Recast Electricity Directive).
Other crucial actors in the energy sector are the energy supplier, the Transmission System Operator (TSO) and the Distribution System Operator (DSO). Suppliers sell or resell electricity to the consumers (Article 2, Section 12, Recast Electricity Directive). The TSO is the body responsible for the operation, maintenance and development of the transmission system (Article 2, Section 35, Recast Electricity Directive). Transmission means that electricity is transported along the (extra) high-voltage system to eventually reach the end customers or DSOs (Article 2, Section 34, Recast Electricity Directive). Usually, the TSO may also be responsible for interconnections with other systems so that the system can meet the demand for electricity transmission. Strict unbundling requirements apply to the TSOs under EU law [54,55]. Unbundling means that TSOs must be both economically and legally independent from companies that produce or supply electricity (Chapter VI Recast Electricity Directive). Unbundling the grid from generation and supply decreases the risk of discrimination in the operation of the grid and gives incentives to network companies to invest effectively in their grids (Recital 67 Recast Electricity Directive).
The DSO is a natural or legal person responsible for operating, maintaining and developing the distribution system (Article 2, Section 29, Recast Electricity Directive). Distribution means that electricity is transported through high, medium and low voltage distribution systems to supply electricity to consumers (Article 2, Section 28, Recast Electricity Directive). If applicable, the DSO is also responsible for interconnections with other systems (Article 2, Section 29, Recast Electricity Directive). A broad responsibility of the DSO is that the distribution system can meet the reasonable demand for electricity in the long term (Article 2, Section 29, Recast Electricity Directive). The EU unbundling requirements for DSOs do not go as far as those of the TSO [54]. The only requirement is that when the DSO is part of a vertically integrated company, it should be independent in terms of legal form, organization and decision-making of other activities not related to distribution (Article 35 Recast Electricity Directive). However, EU legislation contains minimum requirements, which allows the Member States to impose stricter requirements. This is the case, for example, in the Netherlands, where it is required that the DSO must meet the same unbundling requirements as the TSO, requiring economic, legal and administrative unbundling for the DSO [54].
The role of the DSO is growing due to the increased connection of distributed generation, electric vehicles and storage facilities to the distribution grids and the responsibilities of the DSOs to operate the electricity grid safely and reliably. With the implementation of ICT technologies and the use of data, local distribution grids have to transform into smart grids that enable the efficient integration of renewable energy into the energy system [50]. Together, the TSOs and DSOs ensure that the energy is imported and exported, transported, distributed and ultimately reaches the customers [55]. Yet, an important difference is that the TSO acts at the national level, while the DSO focuses on the decentralized regional/local level. In summary, TSOs and DSOs are responsible for managing the electricity system, which increasingly also involves data management.
Another interesting role is that of the compliance officer. The Recast Electricity Directive allows Member States to require that parties responsible for data management appoint a compliance officer (Article 23, Section 4, Recast Electricity Directive). These officers are in charge of monitoring that the parties responsible for data management implement measures to ensure non-discriminatory access to consumer data and that eligible parties comply with the rules of the Recast Electricity Directive. Article 23, Section 4 of the Recast Electricity Directive emphasizes that the duties of the compliance officers are without prejudice to the duties of the DPOs under the GDPR.
In addition, national regulatory authorities are very important actors in the energy sector. They have the task to supervise and regulate fair access to the energy system, among others, by ‘fixing or approving, in accordance with transparent criteria, transmission or distribution tariffs or their methodologies, or both’ (Article 59, Section 1 under a, Recast Electricity Directive).
Their tasks also include ensuring a high level of universal and public service obligations consistent with market opening, taking effective consumer protection measures and protecting vulnerable energy customers (Recital 86 Recast Electricity Directive). Furthermore, they should ensure “non-discriminatory access to customer consumption data, the provision, for optional use, of an easily understandable harmonised format at the national level for consumption data, and prompt access for all customers to such data pursuant to Articles 23 and 24 [of the Recast Electricity Directive]” (Article 59, Section 1, subsection t, Recast Electricity Directive). It is paramount that the national regulatory authorities in the energy sector are independent of the market parties and the government in the sense that they can autonomously perform their regulatory tasks shielded from any instructions or external interferences [56].

3.3.4. Rights concerning Consumer Data in the Recast Electricity Directive

Given the purpose of this contribution, the emphasis in this section will be on the interplay between the rights introduced by the Recast Electricity Directive concerning consumer data and the data protection rules in the GDPR. The Recast Electricity Directive repeatedly refers to the GDPR, emphasizing that the Directive must be interpreted and applied in accordance with the right to the protection of personal data and that the processing of personal data under the Directive must comply with the GDPR (see, e.g., Recital 91, Articles 19, 20 and 23 of the Recast Electricity Directive). However, the Directive does not elaborate on the exact relationship between the GDPR and the provisions concerning the processing of (including access to) consumer data in the electricity sector.
The Recast Electricity Directive puts a lot of emphasis on mandating and facilitating access to data by the consumers themselves. This mainly pertains to metering and consumption data from smart meters (Article 20, section a and e Recast Electricity Directive). The assumption in the Directive is that if consumers are provided with sufficient information, they will be able to get better insight into their energy use and the price they pay for it, allowing them to adjust their consumption patterns and make more informed choices about their energy contracts (see, e.g., Recitals 49 and 56 of the Recast Electricity Directive). In addition, by ensuring that consumers can access their consumption and metering data, the Recast Electricity Directive makes possible that consumers can benefit from added value services beyond the traditional supply of energy, including energy management systems (see, e.g., Article 19). The Recast Electricity Directive requires that access to data must be provided to the consumer at no additional cost (Article 23, Section 5, Recast Electricity Directive). Consumers also have the right to transmit metering and consumption data to another party (Article 20 section e and last paragraph, Recast Electricity Directive). This right will be discussed later in this paper, where this right will be compared with the right to data portability in the GDPR.
Consumers who participate in aggregation contracts are entitled to “receive all relevant demand response data or data on supplied and sold electricity free of charge at least once every billing period if requested by the customer” (Article 13, Section 3, Recast Electricity Directive).
The Recast Electricity Directive also includes provisions concerning consumer data that echo the data processing principles enshrined in the GDPR. For example, when regulating the right of consumers to use tools that compare the offers of different energy suppliers, the Directive explicitly states that the personal data requested by the price comparison tools must be strictly limited to the data necessary for the comparison (Article 14, Section 1 under h, Recast Electricity Directive). In the context of smart meters, the Recast Electricity Directive requires Member States to ensure the privacy and protection of consumers’ personal data in line with the GDPR (Article 20, section c, Recast Electricity Directive). Member States are also obliged to provide appropriate advice and information to consumers about the collection and processing of their personal data (Article 20, section f, Recast Electricity Directive).
The European Commission is designated to establish rules by means of implementing acts regarding non-discriminatory and transparent procedures for accessing meter and consumption data, data necessary for consumer switching, demand response and other services (Article 24, Section 2, Recast Electricity Directive). This is done through the advisory procedure referred to in Article 68, Section 2, Recast Electricity Directive [57].

3.3.5. Obligations and Responsibilities concerning Data Management

The EU Member States have the general duty to implement the Recast Electricity Directive in their national legislation and, therefore, are the main addressees of this legislation. As part of the rules organizing the EU electricity market, the Directive also provides specific obligations in the field of data management in this sector, which involve the processing of personal data. The emphasis of this section will be on these obligations.
The Recast Electricity Directive does not dictate which data management models should be applied in the electricity sector, but it does provide a number of basic requirements that must be observed by the Member States when designing their own data management model. The Recast Electricity Directive requires that the Member States ensure that all ‘eligible parties’ have access to data under transparent and non-discriminatory conditions (Article 23 Recast Electricity Directive). Article 23, Section 1 stipulates that the Member States (or their designated competent authorities) shall specify the rules on the access to consumer data of the final customer by eligible parties in accordance with the requirements laid down in Article 23 and the applicable EU legal framework. In particular, the Member States have to organize the management of data to ensure efficient and secure data access and exchange, as well as data protection and data security, and the processing of personal data must be carried out in compliance with the GDPR (Art. 23, Sections 2 and 3, Recast Electricity Directive).
The Directive understands ‘data’ to include metering and consumption data as well as data required for customer switching, demand response and other services (Article 23, Section 1). In the proposal for a Recast Electricity Directive initially drafted by the European Commission, Article 23 stated that ‘eligible parties’ should include at least customers (consumers), suppliers, TSOs, DSOs, aggregators, energy service companies and other parties which provide energy or other services to customers [58]. However, the final text of the Recast Electricity Directive does not include this list; thus, it will be for the Member States to define who can have access to consumer data.
Article 23 of the Recast Electricity Directive also lays down a few obligations for parties responsible for data management (also known as ‘data managers’). Section 2 of said Article requires that, regardless of the chosen data management model, the data managers must provide access to consumer data to any eligible party, following the data access rules laid down by the respective Member State. The data should be made available to the eligible parties “in a non-discriminatory manner and simultaneously” and access to data must be “easy and the relevant procedures for obtaining access to data shall be made publicly available” (Article 23, Section 2).
In case DSOs act as data managers in countries where smart metering systems have been rolled out, they should comply with certain additional requirements. Article 34 of the Recast Electricity Directive requires that the special compliance program dealing with the unbundling requirements established by DSOs (referred to in Article 35, Section 2 under d of the Directive) shall include specific measures to prevent discriminatory access to data by eligible parties.

3.4. Interactions and Possible Tensions between the Recast Electricity Directive and the GDPR

From the overview provided in the previous section, it is clear that the perspectives and the legal basis of the Recast Electricity Directive and the GDPR are very different. However, there are also certain overarching similarities in what the two regimes strive for. For example, in addition to laying down rules for the protection of personal data as a fundamental human right, the other objective of the GDPR concerns the free movement of personal data in the EU. This creates a quasi-internal market for personal data. At the same time, one of the aims of the Recast Electricity Directive is to establish an internal market for electricity. In this sense, these two legal frameworks come under the same internal market acquis of the European Union. The two legal frameworks also have in common that they strive to protect individuals in their role as consumers (under the Recast Electricity Directive) and their role as data subjects (under the GDPR).
Even though the analysed electricity and data protection legislation have some overarching similarities, there are also natural differences between the two frameworks. The GDPR is an EU Regulation, which applies across all sectors and Member States, without the need of transposition into national legislation. Moreover, laying down the rules for the proper processing of personal data is the core of the GDPR. The Recast Electricity Directive only applies to the electricity market and needs to be transposed into national legislation of the Member States. Provisions concerning the processing of personal data are not the main focus of the Directive but only a part of the rules governing the EU electricity market. Against this background, tensions and uncertainties may arise from the coexistence and simultaneous application of data protection and the electricity legislation that promotes innovation based on the processing of personal data. The next sub-sections refer to those tensions.

3.4.1. Technological Innovations Encouraged in the Energy Sector Might Not (Yet) Be Compatible with the GDPR

This first tension relates to the fact that certain innovations encouraged by the Recast Electricity Directive sometimes rely on technologies that raise questions regarding their compatibility with the GDPR. Take, for example, the case of P2P trading, when it is done using blockchain technology.
As mentioned earlier, P2P trading could play an important role in the energy transition as it enables energy consumers, making use of their rights as active consumers derived from the CEP, to share their surplus of energy with peers. P2P trading means that prosumers do not offer their energy surplus back to the market but to other comparable parties [24], for example, trading energy between households. Before P2P trading can be broadly adopted in the energy sector, a number of conditions must be met [59]. First of all, there must be enough prosumers who want to participate [60]. Second, a link must be made with the traditional energy market so that prosumers can also trade in this traditional market [60]. Third, the provision of data as the heart of P2P trading must be properly organized [60]. Fourth, a particular bidding system and pricing system must be established to trade in the P2P market [60]. Finally, a system must be developed that can display the current status of supply and demand [60].
Using blockchain technology, parties can trade energy with each other without having to make mutual agreements [59]. Special computer systems share information with each other based on which transactions can be established [59,61]. Because blockchain technology is decentralized, no intervention from intermediaries is required [59,62]. This intervention is provided by special computer systems that check the reliability of transactions.
While the legislation adopted under the CEP (in particular, the Recast Electricity Directive and the RED II) encourages the adoption of P2P trading, the use of blockchain for this purpose may create tensions with data protection law. One of the difficulties is that the GDPR is based on the assumption that responsibilities are bestowed and centralized on the data controller(s) and that data subjects can enforce their rights vis-à-vis the data controller(s) [63]. However, blockchain technology strives for decentralization and involves many players, complicating the allocation of responsibility and accountability for data processing and the application of the notion of (joint) controllership under the GDPR [63].
Furthermore, as explained in Section 3.2.3. of this contribution, a data subject derives a number of rights from the GDPR, including the right to be forgotten (erasure) and the right to rectification. However, the nature of blockchain technology is such that modifications to existing data are very difficult, if not impossible, to ensure the integrity of the data and increase trust [63,64]. Hence, it is unclear whether and how data subjects can invoke the rights to erasure and rectification in a blockchain. For this reason, the use of blockchain technology might not always be compatible with the GDPR [63,64]. At the moment, there are no legal provisions in the GDPR or in energy legislation that directly address this tension. The lack of legal certainty in this regard stands in the way of P2P trading enabled by blockchain in the energy sector [65]. A mechanism that could serve to give more clarity in this regard is provided in the GDPR. To ensure the consistent application of the GDPR, the EDPB is tasked with examining any questions on the application of the Regulation (on its own initiative or following a request by one of its members or the European Commission) and issuing guidelines, recommendations and best practices (Article 70, Section 1, (e), GDPR). In the meantime, technical solutions are being developed that can contribute to making blockchain technologies more in line with the GDPR, for example, by anonymizing the personal data involved in the transactions taking place in the blockchain context. Examples of these developments are ‘zero knowledge proofs’ (i.e., providing proof of a statement, without giving access to the underlying data), adding ‘noise’ to the data (i.e., grouping several transactions to make it impossible to distinguish the identity of the senders and recipients of the transactions), and editable blockchains [63].

3.4.2. Parallel Regimes for Access to Data in the GDPR and the Recast Electricity Directive

Consumers are natural persons whose data is processed in the electricity sector enjoy the rights granted to them by both the Recast Electricity Directive (as consumers) and the GDPR (as data subjects). These two legal instruments overlap to a certain extent when it comes to the right to retrieve and give access to smart metering data, which qualifies as personal data, creating uncertainty about the exact scope of the rights of consumers/data subjects in these provisions.
Article 20 of the Recast Electricity Directive grants consumers the right to receive (at their request) consumption data and data on the electricity that they feed into the grid generated by smart meters. Consumers can have access to this data themselves using a “standardized communication interface or through remote access” and can give access to other parties acting on their behalf (Article 20, section e, Recast Electricity Directive). The last paragraph of Article 20 of the Recast Electricity Directive specifies that it shall be possible for consumers to “retrieve their metering data or transmit them to another party at no additional cost and in accordance with their right to data portability under Union data protection rules” (emphasis added).
As previously mentioned, the right to data portability is one of the rights granted to the data subject under the GDPR. This right entitles a data subject to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller” (Article 20, GDPR). According to Art. 29 WP, the notion of data provided by the data subject to a controller includes both data that has been actively provided by the data subject and data that has been observed from the activity of data subjects, including data processed by smart meters [66]. The right to data portability can be invoked where the processing is carried out by automated means and is based on the legitimate grounds of consent or contract (Article 20, Section 1(a), GDPR). Where technically feasible, the data subject has the right to have the personal data transmitted directly to the new controller (Article 20, Section 2, GDPR).
There are important differences between the provisions in the Recast Electricity Directive concerning access to smart meter data and the provisions on the right to data portability in the GDPR. In some respects, the provisions in the Directive are further reaching and more protective of the consumer/data subject than those in the GDPR. For example, while the GDPR allows data controllers to charge data subjects a reasonable fee if their data portability requests are excessive, in particular, because of their repetitive character (Article 12, Section 5(a), GDPR), the Recast Electricity Directive states that no additional costs will be charged to the consumers for access to their data or for requests to make their data available (Article 20 last paragraph and Article 23, Section 5. See also [10]). In addition, while the right to data portability as conceived in the GDPR seems to be more suitable for one-off data sharing, the provisions on access to consumer data in the Recast Electricity Directive include the possibility of continuous data sharing (Article 20, section a. See also [10]).
Conversely, the Recast Electricity Directive can be more restrictive than the GDPR when it comes to the parties that can obtain access to the data of the consumer/data subject. The Recast Electricity Directive seems to limit the possibility of accessing consumer data to ‘eligible parties’ as determined by the Member States, which, given the scope of the Directive, will be predominantly actors in the energy sector. In contrast, the GDPR does not introduce any limitations concerning the new controller to which the data will be ported, allowing portability to occur within the same sector or across sectors [66].
The differences between the two regimes pose the question of how to interpret the Recast Electricity Directive when it states that access to smart metering data at the consumer’s request should be in accordance with the right to data portability (last paragraph of Article 20). Does this provision mean that the right to access smart meter data is inspired by the right to data portability introduced by the GDPR, but it is nevertheless regulated autonomously in the Directive? Or does it imply that the GDPR rules on the right to data portability apply next to the rules in the Recast Electricity Directive (as transposed in national legislation) when a consumer requests to have/give access to smart metering data?
The way in which this provision is interpreted can have consequences in terms of what consumers can expect and, correlatively, the requirements that parties responsible for data management have to fulfil.
For example, if a consumer makes repetitive requests to give access to their smart meter data to a third party, can the party responsible for data management charge a fee to the data subject based on the rules for the data portability right in the GDPR? Or does the Recast Electricity Directive take precedence, and consumers can never be charged for their requests even if they are repetitive? Another example: as previously mentioned, when transposing the Recast Electricity Directive, the Member States will have to determine which parties are eligible for access to consumer data. If a consumer requests that their smart metering data is shared with a party that is not included on the list adopted by the relevant Member State, is the party responsible for data management obliged to provide this data based on the broader scope of the GDPR’s right to data portability? Or can the data only be provided to the eligible parties specified by the Member State?
The guidelines on the right to data portability adopted by the Art 29 WP (and endorsed by the EDPB) attempt to provide some guidance in this regard. According to the Art. 29 WP, in cases where there is sector-specific legislation providing for some form of portability, if it is clear from the data subject’s request that they intend to exercise rights under the sectorial legislation rather than under the GDPR, then the provisions of the GDPR do not apply to this request [66]. If instead the request is clearly aimed at portability under the GDPR, “the existence of such specific legislation does not override the general application of the data portability principle to any data controller”, and it must be assessed in the specific case whether and to which extent the sectoral legislation affects the right to data portability [66] (p. 8). Hence, according to Art. 29 WP, the consumer’s intention will determine which regime takes precedence in a given case. This interpretation poses problems because, as noted by Graef, Husovec and van den Boom, “individual consumers will unlikely be aware of the consequences of basing their request either on the GDPR’s [right to data portability] or a sector-specific data access tool” [10] (p. 26). It is also relevant to note that the guidelines adopted by the Art. 29 WP are not legally binding, and the DPAs and judicial authorities might interpret the interaction between Article 20 of the Recast Electricity Directive and the GDPR differently [10]. Against this background, further clarification is required to delineate better the rights of consumers/data subjects and the obligations of parties responsible for data management under these two interrelated data sharing regimes. As at present, the exact implementation of the rules for access to consumer data in the electricity sector depends on the rules for data access laid down by the Member States, it would be welcomed if they address this issue in their national legislation. In particular, it would be important to clarify whether consumers can request that their smart metering data be transmitted directly to parties that are not included in the list of eligible parties adopted by the Member States. A broader interpretation would be more in line with the rights enshrined in the GDPR, which give more control to the individuals (data subjects/consumers) over their data, as well as with the aims of the European Union’s data strategy, which encourages cross-sectoral data sharing [67].

3.4.3. Overlapping Competences of the Supervisory Authorities

Both the Recast Electricity Directive and the GDPR provide the basis for creating an independent authority that supervises the compliance with each of these legal frameworks. In the electricity sector, the national regulatory authorities supervise whether the market actors comply with the regulations applicable to the electricity market, including the rules concerning the management and exchange of consumer data that should implement the relevant provisions of the Recast Electricity Directive (Chapter VII, Recast Electricity Directive). In the field of data protection law, the national Data Protection Authorities (DPAs) (Chapter VI, GDPR) are responsible for supervising compliance with the GDPR, including in the electricity sector.
The coexistence of the rules from the electricity sector with those of the GDPR, in particular the rules concerning access to consumer data, might lead to situations in which both supervisory authorities are competent, as will be explained. The Recast Electricity Directive tasks the national regulatory authorities with “ensuring non-discriminatory access to customer consumption data […] and prompt access for all customers to such data pursuant to Articles 23 and 24” (Article 59, Section 1(t)). In turn, the GDPR tasks the DPAs with monitoring and enforcing the application of its rules, and it gives DPAs the power of (among others) ordering data controllers or processors to comply with requests from the data subjects to exercise the rights pursuant to the GDPR, including the right to data portability above referred.
As mentioned in the preceding section, the Recast Electricity Directive acknowledges that the possibility that consumers have to retrieve their smart meter data or transmit this data to other parties ought to be in accordance with the right to data portability enshrined in the GDPR. This poses the question of what happens if the entity responsible for managing smart meter data refuses access to this data by the consumers themselves or by third parties authorized by the consumers. Which authority should respond to this situation? Does the national regulatory authority (energy regulator) exercise its powers under the Recast Electricity Directive? The DPA in the exercise of its powers to enforce the GDPR’s right to data portability? Or are both authorities competent to investigate and take enforcement actions separately?
The Recast Electricity Directive does not settle this point. It merely states that the national regulatory authorities must fulfil their duties in close consultation and cooperation with other relevant national authorities while preserving their independence and without prejudice to their specific competencies (Article 58, first paragraph and Article 59, Section 2, second paragraph). On the other hand, the GDPR provides mechanisms to organize and facilitate cooperation between DPAs of different Member States (see in particular Chapter VII of the GDPR), but not between DPAs and the authorities supervising other regulatory domains such as the energy sector. The GDPR does, however, include among the tasks and powers of the DPAs the possibility of giving advice and issuing opinions to the national parliaments, governments, other institutions and the general public on any issue related to the protection of personal data (Article 57, Section 1c) and Article 58, Section 3b).
Some Member States have taken measures at the national level to facilitate cooperation between the energy regulator and the DPA. For example, in the Netherlands, the Dutch DPA (Autoriteit Persoonsgegevens—AP) and the national regulatory authority (Autoriteit Consument en Markt—ACM) have adopted a Cooperation Protocol that lays down basic principles and agreements for situations in which the authorities have concurrent powers or related tasks, i.e., in matters subject to the supervision of the ACM in which personal data is processed [68]. The Cooperation Protocol lays down conditions for the exchange of information between the two authorities (Chapter 3), as well as provisions that guide how to proceed when there is a concurrence of powers (Chapter 4). The Cooperation Protocol provides that the ACM and the AP have to consult with each other about the exercise of their powers and decide whether and in which cases joint action is desirable (Article 9, Sections 1 and 2 of the Cooperation Protocol). Following the Protocol, ACM will focus on cases where the main emphasis is placed on applying its legal tasks, while the AP will focus primarily on cases where the main emphasis is placed on applying the GDPR (Article 9, Sections 3 and 4). Moreover, the Protocol provides that the ACM and AP will prevent as much as possible that a supervisee is addressed separately for the same subject simultaneously (Article 9, Section 5); it also requires ACM to refer interested parties to the AP for cases that exclusively or predominantly refer to the application of the GDPR and vice versa, when the matter exclusively or predominantly concerns the application of the issues supervised by the ACM. The Protocol also requires that the ACM and the AP explain the terms from the legal rules supervised by them are explained consistently as far as possible and that they consult each other whenever there is uncertainty about a term. (Article 13 of the Cooperation Protocol). Finally, the two supervisory authorities can “mutually advise on the application of specific laws and regulations that the parties supervise in each other’s cases” (Article 14, Section 3).
At the EU level, the European Data Protection Supervisor (EDPS) has proposed a so-called “Digital Clearing House” [69], a voluntary network of regulatory authorities involved in the supervision of digital markets, focusing on consumer law, competition law and personal data protection. The ultimate aim of the Digital Clearing House is facilitating dialogue, cooperation and exchange of good practices between the different regulatory authorities to “achieve a better and more coherent protection of individuals in an era of big data and artificial intelligence” [70]. The proposal was well-received, and several meetings have already occurred [71]. This initiative could be extended to include national regulatory authorities from the energy sector, considering that the sector is becoming more digitalized and data-driven.
Initiatives like those described here are welcomed to facilitate institutional coordination between the supervisory authorities. Lack of cooperation between the national regulatory authorities and the DPAs could lead to situations in which neither authority intervenes or each of them decides to intervene without taking into account the competences of the other. In addition, if both types of supervisory authorities do not consult with each other, they might interpret differently the concepts, rights and obligations arising from each other’s legal framework, creating uncertainty for the supervisees and the consumers/data subjects.

4. Discussion and Conclusions

Data-driven innovations play a crucial role in realizing the energy transition. This has been acknowledged by the legislation adopted under the CEP, most notably, by the Recast Electricity Directive examined in this contribution. This Directive furthers the efforts started by the Third Energy Package to improve the energy system and increase energy efficiency with the help of smart meters. These devices can provide detailed information on how much and when electricity is used or fed into the grid by consumers and prosumers. Smart meter data can be used by the consumers/prosumers themselves to get insight into their consumption and self-generation and benefit from energy services and other services based on this data. Smart meter data can also be used by network operators to predict energy demand and improve capacity planning.
The use of smart meters enables the emergence of innovations in the electricity sector, such as smart grids, prosumers and Peer-to-Peer trading. These developments rely on the processing of personal data, triggering the application of the rules for the protection of personal data enshrined in the GDPR, in addition to the rules organizing and regulating the electricity market in the EU, particularly the Recast Electricity Directive.
The research presented in this article investigates what kinds of tensions may arise from the coexistence of these two legal regimes and whether there are mechanisms in place to prevent or mitigate such tensions. To understand the interaction between these two frameworks, the article first provided an overview of the objectives, actors, principles, rights and obligations present in the Recast Electricity Directive and the GDPR. Then it moved to identify three tensions that are illustrative of the challenges arising from the interaction between these two legal frameworks.
The first tension lies in the fact that some of the innovations facilitated by smart metering in the energy sector rely on technologies that might not (yet) be entirely compatible with the GDPR. This was illustrated in this contribution with the example of using blockchain technology for P2P trading. The characteristics of blockchain-based technologies may be in tension with some of the basic notions (e.g., the notion of controllership) and rights (e.g., the rights to erasure and rectification) set out in the GDPR. Therefore, more clarity regarding how the blockchain can be used in a way that is compliant with the GDPR is necessary before the blockchain technology can be used on a large scale in the energy sector. A possible mechanism to address this can be found in the GDPR, which gives the EDPB the possibility of adopting guidelines, recommendations or good practices to ensure consistent Regulation application. In addition, technical solutions such as ‘zero knowledge proofs’ and editable blockchains can enhance the compatibility of blockchain with the GDPR.
A second tension follows from the existence of separate but interrelated regimes for access to data of the consumer/data subject in the Recast Electricity Directive and the GDPR. The Directive gives consumers the right to retrieve and to give third parties access to smart metering data, in accordance with their right to data portability. It is unclear how to interpret this reference to the right to data portability regulated in the GDPR, considering that there are important differences between this regime and the provisions for access to smart meter data in the Recast Electricity Directive. In other words, it is unclear to which extent the parties responsible for data management in the electricity sector should also apply the rules laid down in the GDPR next to the rules in the Recast Electricity Directive and which regime takes precedence in case of conflicts. Further clarification is required to delineate better the rights of consumers/data subjects and the obligations of parties responsible for data management under these two interrelated data sharing regimes.
The third tension points at an institutional aspect. The Recast Electricity Directive and the GDPR have their own independent supervisory authorities: the national regulatory authority and the DPA, respectively. The coexistence of the rules from the electricity sector with the GDPR, particularly the provisions on access to consumer data, might lead to an overlap of the competences of both supervisory authorities. The adverse outcome of this tension could be that neither authority intervenes or that each authority interprets the rules differently, considering the different focus and expertise of both authorities. Coordination between the exercise of powers and the interpretation of overlapping powers and concepts is, therefore, needed to ensure there will be no enforcement gap and that data protection rules are applied consistently. Currently, the Recast Electricity Directive and the GDPR do not provide clear coordination mechanisms between national regulatory authorities and the DPAs. As the energy sector becomes increasingly dependent on the processing of personal data, it is important that policymakers further their efforts to strengthen the connection between the sectoral legislation and the general legal framework applicable to the processing of personal data.

Author Contributions

Conceptualization: S.L.; methodology: S.L. and B.E.A.; investigation: T.ten C.; analysis: B.E.A., S.L. and T.t.C.; writing—original draft preparation: S.L., T.t.C. and B.E.A.; writing—review and editing: S.L. and B.E.A.; supervision: S.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by Next Generation Infrastructures (NGInfra) and the Dutch Research Council—NWO (Responsive Innovations Program), grant number 439 16 807. The APC was funded by Tilburg University.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Drective (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on Common Rules for the Internal Market for Electricity and Amending Directive 2012/27/EU. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32019L0944 (accessed on 21 July 2021).
  2. Lavrijssen, S.; Carrillo Parra, A. Radical prosumer innovations in the electricity sector and the impact on prosumer regulation. Sustainability 2017, 9, 1207. [Google Scholar] [CrossRef] [Green Version]
  3. Zheng, J.; Lin, L.; Gao, D.W. Smart Meters in Smart Grid: An Overview. In Proceedings of the 2013 IEEE Green Technologies Conference (GreenTech), Denver, CO, USA, 4–5 April 2013; pp. 57–64. Available online: https://www.semanticscholar.org/paper/Smart-Meters-in-Smart-Grid%3A-An-Overview-Zheng-Gao/20a2f433d64a6dd35311c338e21e33c78395d590 (accessed on 20 December 2021).
  4. European Commission. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Towards a Thriving Data-Driven Economy. 2014. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52014DC0442 (accessed on 21 July 2021).
  5. Knyrim, R.; Trieb, G. Smart metering under EU data protection law. Int. Data Priv. Law 2011, 1, 121–128. [Google Scholar] [CrossRef]
  6. Huhta, K. Smartening up while keeping safe? Advances in smart metering and data protection under EU law. J. Energy Nat. Resour. Law 2020, 38, 5–22. [Google Scholar] [CrossRef]
  7. Espinosa Apráez, B.; Lavrijssen, S. Exploring the regulatory challenges of a possible rollout of smart water meters in the Netherlands. Compet. Regul. Netw. Ind. 2018, 19, 159–179. [Google Scholar] [CrossRef] [Green Version]
  8. Working Party Article 29. Opinion 12/2011 on Smart Metering (WP183). 2011. Available online: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp183_en.pdf (accessed on 28 July 2021).
  9. Working Party 29. Working Document 01/2016 on the Justification of Interferences with the Fundamental Rights to Privacy and Data Protection through Surveillance Measures When Transferring Personal Data (European Essential Guarantees). 2016. Available online: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2016/wp237_en.pdf (accessed on 27 July 2021).
  10. Graef, I.; Husovec, M.; Van den Boom, J. Spill-overs in data governance: Uncovering the uneasy relationship between the GDPR’s right to data portability and EU sector-specific data access regimes. J. Eur. Consum. Mark. Law 2020, 9, 3–16. [Google Scholar] [CrossRef]
  11. Smits, J. What is Legal Doctrine? On the Aims and Methods of Legal-Dogmatic Research. In Rethinking Legal Scholarship: A Transatlantic Dialogue; Van Gestel, R., Micklitz, H.-W., Rubens, E., Eds.; Cambridge University Press: Cambridge, UK, 2017; pp. 207–228. [Google Scholar]
  12. Taekema, S.; Van der Burg, W. Legal Philosophy as an Enrichment of Doctrinal Research. Part I: Introducing Three Philosophical Methods. Law Method 2020, 1, 1–20. [Google Scholar] [CrossRef] [Green Version]
  13. Van Hoecke, M. Legal Doctrine: Which Method(s) for What Kind of Discipline? In Methodologies of Legal Research: What Kind of Method for What Kind of Discipline? Van Hoecke, M., Ed.; Hart Publishing: London, UK, 2011; pp. 1–18. [Google Scholar]
  14. Lavrijssen, S.A. Power to the energy consumers. Eur. Energy Environ. Law Rev. 2017, 26, 172–187. [Google Scholar] [CrossRef]
  15. Custers, B.; Sears, A.M.; Dechesne, F.; Georgieva, I.; Tani, T.; Van der Hof, S. Introduction—The Netherlands. In EU Personal Data Protection Policy and Practice; Information Technology and Law Series; Asser Press: The Hague, The Netherlands, 2019; Volume 29, pp. 17–47. [Google Scholar]
  16. Purtova, N. The law of everything Broad concept of personal data and future of EU data protection law. Law Innov. Technol. 2018, 10, 40–81. [Google Scholar] [CrossRef]
  17. Skjølsvold, T.M.; Ryghaug, M. Transforming Society Through Pilot and Demonstration Projects. In Pilot Society and the Energy Transition—The Co-Shaping of Innovation, Participation and Politics, 1st ed.; Palgrave Pivot: London, UK, 2021; pp. 1–22. [Google Scholar]
  18. Hoppe, T.; de Vries, G. Social innovation and the energy transition. Sustainability 2019, 11, 141. [Google Scholar] [CrossRef] [Green Version]
  19. Raad voor de Leefomgeving en Infrastructuur 2021. Digitaal Duurzaam, The Hague. Digital Version; Available online: https://www.rli.nl/sites/default/files/rli_2021-02_digitaal_duurzaam_-_defintiief_advies.pdf (accessed on 21 July 2021).
  20. European Commission. Flexiblity Markets. Available online: https://ec.europa.eu/energy/topics/technology-and-innovation/flexibility-markets_en. (accessed on 19 July 2021).
  21. Huang, Q.; Jing, S.; Yi, J.; Zhen, W.; Jing, S. Introduction. In Innovative Testing and Measurement Solutions for Smart Grid; John Wiley & Sons, Ltd.: Singapore, 2015; pp. 1–10. [Google Scholar]
  22. Bush, S.F. Part One Electric Power Systems: The Main Component. In Smart Grid: Communication-Enabled Intelligence for the Electric Power Grid; John Wiley & Sons, Ltd.: West Sussex, UK, 2014; pp. 3–183. [Google Scholar]
  23. European Commission. Recommendation of 9 March 2012 on Preparations for the Roll-Out of Smart Metering System (2012/148/EU). 2012. Available online: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32012H0148 (accessed on 13 December 2021).
  24. Zhang, C.; Wu, J.; Long, C.; Cheng, M. Review of Existing Peer-to-Peer Energy Trading Projects. Elsevier Energy Procedia 2017, 105, 2563–2568. [Google Scholar] [CrossRef]
  25. Glachant, J.M.; Rossetto, N. A new world for electricity transactions: Peer-to-Peer and Peer-to-X. In Robert Schuman Centre for Advanced Studies Research Paper; RSC Working Paper 2021/56; European University Institute: San Domenico di Fiesole, Italy, 2021; pp. 1–15. [Google Scholar]
  26. Directive (EU) 2018/2001 of the European Parliament and of the Council of 11 December 2018 on the Promotion of the Use of Energy from Renewable Sources (Recast). Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.328.01.0082.01.ENG (accessed on 13 December 2021).
  27. CEER. CEER Report on Innovative Business Models and Consumer Protection Challenges. 2021. Available online: https://www.ceer.eu/documents/104400/-/-/44055630-31dc-d3da-386a-a6edfec24eb1 (accessed on 13 December 2021).
  28. Correa-Florez, C.A.; Michiorri, A.; Kariniotakis, G. Robust optimization for day-ahead market participation of smart-home aggregators. Appl. Energy 2018, 229, 433–445. [Google Scholar] [CrossRef] [Green Version]
  29. Iria, J.; Scott, P.; Attarha, A. Network-constrained bidding optimization strategy for aggregators of prosumers. Energy 2020, 2017, 118266. [Google Scholar] [CrossRef]
  30. Article 8 of the Charter of Fundamental Rights of the European Union. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT (accessed on 1 November 2021).
  31. Article 16 of the Consolidated Version of the Treaty on the Functioning of the European Union. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012E%2FTXT (accessed on 1 November 2021).
  32. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation). Available online: https://eur-lex.europa.eu/eli/reg/2016/679/oj (accessed on 1 November 2021).
  33. Working Party Article 29. Opinion 4/2007 on the Concept of Personal Data (WP 136). 2007. Available online: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf (accessed on 21 July 2021).
  34. Lambert, P. EU Data Protection Concepts. In Understanding the New European Data Protection Rules; CRC Press: Boca Raton, FL, USA, 2017; pp. 61–81. [Google Scholar]
  35. DPB. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (Version 2.0). 2020. Available online: https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf (accessed on 1 November 2021).
  36. González, E.G.; De Hert, P. Understanding the legal provisions that allow processing and profiling of personal data—An analysis of the GDPR provisions and principles. ERA Forum 2019, 19, 597–621. [Google Scholar] [CrossRef] [Green Version]
  37. Zardiashvili, L.; Dechesne, F. Consumer Control of Energy Data: The Need for the Consent Management Mechanism in the Energy Sector of the Netherlands and Roadblocks Related to its Implementation. Report on Consumer Control of Energy Data. 2019. Available online: https://www.universiteitleiden.nl/binaries/content/assets/rechtsgeleerdheid/instituut-voor-metajuridica/scales/roadblocks-to-implementing-consent-management-mechanism-in-dutch-energy-sector.pdf (accessed on 14 August 2021).
  38. Autoriteit Persoonsgegevens. Verstrekken Van Persoonsgegevens. Available online: https://autoriteitpersoonsgegevens.nl/nl/over-privacy/persoonsgegevens/verstrekken-van-persoonsgegevens (accessed on 22 April 2021).
  39. Court of Justice of the European Union. European Commission v Republic of Austria, C-614/10, ECLI:EU:C:2012:631, Par. 58–65. 2012. Available online: https://eur-lex.europa.eu/legal-content/nl/TXT/?uri=CELEX:62010CJ0614 (accessed on 29 July 2021).
  40. Langlet, D.; Mahmoudi, S. Climate and Energy. In EU Environmental Law and Policy, 1st ed.; Oxford Scholarship Online: Oxford, UK, 2016; pp. 253–282. [Google Scholar]
  41. Sovacool, B.K.; Dworking, M.H. Energy justice: Conceptual insights and practical applications. Appl. Energy 2015, 142, 435–439. [Google Scholar] [CrossRef]
  42. Tundel, J. Europäisches Energierecht. In Christian Theobald and Jürgen Kühling, Energierecht, 111th ed.; C.H.Beck: München, Germany, 2021. [Google Scholar]
  43. European Commission. Clean Energy for All Europeans Package. Available online: https://ec.europa.eu/energy/topics/energy-strategy/clean-energy-all-europeans_en (accessed on 13 December 2021).
  44. Directive 2009/72/EC of the European Parliament and of the Council of 13 July 2009 Concerning Common Rules for the Internal Market in Electricity and Repealing Directive 2003/54/EC. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32009L0072 (accessed on 19 July 2021).
  45. Edens, M.; Lavrijssen, S. Balancing Public Values during the Energy Transition—How Can German and Dutch DSOs Safeguard Sustainability? Energy Policy 2019, 128, 57–65. [Google Scholar] [CrossRef]
  46. Jenkins, K.E.H. Energy Justice, Energy Democracy and Sustainability: Normative approaches to the Consumer Ownership of Renewables. In Energy Transition: Financing Consumer Co-Ownership in Renewables; Lowitzsch, J., Ed.; Palgrave Macmillan: Cham, Switzerland, 2019; pp. 79–97. [Google Scholar]
  47. Lavrijssen, S.; Vitez, B. The energy transition: Democracy, justice and good regulation of the heat markets. Energies 2020, 13, 1088. [Google Scholar]
  48. Van Veelen, B.; Van der Horst, D. What is energy democracy? Connecting social science energy research and political theory. Energy Res. Soc. Sci. 2018, 46, 19–28. [Google Scholar] [CrossRef] [Green Version]
  49. Cseres, K.J. The Active Energy Consumer in EU Law. Eur. J. Risk Regul. 2018, 9, 227–244. [Google Scholar] [CrossRef] [Green Version]
  50. Leal-Arcas, R.; Lesniewska, F.; Proedrou, F. Prosumers: New Actors in EU Energy Security. In Netherlands Yearbook of International Law 2017; Amtenbrink, F., Prévost, D., Wessel, R., Eds.; Asser Press: The Hague, The Netherlands, 2018; Volume 48, pp. 139–172. [Google Scholar]
  51. Bauwens, T.; Huybrechts, B.; Dufays, F. Understanding the Diverse Scaling Strategies of Social Enterprises as Hybrid Organizations: The Case of Renewable Energy Cooperatives. Organ. Environ. 2020, 33, 195–219. [Google Scholar] [CrossRef] [Green Version]
  52. Huybrechts, B.; Haugh, H. The Roles of Networks in Institutionalizing New Hybrid Organizational Forms: Insights from the European Renewable Energy Cooperative Network. Organ. Stud. 2018, 39, 1085–1108. [Google Scholar] [CrossRef]
  53. Boscán, L.; Poudineh, R. Flexibility-Enabling Contracts in Electricity Markets. Oxford Energy Comment. 2016. Available online: https://www.oxfordenergy.org/wpcms/wp-content/uploads/2016/07/Flexibility-Enabling-Contracts-in-Electricity-Markets.pdf (accessed on 28 April 2021).
  54. Lavrijssen, S. Waarborgen voor de Energieconsument in de Energietransitie. 2016. Available online: https://www.vemw.nl/~/media/VEMW/Downloads/Public/Nieuwtjes/Oratie%20Lavrijssen%20compleet%202016.ashx (accessed on 9 July 2021).
  55. Court of Justice of the European Union. European Commission v Fedral Republic of Germany. C-518/07, ECLI:EU:C:2010:125, par. 30. 2010. Available online: https://eur-lex.europa.eu/legal-content/NL/ALL/?uri=CELEX%3A62007CJ0518 (accessed on 29 July 2021).
  56. Court of Justice of the European Union. European Commission v Federal Republic of Germany, C-718/18, ECLI:EU:C:2021:662. 2021. Available online: https://curia.europa.eu/juris/document/document.jsf?text=&docid=245521&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=6247376 (accessed on 27 October 2021).
  57. For the Procedure: See Article 4 of Regulation 182/2011 of the European Parliament and of the Council of 16 February 2011 Laying down the Rules and General Principles Concerning Mechanisms for Control by Member States of the Commission’s Exercise of Implementing Powers. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32011R0182&rid=1 (accessed on 26 October 2021).
  58. European Commission. Proposal for a Directive of the European Parliament and of the Council on Common Rules for the Internal Market in Electricity (Recast) COM/2016/0864 Final/2-2016/0380 (COD). 2016. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52016PC0864R%2801%29 (accessed on 27 October 2021).
  59. Thukral, M.K. Emergence of blockchain-technology application in peer-to-peer electrical-energy trading: A review. Clean Energy 2021, 5, 104–123. [Google Scholar] [CrossRef]
  60. Mengelkamp, E.; Gärttner, J.; Rock, K.; Kessler, S.; Orsini, L.; Wheihardt, C. Designing microgrid energy markets: A case study: The Brooklyn Microgrid. Appl. Energy 2018, 210, 870–880. [Google Scholar] [CrossRef]
  61. Wattenhofer, R. The Science of the Blockchain, 1st ed.; CreateSpace Independent Publishing Platform: California, CA, USA, 2016. [Google Scholar]
  62. Mohanta, B.K.; Jena, D.; Panda, S.S.; Sobhanayak, S. Blockchain technology: A survey on applications and security privacy challenges. Internet Things 2019, 8, 100–107. [Google Scholar] [CrossRef]
  63. European Parliament. Blockchain and the General Data Protection Regulation Can distributed Ledgers Be Squared with European Data Protection Law? 2019. Available online: https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf (accessed on 15 September 2021).
  64. de Almeida, L.; Cappelli, V.; Klausmann, N.; Soest, H. Peer-to-Peer Trading and Energy Community in the Electricity Market—Analysing the Literature on Law and Regulation and Looking Ahead. EUI RSC, 2021/35, Florence School of Regulation, [Electricity]. 2020. Available online: https://cadmus.eui.eu/handle/1814/70457 (accessed on 27 October 2021).
  65. Lang, M.; Müller, M. Blockchain and Smart Contracts in the Energy Industry: A European Perspective. Int. Min. Oil Gas Law Dev. Investig. 2019, 17b-1, 1–17. [Google Scholar]
  66. Working Party Article, 29. Guidelines on the Right to Data Portability (WP242). 2016. Available online: https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_en_40852.pdf (accessed on 27 October 2021).
  67. European Commission. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data. COM, 66 Final. 2020. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1593073685620&uri=CELEX%3A52020DC0066 (accessed on 27 October 2021).
  68. Staatscourant van het Koninkrijk der Nederlanden. Samenwerkingsprotocol Tussen Autoriteit Consument en Markt en Autoriteit Persoonsgegevens. 2020. Available online: https://zoek.officielebekendmakingen.nl/stcrt-2020-36741.html#n1 (accessed on 27 October 2021).
  69. EDPS. EDPS Opinion on Coherent Enforcement of Fundamental Rights in the Age of Big Data. 2016. Available online: https://edps.europa.eu/sites/edp/files/publication/16-09-23_bigdata_opinion_en.pdf (accessed on 27 October 2021).
  70. Digital Cleaning House. Available online: https://www.digitalclearinghouse.org/ (accessed on 27 October 2021).
  71. EDPS. Big Data & Digital Clearinghouse. Available online: https://edps.europa.eu/data-protection/our-work/subjects/big-data-digital-clearinghouse_en (accessed on 27 October 2021).
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Lavrijssen, S.; Espinosa Apráez, B.; ten Caten, T. The Legal Complexities of Processing and Protecting Personal Data in the Electricity Sector. Energies 2022, 15, 1088. https://doi.org/10.3390/en15031088

AMA Style

Lavrijssen S, Espinosa Apráez B, ten Caten T. The Legal Complexities of Processing and Protecting Personal Data in the Electricity Sector. Energies. 2022; 15(3):1088. https://doi.org/10.3390/en15031088

Chicago/Turabian Style

Lavrijssen, Saskia, Brenda Espinosa Apráez, and Thijs ten Caten. 2022. "The Legal Complexities of Processing and Protecting Personal Data in the Electricity Sector" Energies 15, no. 3: 1088. https://doi.org/10.3390/en15031088

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop