French watchdog warns energy firms over Linky data

French data privacy commission la Commission Nationale de l'Informatique et des Libertés (CNIL) announced its terms today (Tuesday February 11).

It said it had given Engie and EDF three months to ensure their Linky smart meter data collection processes were legal, and reminded the companies that clients must be able to “maintain control over their data”.

Both firms were found to have failed to gain explicit consent to collect data for two different uses, and for keeping said data for too long.

In a press release, the CNIL said the companies had been “given formal warning...due to not respecting certain requirements in relation to getting explicit consent for collection of consumption data from Linky smart meters, as well as keeping consumption data for an excessive amount of time”.

Linky smart meters - which automatically collect energy use data and transmit it to the energy company to remove the need for manual readings - have been criticised for what some see as their potential to reveal personal data and information about the connected household.

The CNIL continued: “Detailed consumption data may reveal information on people’s private lives (time they get up and go to bed, periods of absence, the number of people living in the property). It is therefore essential that clients are able to maintain control over their data.”

The CNIL said the law requires companies to obtain “specific consent” for each new kind of data collection, but that the companies had not done this.

It said: “It was established that EDF and Engie collect ‘implicit’ consent for two very different operations; a meter display of daily consumption, and a display of consumption every half-hour [the latter of which was judged to be much more intrusive].”

It conceded that EDF and Engie do “collect effective consent from users” but this is “neither specific nor obvious enough”. The method of gathering consent via one simple “checkbox” form for both metrics could “mislead the user”, and mean that their consent may not constitute “informed consent” as required by law, it said.

Lastly, the CNIL found that the “time of record keeping [of consumption data] was often too long, when considered in context with the reasons for which the data is taken”.

Under law, companies are normally only allowed to keep personal data for as long as they have a genuine, ongoing use for it - and are only permitted to use the data for the exact reason it was initially collected.

Under GDPR rules, which came into force in May 2018, companies must obtain explicit consent (such as an “opt in”, rather than “opt out”) to collect and use personal data, and it must be “freely given, informed, and unequivocal”.