Smart meter data is personal data. DISCOMs should ensure its privacy and security and be ready to comply with the upcoming data protection law
The Ministry of Power (MoP) is planning to replace 250 million conventional electricity meters in Indian homes with smart meters by 2022 under the Smart Meter National Programme. Smart meters can potentially improve distribution companies (DISCOM) finances by automatically generating bills and ensuring timely payment by providing deterrence through remote disconnections of defaulters. This is one of the many initiatives by MoP to address the multiple long-standing issues of the sector, exacerbated by the ongoing pandemic.
About 2.1 million smart meters have already been installed and are operational across the country, while another 9.1 million are under deployment, creating an urgent need to transparently document and thoroughly analyse the experience of deploying such a large number of smart meters. This article highlights one such aspect — the issue of data privacy.
Beyond automated billing and remote disconnections, smart meters can also collect granular electricity consumption data of consumers every half an hour, or even less. This data, if used effectively, can help DISCOMs plan distribution infrastructure, power purchase, and offer value added services to the consumers, further improving DISCOM finances.
However, such high frequency consumption data collected by smart meters also has the potential to reveal private details of consumers like household occupancy patterns, appliance ownership and usage patterns, and even entertainment habits and preferences through analysis and inference.
The Supreme Court has already upheld the right to privacy as a fundamental right, therefore using and sharing such personal consumption data without adequate safeguards and appropriate consent would be tantamount to violation of the same. Furthermore, less secure data management and sharing systems can also expose this data to unlawful activities like burglary, stalking, surveillance, among other things. In other parts of the world, these privacy and security concerns are being addressed through a smart meter specific data protection framework that complements the general data protection framework.
This raises two questions in the Indian context: How effective are the current mechanisms to ensure data security and privacy of existing meters; and how prepared are the DISCOMs to comply with the rules and regulations of the upcoming Personal Data Protection Act. The answers to these questions are largely negative.
The Information Technology Act 2000 (IT Act) along with the 2011 rules on “reasonable security practices and procedures and sensitive personal data or information” by definition, apply to both smart meter data and consumer billing data from ordinary meters. But there is no public information on the DISCOMs’ compliance with the IT Act.
Furthermore, the Central Electricity Authority (CEA), a statutory body that advises the government on technical and policy matters related to electricity, has issued detailed functional requirements of an Advanced Metering Infrastructure (AMI). These guidelines, which have been adopted verbatim in some of the smart meter implementation contracts by the DISCOMs, have no requirements related to consumer privacy.
On the positive side, the standard bidding documents released by MoP, for hiring AMI service providers, do include privacy related provisions. However, we are yet to find its adoption by DISCOMs. Finally, even though the current smart meter data protection mechanisms may be lax, it can change significantly once the Personal Data Protection (PDP) Bill 2019 is enacted.
In order to strike a balance between utilising the economic value of personal data and upholding an individual’s Right to Privacy, the government tabled the PDP Bill 2019. This crucial bill is currently before the Joint Parliamentary Committee and only a few steps away from becoming the law. In fact, provisions akin to those in the PDP bill have already started applying to other sectors such as public health through the National Health Data Management Policy.
The PDP bill, once enacted, will replace the aforementioned provisions of IT Act and bring all consumer data with the DISCOMs, including monthly billing and high frequency smart meter data, under its ambit. DISCOMs, with or without smart meters, would then have the onerous task of ensuring that internal handling of such data as well as all its third party engagements do not violate individual privacy.
Moreover, under the new law, a Data Protection Authority (DPA) would be appointed as the data regulator and DISCOMs would be bound by its regulations. The penalties under the law in case of non-compliance are significantly high, running up to 4 per cent of the annual global turnover. The proposed DPA will also possibly develop sector specific regulations in consultation with the sector regulators.
The electricity sector specific regulations need to be based on a comprehensive data protection framework, developed specifically for smart meter data. Such a framework should clearly identify the type of data that can be collected through smart meters, duration of storage and specific uses of the data as mandated or permitted under the Electricity Act 2003. It should delineate an appropriate consumer consent framework in accordance with the type of data collected and the specific uses.
Given the rapid pace of smart meter installation, MoP should urgently develop such a framework in consultation with CEA, central and state regulators, DISCOMs, smart meter manufacturers, civil society organisations and other stakeholders and publish it in the form of a white paper.
MoP should also solicit for wider public comments on the same. This framework can be a good starting point for the proposed DPA to deliberate with electricity regulators to evolve specific regulations. Meanwhile, it will be prudent on DISCOMs’ part to understand their role as data custodians and start building the internal capacity to safeguard consumer privacy in both consumer as well as DISCOM’s mutual interest.