energy data privacy presentation

Privacy in Energy Usage Data: Legal Landscape and Best Practices

Brian Orion, Lawyers for Clean Energy

Cleanweb San Francisco

January 26, 2015

Upload: brian-orion

Post on 15-Apr-2017



Overview

•  Increasing need to share energy data

•  Privacy Issues with sharing energy data

•  Best practices to address privacy challenges

Robust Energy Usage Data

Source: EPRI

Sharing Energy Data Supports...

•  Customer savings

• Third party service providers

• Utility planning and grid management

• City / local government program implementation

•  Research institution study of energy policies

Challenge

• How to encourage open data and innovation while protecting customer privacy?

• Many questions:

•  What type of customer data can be released?

•  To whom?

•  For what purpose?

•  For how long?

•  Under what restrictions?

Privacy Issues with Energy Data

• Customer information (“Personally Identifiable Information”)

•  Name, address, account number, SSN, etc.

•  Prevent identity theft

• Customer behavior:

•  Marketers

•  Criminals

•  Law enforcement

Does it really matter?

90% Chance of String Cheese

Hack ‘em, Danno

Source: San Diego U-T

Big Brother Wants Your Data

Source: SDG&E Annual Privacy Report, 2013

Requestor | Records Released (SDG&E 2013)
DEA | 1,859
ICE (Homeland Security) | 795
FBI | 145
IRS | 28
. . . | . . .
Total | 3,019

Who Is At Risk?

• Utilities

• Service providers

• Smart device makers

• Solar providers

• Energy storage providers

• EV companies

• Governments

• Researchers

• Whole smart grid ecosystem...

Best Practices to Address Privacy

• No federal laws

•  Federal government acting as facilitator

•  DOE working groups

• States making the rules

•  California

•  Colorado

•  Texas

•  Oklahoma

•  Illinois

DOE Voluntary Code of Conduct

• Notice

• Consent

• Access

• Security

• Self-Governance and Redress

•  Notice that explains to customers:

•  What data is collected

•  How data is used

•  With whom shared

•  When sharing okay without consent

DOE Voluntary Code of Conduct

• Notice

• Consent

• Access

• Security

• Self-Governance and Redress

•  Consent means:

•  What data shared

•  With whom

•  For what purpose

•  For how long

•  Requires affirmative consent – “opt-in”

•  Not needed for primary purpose / aggregated

DOE Voluntary Code of Conduct

• Notice

• Consent

• Access

• Security

• Self-Governance and Redress

•  Customer access to data is:

•  Convenient

•  Timely

•  Free / affordable

•  Green Button program

•  Basic

•  Green Button Connect

•  Corrections

DOE Voluntary Code of Conduct

• Notice

• Consent

• Access

• Security

• Self-Governance and Redress

•  Cybersecurity

•  Records retained no longer than necessary

•  Access on “need to know” basis

•  Notice of data breach

•  Secure disposal

DOE Voluntary Code of Conduct

• Notice

• Consent

• Access

• Security

• Self-Governance and Redress

•  Method to address customer complaints

•  Data → DNA

•  Chief Privacy Officer

•  Annual training, knowledge test, etc.

California Privacy Rules

• Legislation in 2010

•  Requires customer consent prior to sharing with third party contractors

•  No consent needed for “primary purpose”

•  Consent needed for “secondary purpose”

• Expanded in 2013

•  Applies to all businesses

•  Consent needed before sharing

California Privacy Rules

• CPUC Privacy Rules (2011)

•  Applies to utilities and their contractors

•  Okay to use for “primary purpose” w/out consent

•  Not okay to share with third party for “secondary purpose” without consent

•  Okay to share with third party on aggregated / anonymous basis, subject to restrictions

•  Must make available to customers (hourly or 15-min interval)

California Privacy Rules

• December 2013 decision:

•  Utilities provide access to data directly to third parties via utility backhaul

•  Requires consent

California Privacy Rules

• May 2014 decision:

•  Applies to governmental / research data requests

•  Each quarter, utilities must post aggregated monthly data at zip code level

• Specific rules for 12 “use cases”

•  Local governments

•  Researchers

•  Third party solar, EE vendors not included

• Data Request and Release Process

Best Practices

• Educate your customers

• Avoid giving ammo to “antis”

• “PEP”

•  Proactive approach to privacy

•  Engage customers

•  Positive framing of benefits

Additional Resources

• SmartGrid.gov

• Privacy By Design

• Future of Privacy Forum seal program:

Questions?

Brian Orion

Managing Attorney

[email protected]

Lawyers for Clean Energy

656A Clayton Street

San Francisco, CA 94117

858-354-8222

www.lawyersforcleanenergy.com