CNIL Head of Compliance Explains Approach on Connected Devices, Including Smart Meters
Nerbonne first acknowledged the capacity of connected devices to improve our daily lives but expressed her concerns about their potential impact on individuals’ privacy, including the risk of mass surveillance by governments, corporations and cybercriminals. She gave two practical examples. The first was the difficult compromise between the proportionality, adequacy and transparency principles set out by French data protection law and the inherent features of connected devices, which require the collection of a large volume of data. The second was the security risks raised by connected devices; Nerbonne specifically referred to the data breaches of which several car manufacturers were victims.
Nerbonne stressed the new role played by regulators in the field of the Internet of Things. For example, the CNIL has recently decided to adapt its structure by creating a Compliance department, which works hand in hand with a committee dedicated to innovation and technology. She explained that the CNIL needs to innovate by implementing a dynamic compliance framework, in particular given the proposed General Data Protection Regulation (GDPR), which will grant stronger sanctioning powers to data protection authorities. However, Nerbonne indicated that the CNIL considers that sanctions do not necessarily constitute the best way of ensuring compliance. She stressed that it is much more efficient to work in cooperation with professionals on a daily basis. This allows a sector-by-sector approach, which ensures a level of legal certainty for professionals and helps to simplify the relevant administrative formalities.
The CNIL and the FIEEC, the French industry association of the electrical, electronic and communication industries, have created a Working Group called “Smart grids and personal data” which published, in May 2014, a Compliance Package on smart meters. This Compliance Package constitutes a new form of regulation by the CNIL, consisting of practical guidelines that aim to facilitate compliance by smart grid operators with French data protection law. This shows the CNIL’s desire for companies to adopt a privacy-by-design approach, thereby ensuring that data protection and privacy considerations are built into the design and manufacturing process of new technologies, as required by the upcoming GDPR.
The Compliance Package identifies three scenarios that smart grid operators may encounter:
The so-called “IN → IN” scenario: the data is collected at home, without involving any external communication (e.g. communication between the thermostat and the heater).
The so-called “IN → OUT” scenario: the data is collected at home and transmitted to service providers (e.g. proposal by a service provider of a new electricity contract based upon consumption).
The so-called “IN → OUT → IN” scenario: the data is collected at home and transmitted externally to enable the user to remotely control equipment (e.g. the provision of a service allowing the user to operate a washing machine at a time of day when electricity is less expensive).
The Compliance Package provides, for each of these scenarios, recommendations on how to handle the situation from a data protection perspective, including a list of purposes for which the data can be collected, the categories of data that can be collected, the retention period for the data, as well as the security measures to be put in place.
Nerbonne announced that the CNIL is currently working with professionals from the automobile sector on the subject of connected cars in order to issue, in 2016, a Compliance Package for this sector.