Based on a complaint about Radius’ remote reading of electricity meters, the Danish Data Protection Agency has assessed that the processing of personal data has taken place within the framework of the General Data Protection Regulation and national special rules.
The Danish Data Protection Agency has made a decision in a case where a number of citizens complained about Radius Elnet A/S’ processing of personal data, as the company uses remotely read electricity meters to collect personal data about the complainants’ electricity consumption in kWh on an hourly basis and then reports the information to Energinet.
Radius is a grid company, i.e. a company that operates electricity distribution networks in Denmark. In this context, Radius collects consumption data from electricity customers, including the complainants, via remotely read electricity meters.
In its decision, the Danish Data Protection Agency found that Radius’ processing of the personal data had taken place within the framework of the General Data Protection Regulation and the national special rules adapting the application of the Regulation. The case has been reviewed by the Data Council.
The Danish Data Protection Agency found overall:
- Radius’ processing of personal data for the purposes of (i) billing and (ii) ensuring security of supply and sufficient quality and capacity in the electricity grid is necessary for compliance with a legal obligation, cf. Article 6(1)(c) of the GDPR,
- Article 25(1) of the GDPR does not apply to the processing activity at issue, as the activity was initiated before 25 May 2018, the date of application of the Regulation; and
- there was no basis for finding that the processing activities carried out by Radius on the basis of its legal obligation were contrary to the principle of proportionality in Article 5(1)(c) of the GDPR.
1)
The Danish Data Protection Agency emphasised that it is clear and precise from the legal basis to which Radius as a grid operator is subject that Radius as a grid operator must collect information on electricity consumption, etc. on an hourly basis and report the information to Energinet, and that this must be done in a specified manner. Furthermore, the Danish Data Protection Agency emphasised that the collection of information on electricity consumption, etc. with a view to ensuring security of supply as well as quality and capacity in the electricity grid is an integral part of the obligation to make available the necessary transport capacity and provide access to the transport of electricity in the electricity supply grid and to ensure the technical quality of the grid to which Radius is subject as a grid operator.
In this connection, the Danish Data Protection Agency noted that information on electricity consumption, etc. as a starting point does not in itself constitute special categories of personal data covered by Article 9 of the General Data Protection Regulation.
In selected cases and under certain circumstances, personal data may be considered sensitive personal data, even though the data should not normally be considered sensitive. This applies, among other things, if the data through intellectual reflection, e.g. deduction, can reveal sensitive information about a person. This may, for example, be the case where a person’s name, which is not in itself sensitive personal data, appears in a list of patients admitted to an oncology department.
However, in the opinion of the Danish Data Protection Agency, this is not the case if it requires the performance of complex analyses or similar to derive sensitive personal data, e.g. information about religious beliefs from information about electricity consumption, etc. if such analyses, etc. are not actually performed as part of the processing activity in question.
2)
With regard to the issue of data protection by design and by default settings, the Danish Data Protection Agency assessed that the purposes and means of the processing of personal data in question, i.e. the collection of information on electricity consumption, etc. on an hourly basis for billing and system operation purposes, had in any event been determined at the latest in December 2017, when the so-called flex settlement was commissioned by Energinet, according to which the grid companies, including Radius, have been obliged to collect and report the information on electricity consumption, etc. to the data hub.
This was thus a processing activity that was initiated before 25 May 2018, which is why Article 25(1) of the General Data Protection Regulation did not apply to the processing activity. In the opinion of the Danish Data Protection Agency, the fact that electricity meters have (still) been replaced at electricity customers in the period from 25 May 2018 to 31 December 2020 could not lead to a different result.
3)
With regard to the issue of proportionality, the Danish Data Protection Agency found, after an overall assessment, that there was no basis for determining that the processing activities carried out by Radius on the basis of the aforementioned legal obligation under the Danish Electricity Supply Act, etc. were contrary to the principle of proportionality in Article 5(1)(c) of the General Data Protection Regulation.
The Danish Data Protection Agency emphasised in particular that it is clear and specific from the legislation that the grid companies, including Radius, are obliged to verify the accuracy of the information reported to the data hub, and that this verification requires access to the specific measurement values collected on an hourly basis.
Furthermore, the Danish Data Protection Agency found that there was no basis for setting aside the assessment that it is necessary to check the individual measurement values, as provided for in the legislation, and that there was no basis for determining that there were other, less intrusive ways of processing the data in question, given the objective pursued.
Finally, the Danish Data Protection Agency emphasised that the method proposed by the complainants – according to the complainants’ own information – was not suitable for checking the individual measurement values, and that the method only made it possible to check the correctness of aggregated measurement values on a monthly basis.