Both companies have three months to comply.
Linky is a communicating meter (a "smart" meter) that transmits consumption data and receives commands remotely. As fine-grained consumption data can reveal information about private life (waking and sleeping times, periods of absence, possibly the number of people present in the dwelling), data protection rules may apply.
Linky meters are currently being deployed by
The compliance failures identified by the CNIL concern the procedures for obtaining consent from individuals prior to the collection of their consumption data and the retention period policies.
The collection of consumption data from Linky smart meters
EDF
During the inspections carried out on
More precisely, the user is invited to activate the collection of his/her daily and half-hourly data via a single "I authorize" checkbox worded as follows: "My daily electricity consumption (every 30 minutes), my consumption history and my maximum power reached". In addition, clicking on a "more information" link displays the following: "My day-to-day consumption: find out more about it to better understand and control my consumption with the display of my daily consumption (every 30 minutes), my consumption history and my maximum power reached."
Consent is thus collected for the following purposes: display of daily consumption data in the customer account, display of half-hourly consumption data in the customer account and personalized advice aimed at better controlling electricity consumption.
It should be recalled that for consent to be valid, it must be freely given, specific, informed and unambiguous, as per Article 4§11 of the General Data Protection Regulation ("GDPR"). Wherever any of these criteria is not met, consent cannot be used as a legal basis for processing within the meaning of Article 6§1(a) of the GDPR.
In the matter at hand, the CNIL considered that users' consent was neither specific nor sufficiently informed.
EDF collects users' consent to the collection of their daily and half-hourly consumption data through a single checkbox for three distinct purposes, i.e. the display of daily consumption data in the customer account, the display of half-hourly consumption data in the customer account and personalized advice aimed at better controlling electricity consumption. However, these processing operations are distinct and independent of each other (users may wish to consult the history of their daily consumption, without necessarily wishing to benefit from a display on a half-hour basis or to receive personalized advice from their supplier). For the CNIL, the user should be able to give consent by purpose and activate the collection of daily indexes, without necessarily having to agree to activate the load curve in a correlated manner.
Similarly, during the investigations carried out on
For the same reasons, it considered that the consent of users was neither specific nor sufficiently informed.
Data retention periods
EDF
EDF keeps the daily and half-hourly consumption data in an active database throughout the entire duration of the contract and then for a further five-year period, without any intermediate archiving, whether physical on a separate server or logical via access restrictions. No automated wiping procedure is implemented, in particular due to technical complexity.
It should be recalled that pursuant to Article 5§1(e) of the GDPR, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The CNIL considered that the retention of daily and half-hourly data in an active database for the entire life of the contract and then for an additional period of five years, for all types of contracts and without intermediate archiving, was excessive (neither half-hourly nor daily consumption data are necessary for the billing of consumed electricity, which takes place on a monthly basis).
In addition, electricity suppliers are only required to provide customers with their consumption history for a period of three years following the date of obtaining consent (Article D. 224-26 of the French Consumer Code).
The CNIL considered that while the customer's contact details can be kept in an active database for three years following the termination of the contract so that
No follow-up action will be taken with respect to these procedures if the companies comply with the GDPR within the prescribed three-month period. In this case, the close of each procedure will be made public.
On the other hand, if the companies fail to comply with the GDPR within the prescribed three-month period, the CNIL may refer the matter to its restricted committee responsible for sanctioning breaches of the GDPR and the companies may thus ultimately be penalized.
Footnote
1 https://www.cnil.fr/fr/edf-et-engie-mises-en-demeure-pour-non-respect-de-certaines-conditions-de-recueil-du-consentement
Ms Laure Marolleau
Soulier Avocats
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source