FPF Summary of CPUC Smart Grid Rules

FPF Summary of CPUC Smart Grid Rules

On May 6, 2011, the California Public Utilities Commission (CPUC) issued a proposed decision addressing privacy and security concerns around the Smart Grid.  The CPUC proposed decision is significant, because it presents the most significant step yet in the U.S. towards a comprehensive set of smart grid privacy rules. 
With that in mind, we have prepared a brief summary of the CPUC proposed decision to help navigate the terrain.  

Among the highlights: 

  • Overall, the proposed decision develops a regulatory framework that is wide-ranging in reach.  It would apply privacy and security rules to customers of California’s three investor-owned electric utilities offering or proposing to install smart meters, and extend the proposed rules to the companies that contract with these utilities. 
  • Most notably, the proposed rules would also apply, by utility tariffs, to certain third party companies that are not in contractual privities with a utility.
  • Specifically, a third party would have to comply with the PUC rules when it obtains access to customer’s usage data via Home Area Netwok (HAN)-enabled devices that are “locked” to automatically transfer usage data to the third party. 
  • According to the proposed rules, a covered entity would have to provide customers with transparency through a notice and privacy policy that will be “meaningful, clear, accurate, specific, and comprehensive notice regarding the collection, store, use, and disclosure of covered information.”  Customers would be given access to, and a certain level of control over the collection, storage, use and disclosure of their covered information.  
  • The proposed rules would require utilities to provide third parties with access to usage data that customers authorize if the third parties comply with the privacy and security rules. 

There are several principles targeted toward data management. Covered entities will be limited in their ability to collect data—only information that is “reasonably necessary” or “authorized by the Commission” to accomplish primary or secondary purposes.  Covered entities must have prior customer consent to collect, store and use information, except that electrical corporations may collect and store customer data without customer consent if for a primary purpose.  Subject to certain conditions, covered entities may share information with service providers without consent.  Covered entities must also ensure the quality, integrity, and security of the data. Finally, the PUC imposes data security and privacy audit and reporting requirements which include providing copies of the privacy notices for customers, internal privacy and data security policies, third party disclosure information and secondary uses authorization forms.  The PUC rejected suggestions that third parties should be required to register for certification to offer services that require access to customer energy consumption data.

For a more comprehensive look into the proposed decision, see the FPF summary here

The CPUC is accepting comments regarding its proposed rules until May 26, 2011, with reply comments due five days after that deadline.  FPF will be filing its comments in the upcoming weeks.

Many thanks to our colleague Tim Tobin for his excellent and comprehensive review of the decision.

Leave a Reply

Privacy Calendar

10:00 am Privacy Principles in the Era of Massive Data @ Georgetown Law Center
Privacy Principles in the Era of… @ Georgetown Law Center
Apr 22 @ 10:00 am – 12:00 pm
Experts from the public and private sectors will join public policy experts from the Georgetown University McCourt School of Public Policy and privacy law experts [...]
all-day 6th Biannual International Surveillance & Society Conference
6th Biannual International Surve…
Apr 24 – Apr 25 all-day
The 6th Biannual International Surveillance & Society conference hosted by the University of Barcelona and supported by the Surveillance Studies Network is currently calling for [...]
12:00 pm Data Privacy in Education: Ensuring Student Security while Encouraging Innovation in K-12 Education @ Rayburn House Office Building, Room B-354
Data Privacy in Education: Ensur… @ Rayburn House Office Building, Room B-354
Apr 24 @ 12:00 pm – 1:00 pm
The Congressional E-Learning Caucus in cooperation with Into and the National Coalition for Technology in Education and Training presents a luncheon to discuss “Data Privacy [...]
all-day IAPP Europe Data Protection Intensive 2014
IAPP Europe Data Protection Inte…
Apr 29 – May 1 all-day
The IAPP Europe Data Protection Intensive features timely programming centred on the top issues impacting the European data protection community, with a focus on addressing [...]
5:30 pm InSecurity: Race, Surveillance and Privacy in the Digital Age @ New America Foundation
InSecurity: Race, Surveillance a… @ New America Foundation
Apr 30 @ 5:30 pm – 7:30 pm
Now more than ever, digital tools sit at a precarious tipping point, and many question whether they will be used to address pre-existing disparities, [...]
all-day IAPP Canada Privacy Symposium 2014
IAPP Canada Privacy Symposium 2014
May 7 – May 9 all-day
The IAPP Canada Privacy Symposium is the leading conference for education, debate and discussion of issues that matter most to Canadian privacy and data protection [...]
all-day Privacy Law Scholars Conference (7th Annual) @ The George Washington School of Law
Privacy Law Scholars Conference … @ The George Washington School of Law
Jun 5 – Jun 6 all-day
  UC Berkeley School of Law and The George Washington University Law School will be holding the seventh annual Privacy Law Scholars Conference (PLSC) on [...]
all-day Computers, Freedom, and Privacy 2014 Conference @ Airlie Center
Computers, Freedom, and Privacy … @ Airlie Center
Jun 8 – Jun 10 all-day
Mark your calendars! The 2014 Computers, Freedom, and Privacy Conference will be held June 8-10 at the Airlie Center in Warrenton, Virginia. The Airlie Center [...]

View Calendar