Data protection and security

Both supporters of smart metering and opponents of the new technology have been discussing data protection and security.

Like any other type of data handling, recording energy consumption via smart meter is subject to Austria’s Datenschutzgesetz (Data Protection Act). This Act contains rules for the protection of personal data (i.e. information about persons whose identity is indicated or could be found out) and rules on when it is acceptable to use them. Several principles form the basis for these rules, most importantly the principle that use of the data must be in line with the law and the principle that the data must have been collected for legal purposes.

The Data Protection Act provides that measures must be taken to ensure that the data is secure. This involves keeping a record of data use, in particular when data is changed, retrieved or transmitted, so that there can be a reasonable check of whether such use was admissible. In addition, notification of data use must include information on the data security measures taken, to enable verification of whether these are appropriate.

We do not see cause for concern over smart metering data security. So-called load meters (about 30,000 of them) have been used to record the consumption of energy-intensive industrial and business consumers for more than ten years now. Just as smart meters can, these load meters record consumption and load at 15-minute intervals and most of them can be read remotely. As far as we know, there have been no data protection or security concerns over these meters. Therefore, we consider that the risk is manageable also if smart meters are installed at small consumers’ homes across Austria. Having said that, E-Control does not dismiss data protection and security lightly; we are part of discussions on these topics with system operators and equipment manufacturers to clarify all open questions.

In addition, smart meters are subject to the Intelligente-Messgeräte-Anforderungs-Verordnung (E-Control Ordinance Determining the Requirements for Smart Meters), which requires that the devices and their communication must be encrypted according to the state of the art, so that they are protected from access by unauthorised third parties. IT security is generally part of the system operators’ duties and the required measures must already be in place when data use is notified. Residual security risks, such as unauthorised third parties gaining access e.g. to the system operators’ network control points, are not specific to smart meters. Most system operators have also used transformer substations with remote disabling options for many years and have never encountered massive security breaches. After all, systems must be protected properly regardless of whether smart meters are used or not.