Digital Privacy

Smart meter data: the Government’s at it again

Back in October 2022, ORG exposed Government plans to snoop on UK residents’ smart meters and energy consumption data. In July 2023, the Government backtracked on their plans following ORG’s campaigning, in particular by reducing the frequency with which smart meters’ and energy consumption data would be collected.

All’s well that ends well, if it weren’t that we were all deceived: on August 17, 2023, the Government updated their privacy policy to reflect that “energy consumption data is being collected more frequently than monthly”, thus reverting the improvements they had previously made. By collecting energy consumption data granularly, the Government is making it possible to understand which home appliances are being used and at what time, thus revealing lifestyle choices and potentially sensitive information about targeted households.

There is much to learn from this: the Government is also planning to introduce the Data Protection and Digital Information (DPDI) Bill, which deregulates data protection in the UK and makes it easy for the Government to collect information about you held by private sector entities — whether it’s your energy provider, your local supermarket or your General Practitioner. This story also disproves the Information Commissioner’s Office approach to public sector enforcement: pointing and shaming obviously fails to bring any results when the Government can count on a weak ICO that refuses to take legal action against public sector bodies.

The problem with smart meters

When are you usually away from home? Did you get a good night’s sleep or did you drive while sleep deprived? What time did you leave your home? Did the time it took you to get from home to your workplace mean that you broke the speed limit to get there? Or, in a custody battle: Have you ever left your 11-year-old child home alone? How often, and for how long? If you are claiming benefits while looking for work, can you explain why you have been away for a couple of days? These are just some of the questions that energy consumption data can answer, or at least guess: maybe you just fell asleep with the lights on, but data is against you and it’s now up to you to demonstrate that you didn’t drive while sleep deprived.

In other words, smart meter data can reveal your lifestyle habits and choices, and be used by third parties to make inferences whose validity or fairness may be doubtful. This is why we previously complained about Government plans to collect this information for “fraud detection” purposes under the Energy Price Guarantee. The Government initially planned to use smart meters to collect this data granularly, store it for ten years, and share it with credit reference agencies, local authorities and debt collectors. In our legal correspondence with them, the Government also failed to address concerns around the lack of documentation concerning this data collection and the lack of transparency about the amount of data they wanted to collect.

These risks and shortcomings are not a given or unavoidable, but a political choice: smart meters can deliver their benefits and functionalities without collecting granular and revealing data about their users, nor does our Government need to know how many times you use your microwave or when you turn off your bedroom’s lights in order to combat fraud.

The Data Protection and Digital Information Bill

Speaking of political choices, the Government is advancing legislation that would make it easier for Ministers to turn any private company into their informant: the DPDI Bill will make it always legal to share data for law enforcement, national security, fraud detection, or to answer a request made by a public sector body. This is a significant departure from the legal safeguards provided by the UK GDPR.

Data sharing today can happen only if the potential impact of this information on individuals has been considered beforehand, and if doing so does not expose individuals to unjustified risks. Would you expect data given to a sexual health clinic to be shared with the Government for immigration control purposes, or with private insurers for assessing your lifestyle’s risks? Would sharing this data in this manner affect your right to access healthcare services? The answers to these questions would determine the lawfulness of data sharing under the UK GDPR, but not under the DPDI Bill, where data sharing is always legitimate insofar as the goal being pursued (for instance, immigration control) has been sanctioned by the Government.

Also, the DPDI Bill would give law-making powers to UK Ministers, which would allow them to introduce new purposes that make data collection and sharing always legitimate via Statutory Instruments (SIs), which are never properly scrutinised by Parliament: indeed, the last time the House of Commons voted against the Government to reject an SI was 1979, almost 45 years ago.

The ICO approach to public sector enforcement

New technologies inherently have the potential to be weaponised and exacerbate power imbalances, raising delicate and complex questions around their impact and interferences with human rights and societal expectations. This is why, in the UK, we have the ICO: a public watchdog, independent from the Government, with powers that allow them to ask these questions and enforce against public and private entities that abuse personal data.

However, the decline in public sector standards and the institutional failures that have characterised the past five years of UK political history are biting at the ICO as well: following the highly politicised appointment of the new Information Commissioner, the ICO adopted a new strategy for public sector enforcement that relies on public shaming and “very angry letters” rather than legally binding enforcement actions and penalty fines. The results of this approach are rather obvious: the watchdog that should enforce the law is letting the Government off the hook, and thus public sector bodies can just ignore the law and get away with it.

Indeed, the smart meter saga is a good example of the consequences of this approach: the Government first rolled out smart meters and pledged they would never share this information without the consent of their users. Then they started collecting this data for fraud detection purposes. Finally, they were pressured by ORG to reduce the amount of data being collected, only to revert this decision as soon as we turned our heads away.

Learning from mistakes

Smart meters are just one of the many new devices and appliances that can be connected to the internet and collect data about us. They raise issues and questions that are valid elsewhere: we don’t need to sacrifice our privacy in order to reap the benefits of innovation, nor expose ourselves to patronising guessing games by powerful entities, nor should we trust the Government to do the right thing.

As technology progresses and its risks multiply, we need stronger protections against abuse, more accountability from our decision-makers, stronger oversight and guardrails. These lessons need to be brought into the current debate around the DPDI Bill: against a Government that wants to undermine our rights on their way out, the House of Lords have the opportunity to save the day, oppose the Government’s dangerous plans, and restore the functioning of the ICO.