Countdown to GDPR: A pre-GDPR Object Lesson in France?

GDPR: CNIL Warns Direct Energie about Personal Data
Location: France
Date: March 2018 – 8 weeks ahead of May 25th

On the 27th of March this year the French Data Protection Authority CNIL announced that it had issued a formal notice to DIRECT ENERGIE, Société, for its failure to obtain customer consent to collect customers’ usage data from Linky smart meters installed in their homes. Linky, the energy/electricity usage monitoring meter, is already installed in 8 million French homes, and all French homes should be equipped by 2021.

Have Direct Energie customers with a Linky meter installed consented to have their data collected by this energy supplier? Not enough of them, according to the Commission Nationale Informatique et Libertés (CNIL), which decided to put the company on notice “due to a lack of consent to the collection of consumption data from the Linky communicating meter.”

This desire to collect data attracted in 2012 the attention of the CNIL. They data remain anonymous, are the property of the user and can not be transmitted to third parties, except with the explicit consent of the customer. To wit: nobody will know what time the user wakes up or operates his or her washing machine, if they do not wish. But electricity suppliers, such as EDF, Engie or Direct Energie, can set up specific offers that use customer data to better control electricity consumption.

Direct Energie, a few weeks before this CNIL notice, had launched a Linky special offer that programs the hot water tank remotely. The CNIL criticized the company, that it informed its customers of the collection of their daily consumption data, but without asking for their prior consent.

It further denounced the manner in which the collection of consumption data is presented on a 30 minute basis. The Commission explains that, with the installation of a meter, Direct Energie asks for simultaneous agreement of the customers’ part  on two points: (1) the commissioning of the meter and (2) the “collection of hourly consumption data, which is presented as the corollary to the activation of the meter and as allowing the customer to benefit from a billing at the fair rate “. However, the CNIL emphasizes, the purpose of billing at the fair rate for the customer “is not accurate, since Direct Energy does not offer offers based on hourly consumption.”

The CNIL also considers that this presentation gives the customer “the mistaken impression that he chooses to activate the meter when he actually only consents to collecting his consumption data” – since the installation of this meter “is mandatory, and its commissioning does not depend on the company Direct Energie”.

Direct Energie responds:

Xavier Caïtucoli, founder and president of Direct Energie: “We scrupulously respect the law. Nothing is hidden to our customers, we send three explanatory and detailed e-mails. The proof that customers understand very well is that 35% accept – the others do not respond,” therefore implicitly refuse,” adds the company. “If the CNIL finds that it is not precise enough, we will specify,” says Xavier Caitucoli. “Our data are not sold to anyone,” repeats Mr. Caitucoli, for whom Linky is “very good news, which can do a lot for the energy transition”.

The company then entered a period of three months to remedy the situation and come into compliance with the law, says the CNIL, while recalling that “this formal notice is not a penalty” and that “no further action will be given.”

In summary this seems a pre-GDPR action, a mild sort of object lesson, and most likely  a harbinger of things to come.

#######

What are your thoughts on this? With the GDPR just days away, what are your plans, how have you prepared, what client interactions have been involved?  We welcome your input in the comments below.