Linky: user consent is insufficient to collect as much data

Shift the February 11, 2020 at 5.33 p.m.

Linky meters collect far too much personal data without correctly requesting users' consent, and then store it for too long: the CNIL has just given EDF and Engie to comply with the European General Data Protection Regulations (GDPR).

The CNIL has just put EDF and Engie on notice to better comply with the GDPR in the way in which these players collect data via Linky smart meters. "The fine consumption data can reveal information on private life (times of getting up and sleeping, periods of absence, possibly the number of people present in the accommodation). It is therefore essential that customers can keep control of their data ”, notes the CNIL in a press release.

According to the CNIL, the collection of fine data such as the load curve can betray identifiable behaviors. The CNIL notes that if the energy code authorizes ErDF to collect daily data, the automatic and permanent collection of finer data must necessarily be subject to the express consent of the end user.

However, the Cnil explains that it has found, following inspections, that "EDF and ENGIE are on a global trajectory of compliance" – without really being yet. The CNIL explains: "These two companies have appointed a data protection officer and keep a processing register up to date".

EDF and Engie have been ordered to better respect the consent

Furthermore, the CNIL notes that these companies "Also implement procedures to allow data subjects to exercise all of their Data Protection rights (access, opposition, erasure, etc.), in particular with regard to their energy consumption data" as well as "Procedures for obtaining the consent of individuals prior to the collection of their consumption data and have defined retention period policies".

However, the CNIL notes shortcomings on these last two points: "The CNIL has noted that if the EDF and ENGIE companies do collect consent from their users, this consent is neither specific nor sufficiently informed with regard to hourly or half-hour consumption data", explains the authority.

And to add that "If the companies EDF and ENGIE have globally defined retention periods, CNIL verifications have revealed in particular that these retention periods are sometimes too long with regard to the purposes for which the data are processed".

EDF and Engie were quick to react. EDF explains on Twitter: " EDF undertakes to make the corrections requested by the CNIL. Protecting the personal data of our customers is a priority. We use them exclusively to provide them with the services to which they have subscribed. In no case do we transmit their data".

Read also: Linky – you can refuse the installation of the smart health connected meter

For his part, Engie explains, still on Twitter: “ENGIE respects the protection of personal data and the privacy of its customers. The consumption data collected with their consent is used for the services they subscribe to. ENGIE does not sell any customer data to third parties ”.

Source: CNIL

AB SMART HEALTH REVIEW