The nuances newsletter for February 2014 includes an article on the implications of the proposed EU General Data Protection Regulation for the smart metering and scoring industries. You will also find articles on a new study on energy use in UK homes, the EU Commission's final proposals for regulating the banking sector and the impact of European case law on Germany's renewable energy law. The nuances newsletter is written, edited and published by nuances public affairs, Berlin.
N°16 February 2014

Topics:

DIGITALISATION
Cut and Go: Implications of the EU Data Protection Regulation for Current Data Protection Law

ENERGY / ENERGY EFFICIENCY
Report on Energy Use in UK Homes
International Energy Agency Oil Market Report
Franco-German Co-Operation on Energy Policy
Changing Regulatory Environment in Europe

TRANSPORT INDUSTRY
EU Emission Trading Scheme to be Expanded

FINANCE
EU Commission Publishes Final Cornerstone of Banking Regulation

ANNOUNCEMENTS
Article by Markus Rosenthal on the UK's energy market reform

DIGITALISATION

Cut and Go: Implications of the EU Data Protection Regulation for Current Data Protection Law

European data protection law is undergoing change. The EU Commission plans to introduce new data protection laws in 2015. The General Data Protection Regulation should do away with the current patchwork of varying national data protection laws and replace them with one European law. At first glance this is a positive development for the economy. On a closer look, however, significant deficits can be seen. While the Data Protection Regulation supersedes the current EU Data Protection Directive and a large part of national law, there is the danger of a legal vacuum. Smart metering, scoring and many other business sectors and branches will feel the effects.

I. Introduction

With the proposal for a General Data Protection Regulation, the EU is planning to revolutionise data protection law. True to the motto "EU data protection law is dead, long live EU data protection law", the current data protection directive from 1995 and its national implementations will be decommissioned.

1. Direct Implementation of the Regulation: When the regulation comes into force, its provisions will take the place of the national laws which are of the same legal scope. The national laws will no longer be legally valid. In this way European law directly affects companies and authorities.

2. The Term General Regulation: The EU General Data Protection Regulation will be the foundation of European data protection law. However, sector-specific rules will still be able to specify what the law is in certain areas. The view from Brussels is that this is a basis for the law. This can be complemented and
specified by the EU Commission with so-called delegated legal acts. These are to help with the interpretation of the general regulation.

1. Change of the Smart Metering Legal Situation

The German Federal Energy Industry Act implemented EU guidelines stating that houses and apartments must have built-in digital meters that can measure the actual energy consumption and the time of consumption to the second. Intelligent power networks should be established using intelligent measurement systems. However, according to the data protection authorities at regional and federal level, data protection risks for the customer are an issue here. The data protection authorities fear that the expansion of smart metering will bring far-reaching violations of data subjects' personal privacy rights. This view is particularly damaging for the development of energy providers' customer loyalty and management systems. Energy providers would need to collect consumption data for bills. Only with precise knowledge of customer profiles can the full effect of smart metering be realised. This creates a situation where energy efficiency and data protection are seemingly irreconcilable. This situation is as follows.

The General Data Protection Regulation should replace the current patchwork of data protection laws in Europe. The refinement and form that the law will take in individual areas will subsequently be determined by the EU Commission by means of delegated legal acts or implementation acts. However, until the Commission carries out these refinements, there is the threat of a patchwork, as only the national laws will be valid for each specific sector. Companies are to interpret the imprecise regulation themselves and will therefore be confronted with risks. There is empirical evidence suggesting that medium-sized companies, which do not use their influence in the political field, will face a wave of legal uncertainty.

II. Effects of the General Data Protection Regulation on National Legislation

The system of German data protection law regulates a multitude of sector-specific areas. In this sense the federal data protection law is applicable only insofar as a special legal provision does not cover a specific circumstance. Many sector-specific legal provisions can be found in both regional and national laws.

The legislature complied with the request of the data protection authority and, with the energy industry law, made sector-specific rules that formulated requirements for the collection, processing and use of personal data from measurement systems. Similarly, the persons entitled to handle data were outlined. On top of that, remote measurements were only allowed to be taken when the end customer was first informed of and consented to the intended purpose of the collection as well as the type, scope and time period of the data collection. Furthermore, the possibilities and at the same time duties of anonymisation and pseudonymisation of data are explicitly mentioned and described in detail.

The question now is what will happen to the sector-specific regulations in light of the general regulation. Will they also fall victim to the general regulation, like much of the federal data protection law? Will the idea of full harmonisation be consistently pursued? Then the economy needs to face the fact that the federal data protection law will no longer be applicable. At least all of the regulations of the federal data protection regulation that are based on the general regulation will not be applicable.

Paragraph 21g of the German Energy Industry Act covers the handling of personal data and is therefore extremely important for smart metering. This law will no longer be valid with the passing of the EU General Data Protection Regulation. As a result, consumer rights are only protected by the general provisions of the new EU regulation.
The energy industry is therefore exposed to a disproportionate amount of legal uncertainty. Consequently, this means that the BSI Gateway regulations for smart metering will be called into question (BSI: Bundesamt für Sicherheit in der Informationstechnik, the German Federal Office for Information Security).

EU law takes precedence over national law and the general regulation contains only a few open clauses to national law. Many of the current sector-specific laws will be made legal history when the regulation comes into force because of the few and narrow open clauses to national law. This will create many holes in the law that will affect both data subjects and data processing companies.

2. Lack of Scoring Laws in the EU General Data Protection Regulation

Federal data protection and banking law governs the handling of personal data to evaluate the risk of credit
default. These laws create the platform for a rating procedure that balances the interests of the financial authority and customers.

In principle there is consensus among the institutions of the EU that the responsibilities in the area of data protection should be clearly structured. There is, however, conflict within this consensus. The Commission wants a strong one-stop-shop approach. In contrast, the committee for liberties, justice and home affairs of the EU Parliament (LIBE) wants the domestic authorities to only lead companies to the implementing authority. This means that this implementing authority should be the only authority in the EU to take legally binding action against the company. Such a procedure would involve consulting domestic data protection authorities where the company is represented and obtaining a position statement from them. The disadvantage of such a consultation process is that it would considerably reduce the speed at which decisions can be made. The attempt to simplify the law would therefore mean more bureaucracy.

The Banking Act is a prime example of a sector-specific rule for data protection. By directly regulating the issue and imposing limitations, a greater deal of legal certainty is achieved than would otherwise have been achieved under a general, all-encompassing data protection law. Only with a lot of skill would it be possible to define the threshold of the general data protection regulation and to find such a differentiated classification as prescribed in paragraph 10 subsection 1 sentences 3-8 of the German Banking Act. Under the current regulation, for example, companies can more easily transfer data to external service providers while protecting customers' interests. There is the threat of significant loss if this norm is struck down by the general regulation without being replaced. While Art. 6 and 19 of the new data protection law define the handling of personal data, neither can make up for the loss of the data protection rules contained in