The challenges of sharing data at the intersection of EU data protection and electricity market legislation: lessons from the Netherlands

Abstract

This article examines the interplay between the General Data Protection Regulation and the rules for access to consumer data introduced by the Recast Electricity Directive (2019/944). It brings insights from practice regarding the complexities of applying these two legal frameworks simultaneously by analysing a case from the Dutch electricity market. The case is constructed around a court decision that led Dutch distribution system operators to stop sharing consumers’ ‘personal data with suppliers for the purposes of preparing ‘personalised offers’. The article extracts lessons that can help EU member states when laying down or revising existing legal frameworks for access to consumer data on two main fronts: substantial alignment between data protection legislation and electricity market legislation, and the importance of strengthening cooperation between data protection authorities and energy regulators.

Keywords:

• consumer data
• GDPR
• personal data
• data access
• smart meter data
• data sharing
• data management
• Directive 2019/944

1. Introduction

The implementation of information communication technologies (ICT) in electricity systems (a phenomenon known as ‘digitalisation’) is deeply transforming the electricity sector. Multiple digital technologies have been and continue to be deployed to collect, transmit and analyse growing amounts of data across the entire electricity supply chain, from production to retail.¹ The data collected and processed in the electricity sector include network data, market data, consumer data and even external data such as weather data.²

The structure of the electricity sector in the European Union (EU), shaped by a long and gradual process of liberalisation,³ makes the exchange of data crucial for the correct functioning of this market. Liberalisation, and in particular the introduction of an unbundling regime, broke up vertically integrated energy companies and introduced free competition in the production and supply segments of the electricity supply chain, separating these activities from the operation of the grid (entrusted to transmission and distribution system operators), which is treated and regulated as a natural monopoly. In addition, the roll-out of smart electricity meters encouraged by EU legislation has generated new streams of data, which are usually collected and managed by distribution system operators (DSOs) but need to be accessed by other market parties such as energy suppliers and other service providers.⁴ Against this background, the electricity sector is formed by a constellation of actors who need data from each other to make possible the supply of electricity and to enable new energy services.

Among the multiple types of data used in the electricity sector, consumer data are receiving special attention in recent legislative developments. As a result of the increasing digitalisation of the electricity sector in the EU and the crucial role of energy data in the EU agenda to stimulate the data economy,⁵ there is a growing interest in access to consumer data in the electricity sector and beyond.⁶ Access to consumer data by consumers themselves and by other eligible parties is seen as key to allow consumers to manage their energy consumption, participate in the electricity market and the energy transition, and benefit from services based on energy data.

The growing importance of access to consumer data is acknowledged by the Directive (EU) 2019/944 (hereinafter the ‘Recast Electricity Directive’). This legislation requires member states to lay down rules regarding data management and exchange,⁷ in particular rules on access to consumer data,⁸ which include ‘metering and consumption data as well as data required for customer switching, demand response and other services’.⁹

The Recast Electricity Directive also requires member states to ‘organise the management of data in order to ensure efficient and secure data access and exchange, as well as data protection and data security’.¹⁰ Concerning data protection, the Directive stipulates that when personal data are processed (including giving or obtaining access to personal data), this should be done in compliance with Regulation (EU) 2016/679,¹¹ known as the General Data Protection Regulation (GDPR).¹² Against this backdrop, the sharing of consumer data in the electricity sector is to be governed by two simultaneously applicable regimes: on the one hand, the sectoral rules laid down by member states in transposition of the Recast Electricity Directive; and, on the other hand, the general framework for personal data processing enshrined in the GDPR.

These two frameworks have different scopes, legal bases in EU law, policy objectives, levels of implementation and supervisory authorities.¹³ Moreover, these two legal frameworks define different roles, obligations, and rights that apply simultaneously to the same actors.¹⁴ The parallel application of these two legal frameworks raises questions, as noted by emerging legal scholarship on this topic.

Huhta explores how the objectives of both regimes can be reconciled through legal interpretation, even if they seem to embody opposing interests: on the one hand, the extensive use of smart meter data encouraged by the Recast Electricity Directive, and, on the other hand, the view of processing and transferring personal data as a potential threat to the right to data protection, embedded in the GDPR.¹⁵ The core of her analysis, however, focuses on possible grounds for personal data processing in the context of smart metering, without delving into questions related to access to consumer data.

Graef, Husovec and van den Boom do study the provisions for access to consumer data in the Recast Electricity Directive (as well other sectoral data access regimes in EU legislation), but focus specifically on exploring the spillovers that may result from its interaction with the right to data portability introduced by the GDPR.¹⁶ They find that the interplay between these frameworks can affect how they are interpreted, in the sense that the reach of the provisions of one framework may expand or contract when read together with the other framework.

A recent study by Lavrijssen, Espinosa Apráez and ten Caten also looks at the interplay between the GDPR and the Recast Electricity Directive. Their contribution provides an overview of the different actors, principles and obligations arising from each legal regime, and identifies three possible tensions between the two frameworks.¹⁷ These tensions, however, are not fully developed in the study, leaving room for further exploration.

The aforementioned studies analyse the interplay between the GDPR and the provisions concerning data access in the Recast Electricity Directive but do so in abstracto. With the aim of expanding the body of knowledge on the challenges of applying these two frameworks simultaneously, this article brings insights from practice, by examining a case from the Dutch electricity sector (hereinafter, ‘the Personalised Offer case’).

The Personalised Offer case is constructed around the context, content and consequences of a ruling issued by a Dutch court, the Trade and Industry Appeals Tribunal (in Dutch: College van Beroep voor het Bedrijfsleven), in early 2020.¹⁸ The ruling put forward an interpretation concerning one of the lawful grounds for personal data processing under the GDPR (necessity to comply with a legal obligation), that led Dutch DSOs to stop giving energy suppliers access to consumers’ personal data to prepare personalised offers.¹⁹

Even though the case took place before the adoption of the Recast Electricity Directive, its analysis is still relevant – firstly, because it refers to the interaction between the GDPR and the sectoral rules for access to consumer data in force in the Netherlands at the time of the events, providing rich insight into the challenges of applying horizontal and sectoral frameworks regulating data sharing; secondly, and more importantly, the issues arising from the case are not addressed by the Recast Electricity Directive.

The question that underlies this research is the following: what lessons can be drawn from the Personalised Offer case regarding the interplay of the GDPR and the rules for access to consumer data in the electricity sector? The aim of the article is twofold. Firstly, this article reflects on what occurred in the Dutch case and shows that the lack of alignment between the legal regime for access to consumer data in the electricity sector and data protection legislation might end up hindering data sharing in the electricity sector and/or jeopardising the protection of personal data. Secondly, the article posits that member states have an important role to play in contributing to the consistent application of the two legal frameworks, and introduces a number of suggestions in that regard, focusing on two main issues: ensuring substantive alignment between the two legal frameworks, and the importance of having clear cooperation mechanisms between the energy regulators and the data protection authorities.²⁰ This research is carried out following the methodological approach of doctrinal legal research, based on an analysis of EU and Dutch legal sources (specified throughout the article), as well as legal scholarship on data protection and access to consumer data in the electricity sector.

The paper is structured as follows: section 2 will provide an overview of the provisions governing access to consumer data in the Recast Electricity Directive and will elaborate on their relationship with the GDPR. Section 3 describes the facts of the Personalised Offer case. Section 4 will identify the lessons from the case, and make suggestions to enhance the alignment between the two legal regimes here studied. Section 5 concludes.

2. The regime for access to consumer data under the Recast Electricity Directive and its relationship with the GDPR

2.1. Access to consumer data under the Recast Electricity Directive

In the electricity sector a distinction is usually made between access to data necessary to fulfil regulatory obligations and access to data necessary for additional energy services.²¹ The first category refers to the exchange of data for processes that are necessary for the correct functioning of the electricity systems and the continuous supply of electricity. Under this category, actors such as DSOs and energy suppliers must collect and exchange consumer data to fulfil regulatory obligations introduced by EU and national law to ensure the reliable, affordable and sustainable supply of electricity. For example, DSOs need consumer data to perform their grid management tasks, and energy suppliers need access to consumer data for reasons including billing purposes and consumer switching (ie when the consumer decides to change supplier). These are traditional processes involved in the supply of electricity and have been regulated for a long time.

The second category refers to accessing consumer data to enable new energy services that go beyond the mere supply of electricity, such as personalised offers, demand response programmes or energy management systems. The increased availability of consumer data, owing in particular to the roll-out of smart metering systems,²² has enabled the emergence of new energy services that help consumers in ‘monitoring their consumption patterns, consuming green energy, activating their flexibility, generating energy locally, driving electric vehicles, etc.’²³ These services allow consumers to manage their energy use and be more active in the electricity market and the energy transition.²⁴ There is also a potential to enable services across different economic sectors on the basis of energy data.²⁵ To be able to offer these services to the consumers, service providers need access to consumer data, including smart meter data, which in the EU are typically managed by or on behalf of DSOs.²⁶ This new use of data reflects the growing impact of the data economy in the electricity sector, and it is gaining momentum in EU policy, especially against the background of the so-called ‘twin green and digital transitions’, ie at the intersection of the European Green Deal and the Digital Decade Policy Program put forward by the European Commission.²⁷

Acknowledging the importance of consumer data, the Recast Electricity Directive explicitly requires member states to lay down rules for access to these data by eligible parties and sets a number of requirements that those rules must meet.²⁸ Such an emphasis on access to consumer data was absent in the preceding legislation adopted under the Third Energy Package. Directive 2009/72/EC²⁹ (hereinafter ‘Electricity Directive 2009’) had already encouraged member states to embrace and support the use of ICT, such as smart grids and smart metering, to foster decentralised generation and energy efficiency.³⁰ However, the Electricity Directive 2009 provided limited provisions regarding how the new streams of data resulting from these technologies should be managed and accessed. Regarding consumer data, the 2009 Directive stated that member states should take measures to ensure that consumers could have at their disposal their consumption data and give any energy supplier access to their metering data free of charge.³¹

In the review of the Electricity Directive 2009 in preparation for the Clean Energy Package,³² data management (including access to consumer data)³³ was seen as one of the main factors behind the ‘slow deployment of new services, low levels of service and questionable market performance on retail markets’ in the EU electricity sector.³⁴ The Impact Assessment prepared by the European Commission for the recast of the Electricity Directive 2009 acknowledged that in order to realise the benefits offered by digitalisation in the electricity sector, a framework for non-discriminatory data management was needed. This was in order to make ‘the right information immediately available to the right market actors, while at the same time ensuring a high level of data protection’.³⁵ In the view of the Commission, this called for legislative action at the EU level.

The approach ultimately adopted in the Recast Electricity Directive regarding data management entails that member states are free to have their own model for data management and exchange,³⁶ ie the Directive does not require member states to adopt a predetermined model.³⁷ Regardless of the specific model chosen, member states are responsible for organising data management so as to ensure non-discriminatory, efficient and secure data access, and the highest level of cybersecurity and data protection.³⁸ The rules concerning access to consumer data shall be transparent and ensure the impartiality of the parties responsible for data management (hereinafter ‘the data managers’), which are obliged to give access to consumer data to eligible parties, in accordance with the data access rules adopted in each member state.³⁹

The Recast Electricity Directive does not define the meaning of ‘eligible parties’. In the original legislative proposal prepared by the European Commission, art 23, para 1 stated that ‘eligible parties’ shall include ‘at least customers, suppliers, transmission and distribution system operators, aggregators, energy service companies, and other parties which provide energy or other services to customers’.⁴⁰ Since this provision is not included in the adopted text of the Directive, it is up to the member states to decide which parties are eligible to have access to consumer data.

The consumer data covered by the Directive include ‘metering and consumption data, data required for customer switching, demand response and other services’.⁴¹ In that sense, the scope of the provisions concerning data access in the Recast Electricity Directive is broader than that of the 2009 Directive, which only referred to access to metering data by suppliers.

From the types of data mentioned in the Directive, metering data and consumption data receive most attention. The Directive does not provide specific definitions for these two types of data, but from its provisions⁴² it seems that ‘metering data’ is a broad notion referring to data generated by smart meters,⁴³ including information on how much electricity is consumed (consumption data) and how much electricity is fed into the grid, in the case of active customers (also known as ‘prosumers’).

The rules applicable to access to smart meter data are laid down in art 20 of the Recast Electricity Directive. According to these provisions, consumers are entitled to receive (at no additional cost) validated historical consumption data⁴⁴ and non-validated near-real time consumption data,⁴⁵ the latter ‘in order to support automated energy efficiency programmes, demand response and other services’.⁴⁶ Article 20, literal (e) specifies that, at the request of the consumers, consumption data and data on the electricity fed into the grid shall be made available to them, following the provisions of the implementing acts adopted pursuant to art 24 of the Directive. This article gave powers to the European Commission to adopt implementing acts on ‘interoperability requirements and non-discriminatory and transparent procedures for access to data referred to in Article 23(1)’.⁴⁷ The goal of these implementing acts is promoting competition in the EU retail market for electricity and avoiding excessive administrative costs for the eligible parties seeking access to data in multiple member states.⁴⁸

Under the Recast Electricity Directive, access to consumer data can take two forms: the data can be made available directly to the consumer through a communication interface or remote access, and the data can be made available to a third party acting on behalf of the consumer.⁴⁹ The last subsection of art 20 specifies that consumers should be able to ‘retrieve their metering data or transmit them to another party at no additional cost and in accordance with their right to data portability under Union data protection rules’.

The right to data portability was introduced by the GDPR (art 20). It entitles data subjects to receive (a copy of) the personal data concerning them that have been provided by them to a data controller,⁵⁰ in a ‘structured, commonly used and machine-readable format’, and to transmit the data to another controller. Where technically feasible, consumers can request that the data are transmitted directly from the original controller to a new controller.⁵¹ This right is aimed at empowering data subjects by facilitating their ability to ‘move, copy or transmit personal data easily from one IT environment to another (whether to their own systems, the systems of trusted third parties or those of new data controllers)’.⁵² Several commentators note that the Recast Electricity Directive can be seen as complementing the GDPR, by introducing a mandatory implementation of the right to data portability for smart meter data.⁵³

2.2. Relationship between the rules on access to consumer data and the GDPR

The GDPR is an EU regulation applicable since May 2018. Its aim is to safeguard the right to personal data protection, while making it possible for personal data to be processed by and flow freely between member states.⁵⁴ This regulation requires individuals and organisations that process personal data as controllers⁵⁵ or processors⁵⁶ to implement technical and organisational measures to comply with data protection rules and principles.

The GDPR is a general legal framework for the protection of personal data in the EU. It applies to all personal data processing activities and sectors that are not explicitly excluded from its scope.⁵⁷ The GDPR applies to the processing of consumer data in the electricity sector to the extent that the data in question qualify as personal data following the definition in the GDPR, ie any information that relates to identified or identifiable natural persons (named ‘data subjects’ in the GDPR).⁵⁸ The GDPR defines ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means’, including ‘retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available’.⁵⁹ Hence, giving and receiving access to data relating to consumers who are natural persons are activities that qualify as processing of personal data.

The Recast Electricity Directive clearly acknowledges that the GDPR applies whenever personal data are processed under the provisions of the Directive. This is reasonable because the Directive was prepared and adopted after the entry into force of the GDPR in May 2016. It is also understandable considering that the electricity sector is becoming ever more dependent on the use and exchange of consumer data, which involve personal data and thus must be processed following the GDPR.⁶⁰

Several recitals and provisions of the Recast Electricity Directive refer explicitly to the data protection legislation. For example, Recital 91 of the Recast Electricity Directive states that its provisions should be interpreted and applied in accordance with the rights and principles enshrined in the Charter of Fundamental Rights of the European Union, in particular the right to the protection of personal data.⁶¹ Moreover, this recital highlights that it is essential that any processing of personal data pursuant to the Directive complies with the GDPR, something that is reiterated in the provisions concerning smart metering,⁶² and the provisions concerning data management and access to consumer data.⁶³ Another important link with the GDPR is evidenced by the explicit reference to the right to data portability in art 20 of the Recast Electricity Directive, referred to above.

As noted in section 2.1 of this contribution, one of the goals of the legislative reform that resulted in the adoption of the Recast Electricity Directive was to introduce rules to enhance data access while ensuring personal data protection. The result in the adopted Directive was, however, more modest. It is true that the Directive establishes a clear link with the GDPR by stating explicitly that the latter is applicable whenever personal data are processed, including in the context of access to consumer data.⁶⁴ However, the Directive offers little guidance on how to apply both frameworks in parallel in the context of access to consumer data. This is understandable, considering that each member state can adopt its own model for data management and exchange, and the divergences across models make it more difficult to introduce guidelines at EU level. In this context, it is for the member states to ensure the alignment between the data access rules they adopt in transposition of the Recast Electricity Directive and the GDPR.

The parallel application of the rules for access to consumer data under the Recast Electricity Directive and the rules of the GDPR for what concerns personal data entails an entwining of the roles, rights and obligations arising from both legal regimes. For example, electricity consumers whose data are accessed are also data subjects, and as such, are entitled to the protection and rights arising from both the Recast Electricity Directive and the GDPR. The managers of electricity data might qualify as data controllers or processors under the GDPR, depending on the legal and factual context in which they operate,⁶⁵ which is given by the data management model adopted by each member state.⁶⁶ Eligible parties (including ‘third parties’⁶⁷) who want to access consumer data can qualify as recipients⁶⁸ when they receive the data from the data manager, and become data controllers in respect of the processing carried out for their own purposes after they receive the data from the data manager. Hence, data managers giving access to consumer data and eligible parties obtaining access to these data will have to follow the obligations and requirements arising from both the Recast Electricity Directive and the GDPR.⁶⁹

As noted by Lavrijssen, Espinosa Apráez and ten Caten, the interplay of the provisions for access to consumer data in the Recast Electricity Directive and the rules for the processing of personal data in the GDPR also leads to interactions and possible overlaps in competences of the supervisory authorities of each regime.⁷⁰ The Recast Electricity Directive (as well as the preceding legislation) requires member states to appoint an independent national regulatory authority (NRA) tasked with the monitoring and enforcement of the legal regime applicable to the electricity sector, as well as with the adoption or implementation of certain regulations.⁷¹ Specifically concerning the topic of this article, NRAs are responsible for ‘ensuring non-discriminatory access to customer consumption data’,⁷² which means that NRAs are competent to oversee how data managers provide access to consumer data to eligible parties.

On the other hand, the GDPR requires member states to appoint an independent supervisory authority known as the ‘data protection authority’ (DPA), responsible for monitoring and contributing to the consistent application of the GDPR.⁷³ To be able to fulfil their duties, DPAs are given investigative, corrective, and authorisation and advisory powers.⁷⁴ Since access to data of consumers who are natural persons constitutes processing of personal data, the data managers and the eligible parties obtaining access to these data fall under the supervision of the national DPAs.

The two aspects here mentioned – on the one hand, the entwining of the roles, rights and obligations arising from both legal regimes and, on the other hand, interactions and possible overlaps between the competences of the two supervisory authorities – play an important role in the Personalised Offer case, as will be shown in the next section.

3. The Personalised Offer case

This section will introduce the facts of the ‘Personalised Offer case’, a case taken from the Dutch electricity sector which shows the complexities of data sharing at the intersection between the GDPR and sectoral rules for access to consumer data in the electricity sector. The case is constructed around a ruling of the Dutch Trade and Industry Appeals Tribunal (hereinafter ‘CBb’).⁷⁵ The events on which this case is based took place between July 2017 and January 2020. The facts here presented are extracted from publicly available documents, including the ruling of the CBb, Dutch legal sources and documents published by the actors involved in the facts of the case. The legal context here described is given by the laws and regulations in force at the time of the events of the case and, where relevant, at the time of writing of this article.⁷⁶

3.1. Background of the case

In the Netherlands, the management of consumer data is largely the responsibility of the DSOs, who, at the time of the events of the case, had jointly delegated their data management tasks to Energie Data Services Nederland (EDSN). In the Netherlands, following the Electricity Act 1998,⁷⁷ DSOs are legally responsible for installing, operating and collecting the data from smart meters and are obliged to share smart meter data with suppliers for the purposes of billing, changes of residence and switching of suppliers.⁷⁸ In addition, DSOs must give access to smart meter data to third parties (eg providers of energy services) if the consumer gives consent to do so, following the rules of the GDPR.⁷⁹ This is explicitly regulated in the Dutch Electricity Act.

Besides smart meter data, DSOs also manage central data registers that are crucial for the functioning of the electricity market, including the ‘Connection register’ (aansluitingenregister –‘C-AR’) and the ‘End of contract register’ (contracteindegegevensregister – ‘CER’). The management of these data registers is regulated not in the Dutch Electricity Act, but in the Information Code Electricity and Gas (ICEG).⁸⁰ The ICEG is an administrative act or ‘generally binding regulation’⁸¹ adopted by the Dutch NRA for the energy sector, the Authority for Consumers and Markets (ACM),⁸² on the basis of a proposal submitted by market parties engaged in the transport, supply or metering of electricity.⁸³ The ICEG lays down the conditions that apply to the exchange, recording, use and storage of data in the energy sector.⁸⁴

The C-AR and CER were originally created as a ‘single source of truth’ to facilitate coordination between DSOs and suppliers in the context of the administrative processes that keep the retail electricity market running, eg invoicing, switching suppliers, moving in or out of a house.⁸⁵ The exchange of data for these processes is part of the regulatory obligations of DSOs and suppliers. Next to this regulated use of data, a new use of data from the C-AR and CER registers was found: the data could also be retrieved by potential new suppliers to prepare personalised offers for consumers.

A personalised offer⁸⁶ entails that consumers who want a new energy contract can receive offers from energy suppliers, tailored to their actual needs and preferences.⁸⁷ In that sense, personalised offers facilitate consumers making more informed choices, allowing consumers to compare offers from different suppliers and facilitating switching of suppliers. To prepare a personalised offer, energy suppliers need data on the consumer, including the regional location and capacity of the connection in the household, annual energy consumption, the end date of the current energy contract and the contractual notice period.⁸⁸ This information is in principle known to the consumers, and they can manually provide it to the energy suppliers (eg by filling it in through the website of the supplier or through a price comparison website). However, it is also possible for energy suppliers to retrieve this information directly from the C-AR and CER managed by the DSOs, with the consent of the consumers (obtained eg during a phone call or in person at a shop).⁸⁹ At the time of the events of the Personalised Offer case here analysed, the latter option was considered more convenient for consumers and suppliers.

Since the data needed to prepare the personalised offers are information relating to identifiable natural persons (the consumers), they qualify as personal data and must be processed in accordance with the GDPR. From the perspective of the GDPR, in the Personalised Offer case, the DSOs were the controllers of the personal data stored in the C-AR and CER.⁹⁰ Once the data (in fact, a copy of the data) were transferred to the requesting supplier to prepare a personalised offer, this supplier became the controller of the received data.⁹¹

The data exchange for the purposes of personalised offers was initially not regulated in the ICEG or any other national regulation, and it did not fall per se under the data exchanges necessary to comply with legal obligations of the DSOs or the suppliers. However, after a huge data theft incident involving C-AR and CER data of two million Dutch households in 2016,⁹² the market parties of the energy sector and the ACM deemed it necessary to lay down formal rules to regulate this data exchange in the ICEG. Following a proposal submitted by representatives of the market parties, in October 2018 the ACM adopted an administrative decision to amend the ICEG (hereinafter, ‘the Decision’)⁹³ aimed at ‘improving the security of (personal) data that are registered and exchanged for small-scale consumption connections’.⁹⁴ This Decision introduced several articles into the ICEG, including two articles requiring DSOs to share consumer data from the C-AR and CER with the suppliers for the purposes of preparing personalised offers, provided that the consumer had given his/her consent.⁹⁵

In January 2020, the Dutch DSOs (through their branch association Netbeheer Nederland) announced that they would stop giving suppliers access to consumer data for the purposes of making personalised offers.⁹⁶ This announcement was motivated by a court ruling issued by the CBb on 14 January 2020. The ruling annulled the articles of the ICEG that obliged DSOs to share data from the C-AR and CER with suppliers for the preparation of personalised offers. In the absence of a clear legal basis for sharing (personal) data from the central registers with the suppliers, DSOs decided to stop giving access to these data.⁹⁷ In practice, this meant that in order to prepare personalised offers, suppliers could no longer retrieve data from the central registers and had to rely solely on the information actively provided by the consumers themselves. This made the preparation of the personalised offers more cumbersome for both consumers and suppliers and created the risk of penalties for anticipated contract termination if the information provided by the consumers was not accurate.⁹⁸

The next several subsections will elaborate on the argumentation behind the CBb ruling and the circumstances that led to this court decision, which provide rich insights into the challenges of aligning the GDPR with the sectoral rules for access to consumer data. From a data protection perspective, the CBb ruling deals with one of the core principles laid down in the GDPR, the one requiring that personal data are processed ‘lawfully, fairly and in a transparent manner’.⁹⁹ In particular, the ruling concerns the lawfulness of personal data processing, which is addressed more specifically in art 6 of the GDPR. Paragraph 1 of this article states that the processing of personal data is lawful only if at least one of six grounds applies. Such grounds are specified in literals (a) to (f) of the said provision and include the consent of the data subject,¹⁰⁰ as well as necessity of the processing in specific situations.¹⁰¹ The CBb ruling focuses on the ground of necessity to comply with a legal obligation to which the data controller is subject (art 6, para 1, (c)).

3.2. Origins of the legal controversy and the CBb ruling

Following the abovementioned data theft incident, in May 2017, representatives of the Dutch energy sector submitted a proposal to amend the ICEG and introduce provisions clarifying the responsibilities of market parties and strengthening checks regarding the processing of personal data in the context of data exchanges.¹⁰²

3.2.1. The advice from the Dutch DPA

Since the amendments to the ICEG entailed the processing of personal data, the ACM requested the advice of the Dutch DPA, the Autoriteit Persoonsgegevens (hereinafter, ‘AP’) as part of the rule-making process.¹⁰³ One of the main points raised by the AP in its advice was that the proposed amendments to the ICEG were intended to create a ground for the processing of personal data, specifically, a legal obligation¹⁰⁴ for DSOs to share consumers’ personal data with energy suppliers. In the view of the AP, this was beyond the legal scope of the ICEG as defined by the Dutch Electricity Act, because the ICEG was intended to set conditions for data processing, which is fundamentally different from creating a legal ground for personal data processing.¹⁰⁵ Besides, the AP argued that it is not reasonable that the processing of personal data by the energy sector can be justified and legitimised in a code prepared by the sector itself and adopted by the ACM.

In the view of the AP, the legal grounds for data processing should be laid down in the Electricity Act or in an administrative act (order in council or ministerial regulation) based thereon.¹⁰⁶ Only the conditions, ie ‘the manner in which the data processing is practically applied’, can be laid down in the ICEG.¹⁰⁷ In the view of the AP, introducing legal grounds to process personal data in the ICEG resulted in ‘an unbalanced and unclear regime with regard to the processing of personal data in the energy sector’.¹⁰⁸ The AP thus recommended ACM take a closer look at the issue of the grounds for processing of personal data in the ICEG, and advised against adopting the draft of the Decision that ACM sent for review.

3.2.2. The decision adopted by the ACM

The ACM followed the advice from the AP only to a certain extent. The energy regulator adopted the Decision introducing the two articles that required DSOs to share consumer data from the C-AR and CER with the suppliers, for the purposes of making personalised offers. From the explanatory notes of the Decision, it seems that the DSOs (as data controllers) had intended to rely on the data sharing obligations to be introduced in the ICEG as the lawful ground to share C-AR and CER data in compliance with the GDPR.¹⁰⁹ However, citing the aforementioned advice of the AP as well as legislative explanatory memoranda concerning the scope of the ICEG,¹¹⁰ the ACM specified that the ICEG did not provide a lawful basis to process consumers’ personal data under art 6, para 1 (c) of the GDPR (necessity to comply with a legal obligation).

The ACM deviated from the AP’s advice in one important point. Instead of further investigating what could be the appropriate ground for the processing of personal data in this case (because, in its view, this was beyond its competences), the ACM stated that it was the responsibility of the DSOs to find the appropriate lawful basis to implement the data sharing obligations introduced in the ICEG by the Decision.¹¹¹

3.2.3. The position of the DSOs and other market parties

NEDU and Netbeheer Nederland, acting as representatives of the energy market parties, had already expressed their disagreement with the approach of the ACM during the procedure that preceded the adoption of the Decision,¹¹² and later when they submitted appeals against the Decision, requesting the annulment of said articles of the ICEG.

In the view of NEDU and Netbeheer Nederland, the ICEG could and should be considered an appropriate legal basis to introduce an obligation to share data with the suppliers for the purposes of the Personalised Offers. This was especially true, they argued, because DSOs in the Netherlands (due to strict unbundling requirements) are not allowed to engage in activities other than those entrusted to them by law.¹¹³ In addition, it is relevant to note that art 79 of the Dutch Electricity Act imposes upon DSOs an obligation to ensure that confidential information they hold is not made available to third parties, unless a statutory provision provides otherwise.¹¹⁴ In this sense, the legal context of the Dutch electricity sector explains why DSOs wanted the ICEG to enshrine a legal obligation to provide data for the personalised offers in the first place.

Netbeheer Nederland also expressed that the Decision of the ACM left DSOs at a crossroads. DSOs would either have to comply with the ACM’s Decision and share the data with the suppliers, even if they could not invoke another valid ground for personal data processing from the list in art 6 of the GDPR, risking corrective measures from the AP (data protection authority); or they would have to refrain from sharing the data with the suppliers in order to avoid processing data without a basis in the GDPR, risking enforcement actions from the ACM (the energy regulator).¹¹⁵ These and other arguments were the basis for the appeals submitted by NEDU and Netbeheer Nederland before the CBb.

3.2.4. The CBb ruling

The ruling deciding the appeals focuses mainly on one charge, namely that ACM interpreted the GDPR incorrectly, by concluding in its Decision that the ICEG does not form the basis for a legal obligation within the meaning of art 6, para 1 (c) of the GDPR.¹¹⁶

The CBb ruling starts by acknowledging that the ACM was right in asserting that the Electricity Act 1998 does not allow the introduction of a legal obligation to process (in this case, give access to) personal data in the ICEG.¹¹⁷ In the jargon of the GDPR, this means that, according to the CBb, the ICEG cannot be seen as the basis of a legal obligation to process personal data.¹¹⁸ The CBb based this conclusion on the same parliamentary documents about the ICEG and the advice from the AP cited by the ACM in the explanatory notes of the appealed Decision referred to above.

Nevertheless, the CBb decided to annul the articles of the Decision regulating the transmission of consumer data for the purposes of personalised offers. In the Tribunal’s view, despite the explanatory statements, with the contested articles ACM did impose a legal obligation to process (in this case, to share) personal data upon the DSOs, in contravention of the Dutch Electricity Act 1998. That was the case because ACM formulated the attacked articles in a mandatory and unconditional manner, obliging DSOs to provide data to the suppliers, regardless of the existence of a ground for data processing following art 6 of the GDPR.¹¹⁹ This was the reasoning of the CBb to annul the articles concerning the data exchange for the purposes of a customised offer in the ICEG.

3.2.5. Consequences of the CBb ruling

As already anticipated, the immediate consequence of the ruling was that DSOs decided to stop giving suppliers access to consumer data from the C-AR and the CER, making the preparation of personalised offers more cumbersome for suppliers and consumers. The impact of this ruling is considerable and goes beyond this specific case, casting doubts regarding the alignment between the GDPR and the current system of rules concerning data exchanges in the Dutch electricity sector, in particular concerning the grounds for legitimate personal data processing.¹²⁰ Although the CBb ruling only annulled two specific articles from the ICEG about one particular data exchange, its reasoning refers to and can be applied to the ICEG as a whole, raising the crucial question of whether there are other exchanges of personal data in the Dutch electricity sector that have no legal basis other than the ICEG itself.

At the moment of writing, the Dutch Ministry of Economic and Climate Affairs (responsible for the energy sector) is preparing a bill for a new Energy Act.¹²¹ It is expected that the new legislation (partly intended to transpose the Recast Electricity Directive) will include a re-design of the rules for data management and data exchange in the energy sector in the Netherlands.¹²² Concerning the topic of this paper, the latest bill includes provisions that aim at clarifying the obligations of DSOs concerning the sharing of data with eligible parties and thereby the lawful ground(s) for data processing for certain market processes. The first contours of the proposed legislation were published after the CBb ruling here analysed, in July 2020. Although not explicitly acknowledged, it seems plausible that the Personalised Offer case influenced the renewed attention given to data protection and the grounds for personal data processing in the bill.

The next section will zoom out from the specific facts of the Personalised Offer case and will draw lessons concerning the interplay between the Recast Electricity Directive and the GDPR. Suggestions to enhance the alignment between the two legal regimes here studied will be also presented in the next section.

4. Lessons from the Personalised Offer case

The case described above provides rich insights into how the two legal frameworks here analysed interact in practice and allows us to distil lessons that can guide member states in ensuring consistent application of the two frameworks. The issues here identified are of relevance not only for the Netherlands, but also for other member states. This is the case considering that all member states must lay down rules for access to consumer data following the Recast Electricity Directive and ensure that access to consumer data takes place in compliance with EU personal data protection legislation. In addition, DSOs have a prominent role as data managers not only in the Netherlands, but also in many other member states.¹²³

With the entry into force of the Recast Electricity Directive, member states should have started to introduce or update the legal framework for access to consumer data.¹²⁴ The upcoming adoption of the implementing acts concerning interoperability requirements and procedures for access to consumer data (pursuant to art 24 of the Directive mentioned above) might require that member states introduce further adjustments or specifications to their national data access rules. In addition, the ‘ exchange of data between different actors while respecting privacy and data protection’ is one of the focus points of the action plan put forward by the European Commission to further the digitalisation of the energy system in the EU in the coming years.¹²⁵ All the above presents an opportunity to (re)examine how it will be ensured that access to consumer data can take place in compliance with the GDPR.

The next sections focus on two main lessons that arise from the ‘Personalised Offer’ case: on the one hand, the importance of ensuring substantive alignment between the rules for access to consumer data adopted by member states and the GDPR; and, on the other hand, the need to strengthen cooperation mechanisms between the supervisory authorities from each regime.

4.1. Enhancing substantive alignment between the data access rules adopted by member states and the GDPR

When regulating access to consumer data following the Recast Electricity Directive, member states should take into account that the obligations and requirements arising from such rules cannot be seen in isolation from the obligations and requirements arising from the GDPR. As explained in section 2 of this contribution, the managers of consumer data are also data controllers or processors in respect of personal data and are bound by the GDPR as much as they are bound by the data access rules.

Compliance with the GDPR is not and ‘add-on’ but a precondition to access consumers’ personal data in the electricity sector. Member states should not disregard this when regulating access to consumer data following the Recast Electricity Directive. As observed in the Personalised Offer case with the decision of the DSOs to stop sharing data with the suppliers, legal uncertainty regarding whether data can be shared in compliance with the GDPR might end up hindering data sharing in the electricity market.

In the explanatory statements of ACM’s Decision, the energy regulator asserted that the DSOs (as data controllers under the GDPR) were the ones responsible for finding the appropriate grounds for personal data processing to comply with the data sharing obligations introduced to the ICEG with the Decision. Moreover, the explanatory statements also stated that ACM was not obliged to test the feasibility of the amendments to the ICEG against the GDPR, only against the energy legislation.¹²⁶

This contribution argues that data managers, in their roles as data controllers or processors, should not be the sole parties responsible to determine how consumer data will be exchanged in compliance with the GDPR. Leaving the issue at the entire discretion of the data managers might be problematic from the perspective of non-discriminatory access to consumer data. This is especially important in member states in which data are managed by DSOs and (unlike in the Netherlands) the national unbundling requirements do not prevent them from being active in other segments of the market, for instance, as energy suppliers.¹²⁷ In such countries, if there is no clear guidance on how the requirements in the GDPR will be applied in the context of access to consumer data, there is a risk that DSOs (as data managers) will apply stricter data protection requirements when competitors request access to data.

Hence, there is a role to be played by member states (legislators or competent authorities designated to regulate data sharing) to ensure that eligible parties can access consumer data under transparent and non-discriminatory conditions, as well as to ensure the right to the protection of personal data of consumers/data subjects.

Ensuring alignment between the two legal frameworks here analysed requires more than just introducing an explicit reference to the applicability of the GDPR in the data access rules. The GDPR is a general legal framework with many open-ended provisions, intended to be applied in a broad range of sectors where personal data are processed. Consequently, the provisions in the GDPR are not per se tailored to the specific needs and dynamics of the electricity sector, eg in terms of types of data, the specific risks involved in the processing of such data, and the actors involved in the exchange of data – and vice versa, the sectoral legislation of the electricity market is not primarily designed for the protection of personal data. The exchanges of data in this sector encompass data that do and do not qualify as personal data and must serve policy objectives beyond the protection of personal data. Hence, the substantive alignment of these two legal frameworks cannot be taken for granted.

There are several ways in which member states can contribute to the alignment between the GDPR and the rules for access to consumer data in the electricity sector. One such way concerns the possibility that member states have of specifying the rules in the GDPR by adopting national legal provisions that set out ‘the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful’.¹²⁸ In this regard, member states could clarify, for example, whether certain data exchanges need to be legitimised by a legal obligation, and if there are cases in which the consent of or a request from the consumer is a precondition for the data exchange.

An alternative or complementary approach could be that member states require that data managers draw up codes of conduct, in which they specify the application of the GDPR in the context of access to consumer data. Article 40 of the GDPR provides that associations or other bodies representing categories of controllers or processors can prepare codes of conduct ‘intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors’.¹²⁹ As acknowledged by the European Data Protection Board, codes of conduct are instruments that contribute to legal certainty ‘by providing practical solutions to problems identified by particular sectors in relation to common processing activities’.¹³⁰ Besides assisting data managers to comply and demonstrate compliance with the GDPR, drawing up codes of conduct where the data managers explain how they interpret and apply the requirements of the GDPR when providing access to consumer data can contribute to fulfil the transparency and non-discriminatory requirements laid down in art 23 of the Recast Electricity Directive.

4.2. The need to strengthen formal cooperation mechanisms between data protection authorities and energy regulators

As anticipated in section 2 of this article and illustrated by the Dutch case described in section 3, the powers of the DPAs and the NRAs are likely to come into contact with each other, as both authorities are competent to oversee access to consumer data, from their respective regulatory fields. The fact that multiple supervisory authorities are competent to supervise the conduct of the same market actors is not per se a problem, because each authority pursues the objectives of its respective regulatory framework. However, cooperation¹³¹ between the supervisory authorities is crucial to ensure consistent application of the two frameworks.

In the Dutch case, it was observed that each supervisory authority had a different approximation to the issue of legitimate grounds for data processing in the context of the amendments to the ICEG. The advice from the AP questioned the legitimacy of the system of rules in the electricity sector, arguing (among others) that the ICEG cannot be used to legitimise the processing of personal data because its provisions are adopted following proposals submitted by the same market actors that process personal data. In addition, the AP urged the ACM to not adopt the proposed text and consider further how the exchanges of personal data to be regulated in the ICEG would be legitimised, taking into consideration that the ground of legal obligation could not be invoked. The ACM took into account the advice of the AP only partially and adopted the Decision without examining further the issue of grounds for legitimate processing of personal data, arguing that this should be taken care of by the DSOs, leading to the crossroads situation described earlier in this contribution.

DPAs and NRAs are experts in their respective fields, and it is understandable that they do not have sufficient expertise in the working of each other’s field. Since access to consumer data is a topic where data protection legislation and electricity market legislation intersect, it is important for the consistent application of these two frameworks that DPAs and NRAs can properly cooperate, to complement each other’s expertise and, where appropriate, take joint enforcement actions.

As noted by Lavrijssen Espinosa Apráez and ten Caten, neither the GDPR nor the Recast Electricity Directive provides clear mechanisms for cooperation between the DPAs and NRAs.¹³² The Recast Electricity Directive mostly focuses on cooperation between NRAs from different member states, the European Commission and the Agency for the Cooperation of Energy Regulators (ACER).¹³³ Regarding cooperation between NRAs and other national authorities, the Directive merely mentions that the NRAs should exercise their powers in close cooperation with other national authorities, mainly competition authorities and consumer protection authorities.¹³⁴ In the GDPR there are mechanisms to enable cooperation between DPAs of different member states,¹³⁵ but nothing is said about cooperation between DPAs and other supervisory authorities such as NRAs. Against this background, there is a role to be played by member states in ensuring that national legal frameworks facilitate the cooperation of these authorities.

The overlap of competences from different supervisory authorities is not a new issue and surely not one happening exclusively in the electricity sector. The convergence of different regulatory domains that is taking place in the context of digital markets (in particular concerning competition, consumer protection and personal data protection law) is also illustrative of this phenomenon.¹³⁶ This has led to initiatives to enhance cooperation between the supervisory authorities from each domain, at both the EU and the member state level. These initiatives can serve as a reference to develop cooperation mechanisms between DPAs and NRAs.

At the EU level, one example of such initiatives is the ‘Digital Clearing House’, a platform bringing together regulatory authorities, policymakers and other stakeholders, aimed at achieving ‘better and more coherent protection of individuals in an era of big data and artificial intelligence’.¹³⁷ The Digital Clearing House is a voluntary network of regulatory authorities from the competition, data protection and consumer protection domains, that emerged following a recommendation from the European Data Protection Supervisor (EDPS) in 2016.¹³⁸

At the member state level, an interesting example is found in the Netherlands. In October 2021, the Dutch DPA (AP), the ACM (as Authority for Consumers and Markets), the Authority for the Financial Markets and the Dutch Media Authority launched the ‘Digital Regulation Cooperation Platform’.¹³⁹ The cooperation between the different authorities is aimed at strengthening oversight in the digital and online environment, by means of exchanging knowledge and experiences, making joint investments in expertise and skills, and exploring avenues to cooperate in enforcement procedures (eg taking joint action).¹⁴⁰ A similar initiative exists in the former EU member state the United Kingdom, where the Competition and Markets Authority, the communications regulator (OfCom) and the DPA (Information Commissioner’s Office) launched a Digital Regulation Cooperation Forum.¹⁴¹

Another more formal alternative for cooperation is exemplified by bilateral cooperation protocols. In the Netherlands, for example, the DPA (AP) has entered into cooperation agreements with supervisory authorities from different regulatory fields that intersect with the protection of personal data – eg financial services, healthcare, competition law and consumer protection.¹⁴² The cooperation protocols include, among other things, provisions regarding periodic meetings between the supervisory authorities, the appointment of contact persons, the exchange of information and guidelines on how to proceed in cases of concurrent powers.¹⁴³

These initiatives to further cooperation between different regulators involved in the supervision of digital markets might serve as a reference for member states to devise legal mechanisms for cooperation between energy regulators and DPAs, or to include energy regulators in existing cooperation networks. National legislators can lay down the legal basis and general objectives of such cooperation, and the supervisory authorities can develop the specific arrangements to materialise it. Besides creating a normative framework to enable cooperation between energy regulators and DPAs, it is important that member states make available sufficient resources to allow these authorities to actually cooperate.

5. Conclusions

The growing interest in consumer data in the context of the EU data economy and the energy transition has led to the inclusion of provisions in the Recast Electricity Directive requiring member states to lay down clear rules for access to such data. Consumer data can also qualify as personal data, thereby triggering the application of the GDPR alongside the data access rules.

Although the Recast Electricity Directive explicitly acknowledges that the exchange of consumers’ personal data should be done in accordance with the GDPR, it offers little guidance regarding how this can be achieved. Hence, there is a role to be played by member states to organise and regulate efficient and non-discriminatory access to consumer data in a way that the protection of personal data is ensured.

This article analysed a case from the Dutch electricity sector (the Personalised Offer case), which illustrated the challenges of applying simultaneously the GDPR and the sectoral rules for access to consumer data. The overall conclusion to take from this analysis is that member states (in particular, legislators and national supervisory authorities) should take steps to avoid legal uncertainty and ensure the consistent application of both frameworks, making it possible for consumer data to be accessed while safeguarding personal data protection.

Even if the case is based on the specific regulatory context of the Netherlands at the time of the events, the issues here identified can also play a role (mutatis mutandi) in other member states, taking into account that DSOs have an important involvement in data management in many countries, and the fact that all member states have to appoint DPAs and NRAs.

Two main lessons from the case were discussed in section 4: firstly, the importance of ensuring substantive alignment between the rules for access to consumer data adopted by member states and the GDPR; and, secondly, the need to strengthen cooperation mechanisms between the supervisory authorities from each regime, namely NRAs and DPAs. Since the Recast Electricity Directive does not deal with the issues here identified, member states ought to be proactive when regulating access to consumer data and not limit themselves to making explicit reference to the applicability of the GDPR. Concrete suggestions of what could be done to strengthen substantive alignment between the two legal frameworks here analysed and cooperation of the concurrent supervisory authorities were also provided in section 4.

The research here presented focused on extracting lessons from the Dutch case concerning the two main issues already explained. Of course, this does not exclude that there might be other challenges arising from the interplay of the GDPR and EU electricity legislation.¹⁴⁴

An interesting avenue for further research would be to examine to what extent member states pay attention to the interplay between the two frameworks when transposing the Recast Electricity Directive, and whether measures are taken to ensure substantive alignment and cooperation between the supervisory authorities. A question that may follow from such exploration (if it turns out that member states follow divergent interpretations or approaches) is to what extent further harmonisation of data protection in the electricity sector is necessary to ensure equivalent protection of personal data across the EU and/or to avoid obstructions to the internal market for electricity. A similar question was proposed already in 2012 by the European Data Protection Supervisor in its Opinion concerning the roll-out of smart meters under the Third Energy Package and the Data Protection Directive (Directive 95/46/EC).¹⁴⁵ Observing how member states deal with the challenges of applying the current data protection and electricity legislation can provide the input to answer this important question.

Acknowledgements

The author thanks Martijn Jonker (Alliander) for his help in identifying and understanding the sources of information needed to construct the case analysed in this paper, and for his detailed explanations of the Dutch electricity sector. The author also thanks Prof. Dr Saskia Lavrijssen, Prof. Dr Martijn Groenleer, Dr Inge Graef, Dr Irene Kamara, and Mara Paun for reading and commenting on earlier versions of this article. Many thanks also to the anonymous reviewers for their constructive feedback. Any views expressed in this article and any errors or omissions remain the responsibility of the author.

Disclosure statement

No potential conflict of interest was reported by the author.

Additional information

Funding

This work was supported by the Responsive Innovations programme of Next Generation Infrastructures (NGInfra) and the Dutch Research Council (Nederlandse Organisatie voor Wetenschappelijk Onderzoek – NWO), project number: 439.16.807.

Notes

1 On the digitalisation of the electricity sector, see Nicolò Rosetto and Valerie Reif, ‘Digitalization of the Electricity Infrastructure: A Key Enabler for the Decarbonization and Decentralization of the Power Sector’ in Juan Montero and Matthias Finger (eds), A Modern Guide to the Digitalization of Infrastructure (Edward Elgar 2021) <https://doi.org/10.4337/9781839106057> accessed 28 January 2022

2 For further reading on the different types of data used in the electricity sector, see Rosetto and Reif (n 1) at 9.2.2

3 For further reading on the liberalisation, and more generally, the (evolution of the) regulation of the electricity market in the EU, see Leigh Hancher and Pierre Larouche, ‘The Coming of Age of EU Regulation of Network Industries and Services of General Economic Interest’ in Paul Craig and Gráinne De Búrca (eds), The Evolution of EU Law (2nd edn, Oxford University Press 2011); Leonardo Meeus and Valerie Reif, Why Did We Start with Electricity Markets in Europe? (Edward Elgar 2020) <www.elgaronline.com/view/9781789905465.00013.xml> accessed 26 October 2022

This article has been corrected with minor changes. These changes do not impact the academic content of the article.

4 See section 2.1

5 See European Commission, ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions “Digitalising the Energy System – EU Action Plan”’ (European Commission 2022) COM/2022/552 final <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022DC0552&qid=1666369684560> accessed 29 October 2022; European Commission, ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions “A European Strategy for Data”’ (European Commission 2020) COM/2020/66 final <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0066>

6 See section 2.1

7 Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules forthe internal market for electricity and amending Directive 2012/27/EU, OJ L 158/125 [hereinafter 'Recast Electricity Directive'], art 23

8 Art 23 of the Recast Electricity Directive does not use the term ‘consumer’ but ‘final customer’. ‘Final customer’ is a broad notion encompassing both natural and legal persons, defined in the Directive as ‘a customer who purchases electricity for own use’ (art 2(1), Directive (EU) 2019/944). The term ‘consumer’ will be used in this contribution instead of ‘final customer’ for practical reasons. Firstly, even if the Recast Electricity Directive does not list ‘consumer’ as one of the definitions in art 2, it does use the expression throughout its text. In fact, art 23 is under ch III of the Directive, entitled ‘CONSUMER EMPOWERMENT AND PROTECTION’. Secondly, the term ‘consumer’ is defined in EU legislation on consumer protection as any natural person acting for purposes outside their trade, business, craft or profession (see eg Directive 2005/29/EC concerning unfair business-to-consumer commercial practices in the internal market and Directive 2011/83/EU on consumer rights). This research focuses on the interplay between electricity market legislation and personal data protection legislation, the latter applicable to the processing of data relating to natural persons. Hence, the term ‘consumer’ seems more precise and suitable than that of ‘final customer’ for the purposes of this contribution

9 Art 23, para 1, Recast Electricity Directive

10 Art 23, para 2, Recast Electricity Directive

11 Art 23, para 3, Recast Electricity Directive

12 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1

13 In this regard, see Saskia Lavrijssen, Brenda Espinosa Apráez and Thijs ten Caten, ‘The Legal Complexities of Processing and Protecting Personal Data in the Electricity Sector’ (2022) 15 Energies 1088 <www.mdpi.com/1996-1073/15/3/1088> accessed 1 April 2022

14 See section 2.2

15 Kaisa Huhta, ‘Smartening Up While Keeping Safe? Advances in Smart Metering and Data Protection under EU Law’ (2020) 38 Journal of Energy & Natural Resources Law 5 <https://doi.org/10.1080/02646811.2019.1622244>

16 Inge Graef, Jasper van den Boom and Martin Husovec, ‘Spill-Overs in Data Governance: Uncovering the Uneasy Relationship Between the GDPR’s Right to Data Portability and EU Sector-Specific Data Access Regimes’ (2020) 9 Journal of European Consumer and Market Law 3 <https://kluwerlawonline.com/journalarticle/Journal+of+European+Consumer+and+Market+Law/9.1/EuCML2020002>

17 ‘The first tension lies in the fact that some of the innovations facilitated by smart metering in the energy sector rely on technologies that might not be entirely compatible with the GDPR. A second tension follows from the existence of separate but interrelated regimes for access to data of the consumer/data subject in the two legal instruments here analysed. The third tension relates to a possible overlap of competences between the supervisory authorities of both regimes’. Lavrijssen, Espinosa Apráez and ten Caten (n 13) 1

18 College van Beroep voor het Bedrijfsleven, ruling of 14 January 2020, cases 18/2783 and 18/2846, NJB 2020/245, ECLI:NL:CBB:2020:3 <https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:CBB:2020:3> accessed 10 May 2022 [hereinafter ‘CBb ruling’]

19 See section 3.1. of this article for further explanation of what a ‘personalised offer’ entails

20 For further explanation, see section 4 of this article

21 See eg Copenhagen Economics and VVA Europe, ‘Impact Assessment Support Study on: “Policies for DSOs, Distribution Tariffs and Data Handling”’ (Publications Office of the European Union 2016) 37–38. <https://ec.europa.eu/energy/sites/ener/files/documents/ce_vva_dso_final_report_vf.pdf> accessed 10 May 2022; EURELECTRIC, ‘The Power Sector Goes Digital – Next Generation Data Management for Energy Consumers’ (EURELECTRIC 2016) 8 <www.eurelectric.org/media/2029/joint_retail_dso_data_report_final_11may_as-2016-030-0258-01-e.pdf> accessed 10 May 2022 (37–38)

22 Art 2 (23) Recast Electricity Directive: ‘“smart metering system” means an electronic system that is capable of measuring electricity fed into the grid or electricity consumed from the grid, providing more information than a conventional meter, and that is capable of transmitting and receiving data for information, monitoring and control purposes, using a form of electronic communication’

23 Council of European Energy Regulators, ‘CEER Report on Innovative Business Models and Consumer Protection Challenges’ (CEER 2021) C20-CRM-DS-03–03 13 <www.ceer.eu/documents/104400/-/-/44055630-31dc-d3da-386a-a6edfec24eb1> accessed 10 May 2022

24 See Recital 5 of the Recast Electricity Directive

25 See eg the Green Loans initiative in the Netherlands in Data Sharing Coalition, ‘Green Loans’ <https://datasharingcoalition.eu/use-cases/sharing-energy-information-with-mortgage-providers-to-include-in-mortgage-applications> accessed 4 January 2022

26 European Commission, ‘Commission Staff Working Document – Impact Assessment Accompanying the Document Proposal for a Directive of the European Parliament and of the Council on Common Rules for the Internal Market in Electricity (Recast) [and Others]’ (European Commission 2016) SWD (2016) 410 final 455 <https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52016SC0410&from=EN> accessed 10 May 2022 (Part 5/5)

27 See for further reading European Commission, ‘Digitalising the Energy System – EU Action Plan COM/2022/552 Final’ (n 5); European Commission, ‘A European Strategy for Data, COM/2020/66 Final’ (n 5)

28 Recast Electricity Directive, art 23

29 Directive 2009/72/EC of the European Parliament and of the Council of 13 July 2009 concerning common rules for the internal market in electricity and repealing Directive 2003/54/EC, OJ L 211, 14.8.2009, 55–93

30 See recital 27 and art 3, para 11 of the Electricity Directive 2009

31 Electricity Directive 2009, Annex I, 1(h)

32 The Clean Energy package is a set of legislative measures proposed by the European Commission in 2016, aimed to help ‘[moving] away from fossil fuels towards cleaner energy – and, more specifically, to deliver on the EU’s Paris Agreement commitments for reducing greenhouse gas emissions’. See European Commission, ‘Clean Energy for All Europeans Package’ (Energy, n.d.) <https://energy.ec.europa.eu/topics/energy-strategy/clean-energy-all-europeans-package_en> accessed 10 May 2022

33 A data management model can be understood as the ‘technical model through which data is sourced, validated, stored, protected and processed, and through which it can be accessed’. Council of European Energy Regulators, ‘Review of Current and Future Data Management Models’ (CEER 2016) CEER Report C16-RMF-89–03 9 <www.ceer.eu/documents/104400/-/-/1fbc8e21-2502-c6c8-7017-a6df5652d20b> accessed 10 May 2022. In this sense, data management is the broader notion that encompasses different data processes, including data access

34 Title of Problem Area IV in the Impact Assessment of the Electricity Directive 2019, European Commission, ‘Impact Assessment Recast Electricity Directive SWD (2016) 410 Final’ (n 26) (Part 1/5) 70

35 European Commission, ‘Impact Assessment Recast Electricity Directive SWD (2016) 410 Final’ (n 26) 5 (Part 1/5)

36 For an overview of the types of data management models that member states have adopted in the past, see Council of European Energy Regulators (n 33); European Commission, Directorate General for Energy and others, ‘Format and Procedures for Electricity (and Gas) Data Access and Exchange in Member States’ (Publications Office of the European Union 2020) <https://data.europa.eu/doi/10.2833/719689> accessed 7 June 2021

37 This was, however, one of the options considered by the European Commission in the Impact Assessment of the Recast Electricity Directive; see European Commission, ‘Impact Assessment Recast Electricity Directive SWD (2016) 410 Final’ (n 26) 457 (Part 5/5)

38 The Recast Electricity Directive, art 23, para 3 specifies that the processing of personal data pursuant to the Electricity Directive 2019 shall be carried out in accordance with the GDPR

39 Recast Electricity Directive, art 23, para 2, and recital 57

40 European Commission, ‘Proposal for a Directive of the European Parliament and of the Council on Common Rules for the Internal Market in Electricity (Recast)’ (2017) COM(2016) 864 final/2 2016/0380(COD) <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52016PC0864R%2801%29> accessed 10 May 2022

41 Recast Electricity Directive, art 23, para 1

42 See in particular Recast Electricity Directive, art 20

43 See Council of European Energy Regulators (n 23) 35

44 Regarding access to complementary information on historical consumption, see Recast Electricity Directive, Annex I, section 4

45 ‘Near real time’ means ‘a short time period, usually down to seconds or up to the imbalance settlement period in the national market’; Recast Electricity Directive, art 2(26)

46 Recast Electricity Directive, art 20(a)

47 Art 24, para 2. The implementing acts must be adopted following the comitology procedure referred to in art 68, para 2 of the Electricity Directive 2019. At the time of revising this paper (October 2022), the implementing acts on interoperability and procedures for access to data have not been adopted yet. It is expected that the first implementing act(s) will be adopted in the third quarter of 2022. See European Commission, ‘Digitalising the Energy System – EU Action Plan COM/2022/552 Final’ (n 5) 21

48 Recast Electricity Directive, art 24, para 1. The interoperability requirements and procedures introduced by the implementing acts must be based on national practices (art 24, para 3)

49 Recast Electricity Directive, art 20, literal (e)

50 Following the guidelines on the right to data portability issued by the Article 29 Working Party (a former EU advisory body in the area of personal data protection, replaced by the European Data Protection Board under the GDPR) data ‘provided by the data subject’ include data that have been actively provided by the data subject, as well as data that have been ‘observed from the activities of users such as raw data processed by a smart meter or other types of connected objects’. Article 29 Data Protection Working Party, ‘Guidelines on the Right to Data Portability (Adopted on 13 December 2016, as Last Revised and Adopted on 5 April 2017)’ (2017) WP 242 rev.01 9–10 <https://ec.europa.eu/newsroom/article29/items/611233/en> accessed 11 May 2022

51 For further reading on the right to data portability, see Article 29 Data Protection Working Party, 'Guidelines on the Right to Data Portability' (n 50); Paul De Hert and others, ‘The Right to Data Portability in the GDPR: Towards User-Centric Interoperability of Digital Services’ (2018) 34 Computer Law & Security Review 193 <www.sciencedirect.com/science/article/pii/S0267364917303333> accessed 11 May 2022; Inge Graef, Martin Husovec and Nadezhda Purtova, ‘Data Portability and Data Control: Lessons for an Emerging Concept in EU Law’ (2018) 19 German Law Journal 1359 <www.cambridge.org/core/journals/german-law-journal/article/data-portability-and-data-control-lessons-for-an-emerging-concept-in-eu-law/5904FB88DDC1B9E6EC651A7F89058433> accessed 11 May 2022; Graef, van den Boom and Husovec (n 16)

52 Article 29 Data Protection Working Party, 'Guidelines on the Right to Data Portability' (n 50) 4

53 See eg Graef, van den Boom and Husovec (n 16); Richard Feasey and Alexandre de Streel, ‘Data Sharing for Digital Markets Contestability: Towards a Governance Framework’ (CERRE 2020) <https://cerre.eu/publications/data-sharing-digital-markets-competition-governance> accessed 11 May 2022; Heike Schweitzer and Robert Welker, ‘A Legal Framework for Access to Data – A Competition Policy Perspective’ in German Federal Ministry of Justice and Consumer Protection and Max Planck Institute for Innovation and Competition (eds), Data Access, Consumer Interests and Public Welfare (1st edn, Nomos Verlagsgesellschaft mbH & Co KG 2021) <https://doi.org/10.5771/9783748924999-103> accessed 11 May 2022

54 Art 1 and recital 170, GDPR

55 A controller is a natural or legal person, public authority or agency which (alone or jointly with others) determines the purposes and means of the processing of personal data, or which has been nominated as controller by EU or member state law. See art 4 (7) GDPR

56 ‘Processor’ means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’, rt 4 (8) GDPR

57 For the material and territorial scope of the GDPR, see art 2 and 3 of that Regulation

58 Art 4 (1), GDPR. As defined by the cited article, ‘an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’, art 4 (1) GDPR. For an explanation of why the processing of data collected by smart meters is subject to personal data protection legislation, see Article 29 Data Protection Working Party, ‘Opinion 12/2011 on Smart Metering’ (2011) WP 183 12 <https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp183_en.pdf> accessed 11 May 2022

59 Art 4 (2) GDPR

60 Lavrijssen, Espinosa Apráez and ten Caten (n 13)

61 Art 8 of the Charter of Fundamental Rights of the European Union [2012] OJ C 326/391

62 See art 20, (c), (e) and (f), Recast Electricity Directive

63 See in particular art 23, para 2 and 3 and art 34 of the Recast Electricity Directive

64 In practice, the added value of this reference is limited. Even without the clarification in the Directive, any processing of personal data falls under the scope of the GDPR, as defined by the Regulation itself

65 For an analysis of the factors that determine the roles of controller and processor, see European Data Protection Board, ‘Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR’ (EDPB 2021) Version 2.0 <https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf> accessed 11 May 2022

66 In this regard, see Huhta (n 15) 15–16

67 The providers of services based on energy data are usually considered ‘third parties’ because they are not part of the traditional relationship behind the supply of energy (consumer–supplier–DSO)

68 Art 4 (9) GDPR: ‘“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed […]’

69 For an overview of the different roles, rights and obligations stemming from the Recast Electricity Directive and the GDPR, see Lavrijssen, Espinosa Apráez and ten Caten (n 13)

70 Lavrijssen, Espinosa Apráez and ten Caten (n 13)

71 See ch VII of the Recast Electricity Directive

72 As well as ‘the provision, for optional use, of an easily understandable harmonised format at national level for consumption data, and prompt access for all customers to such data pursuant to art 23 and 24 [of the Recast Electricity Directive]’, art 59, para 1 (t), Recast Electricity Directive

73 Ch VI GDPR

74 Art 58 GDPR

75 CBb 14 January (2020) cases 18/2783 and 18/2846, NJB 2020/245, ECLI:NL:CBB:2020:3

76 Legal developments followed up to April 2022. Please note that new legislation is underway, and it is expected that important changes regarding data management and data exchange will be introduced. See the latest version of the Bill for an Energy Act (in Dutch: Wetsvoorstel Energiewet) published in November 2021 by Ministerie van Economische Zaken en Klimaat, ‘Wetsvoorstel Energiewet (UHT)’ (Rijksoverheid.nl, 26 November 2021) <www.rijksoverheid.nl/documenten/publicaties/2021/11/26/wetsvoorstel-energiewet-uht> accessed 11 May 2022

77 Wet van 2 juli 1998, houdende regels met betrekking tot de productie, het transport en de levering van elektriciteit (Elektriciteitswet 1998) [hereinafter ‘Electricity Act 1998’] <https://wetten.overheid.nl/BWBR0009755/2021-07-01> (accessed 11 May 2022)

78 Electricity Act 1998, art 26ab, para 1 and 2

79 Electricity Act 1998, art 26ab, para 4

80 Besluit van de Autoriteit Consument en Markt van 21 april 2016, met kenmerk ACM/DC/2016/202148, houdende de vaststelling van de voorwaarden als bedoeld in artikel 54, eerste lid, van de Elektriciteitswet 1998 en artikel 22, eerste lid, van de Gaswet (Informatiecode elektriciteit en gas) <https://wetten.overheid.nl/BWBR0037934/2022-05-18> (accessed 27 May 2022)

81 In Dutch: ‘algemeen verbindend voorschrift’

82 The ACM is the regulatory authority for the energy sector, but it also has competences in other economic sectors (telecommunications, transport, postal services and healthcare), as well as two other regulatory domains: competition law and consumer protection law. For an overview of the competences of the ACM, see Authority for Consumers & Markets, ‘Our Duties’ (ACM.nl, n.d.) <www.acm.nl/en/about-acm/mission-vision-strategy/our-tasks> accessed 11 May 2022

83 Pursuant to art 53 and 54 of the Electricity Act 1998. At the time of the events of the case, it was the Vereniging Nederlandse Energie Data Uitwisseling (NEDU), an association of companies representing the different market roles of the energy sector in the Netherlands, which prepared the proposals to amend the Information Code

84 Note that it is likely that under the future Dutch Energy Act the data management rules will be laid down in the Act itself and/or in ministerial regulations. Hence, the role of the Information Code might significantly change once the new legislation is adopted in the Netherlands. See the Bill for an Energy Act in Ministerie van Economische Zaken en Klimaat (n 76)

85 These registers were created as part of the implementation of the New Market Model (Nieuwmarkt Model) in the Netherlands in 2013. This model is a supplier-centric model, which entails that the main point of contact for the consumer is the energy supplier. Before the adoption of this model, both DSOs and suppliers were the point of contact for consumers for different parts of the administrative processes. For example, the consumers had to pay separate invoices to the DSO and the supplier for the grid costs and the supply costs, respectively. Or, if mistakes were made in the context of a switch of supplier, there were three parties involved in correcting mistakes (the old supplier, the new supplier and the DSO). See ‘Nieuw Marktmodel (NMM) voor de energiesector’ (DeEnergieGids.nl, n.d.) <www.deenergiegids.nl/overstappen/nieuw-marktmodel-energiesector> accessed 11 May 2022

86 In Dutch: ‘aanbod op maat’

87 See in this regard the document published by ACM, Authority for Consumers & Markets, ‘Provision of Information in the Consumer Energy Market’ (2016) <www.acm.nl/en/publications/publication/15991/Provision-of-information-in-the-consumer-energy-market> accessed 10 May 2022 section 3.3.3

88 See the explanatory note number 44 of the Besluit van de Autoriteit Consument en Markt van 16 oktober 2018, kenmerk ACM/UIT/498344 tot wijziging van de voorwaarden als bedoeld in de artikelen 31 en 54, eerste lid van de Elektriciteitswet 1998 en de artikelen 12b en 22 van de Gaswet betreffende het verbeteren van de beveiliging van data (codebesluit dataveiligheid) [hereinafter ‘the Decision’] <https://zoek.officielebekendmakingen.nl/stcrt-2018-60760.html> accessed 11 May 2022

89 Autoriteit Consument en Markt, ‘Aanbod op maat: een begrijpelijk aanbod van de energieleverancier’ (ACM Consuwijzer) <www.consuwijzer.nl/vergelijken-en-overstappen/energie/aanbod-op-maat> accessed 29 October 2022

90 See explanatory note number 45 of the Decision

91 See the proposal to change the Information Code submitted by NEDU (and Netbeheer Nederland) before ACM, on 29 May 2017, NEDU and Netbeheer Nederland, ‘Codewijzigingsvoorstel Dataveiligheid’ (2017) 1 <www.acm.nl/sites/default/files/old_publication/publicaties/17449_codewijzigingsvoorstel-dataveiligheid-2017-06-08.pdf> accessed 11 May 2022

92 See Netbeheer Nederland, ‘Uit Net NL: Sector Stelt Data En Marktwerking Veilig’ (Netbeheer Nederland, 5 October 2017) <www.netbeheernederland.nlnieuws/uit-net-nl-sector-stelt-data-en-markt-werking-veilig-1196> accessed 11 May 2022

93 See the Decision

94 Explanatory note number 24 of the Decision

95 Art 2.2.b4 and 2.5a.4

96 See the press release published by Netbeheer Nederland, ‘Geen Klantgegevens Meer Centraal Beschikbaar Voor Aanbod Op Maat’ (Netbeheer Nederland, 27 January 2020) <www.netbeheernederland.nlnieuws/geen-klantgegevens-meer-centraal-beschikbaar-voor-aanbod-op-maat--1333> accessed 11 May 2022

97 Netbeheer Nederland, ‘Geen Klantgegevens Meer Centraal Beschikbaar Voor Aanbod Op Maat’ (n 96)

98 See eg Pricewise, ‘Wat Is Het Contract Einde Register (CER)?’ (Pricewise.nl, n.d.) <www.pricewise.nl/energie-vergelijken/cer> accessed 11 May 2022

99 Principle of ‘lawfulness, fairness and transparency’, art 5 (a), GDPR

100 Art 6, para 1 (a), GDPR

101 Art 6, para 1, GDPR, literals (b) to (f) stipulate that the processing of personal data is lawful when it is necessary for: (b) the performance of a contract or to take steps to enter into a contract; (c) compliance with a legal obligation to which the controller is subject; (d) protecting the vital interests of the data subject or another natural person; (e) the performance of a task carried out in the public interest or the exercise of official authority by the data controller; (f) legitimate interests pursued by the controller or a third party

102 See NEDU and Netbeheer Nederland (n 91)

103 Request for advice from the ACM to the AP dated 4 July 2017, Authority for Consumers & Markets, ‘Adviesaanvrag Codevoorstel Dataveiligheid’ <www.acm.nl/nl/publicaties/adviesaanvraag-aan-de-autoriteit-persoonsgegevens> accessed 11 May 2022

104 Art 6, para 1 (c) GDPR

105 Advice from the AP dated 23 October 2017, Autoriteit Persoonsgegevens, ‘Advies van de Autoriteit Persoonsgegevens over Het Codevoorstel Dataveiligheid’ 2 <www.acm.nl/nl/publicaties/advies-van-de-autoriteit-persoonsgegevens-over-het-codevoorstel-dataveiligheid> accessed 11 May 2022

106 To support this claim, the AP refers to the fact that the processing of smart meter data is regulated by law (in the Dutch Electricity Act) and not in the ICEG. Autoriteit Persoonsgegevens, ‘Advies van de Autoriteit Persoonsgegevens’ (n 105) 2–3

107 Autoriteit Persoonsgegevens, ‘Advies van de Autoriteit Persoonsgegevens’ (n 105) 3 (free translation)

108 Autoriteit Persoonsgegevens, ‘Advies van de Autoriteit Persoonsgegevens’ (n 105) 2 (free translation)

109 From the analysis of the documents on which this case is based, it can be concluded that for the ACM and the AP the consent granted by the consumers to the suppliers to retrieve their (personal) data for a personalised offer could not serve as a lawful basis for the DSOs to share these personal data with the suppliers. In other words, the retrieval of data by the suppliers and the transmission of data by the DSOs were seen as two separate data processing activities, each of which needed a separate ground for data processing. See in particular Autoriteit Persoonsgegevens, ‘Advies van de Autoriteit Persoonsgegevens’ (n 105) and the explanatory notes of the Decision

110 Explanatory memoranda of legislative amendments to the Electricity Act 1998 concerning the ICEG. These documents stated that the ICEG does not provide a basis for the exchange of data (only a description of how data is exchanged (Tweede Kamer, Kamerstukken II, 2007–2008, 31374, no 3, p 24), and that the ICEG itself is not intended to provide a generic legal basis for the exchange and processing of personal data (Tweede Kamer, Kamerstukken II, 2009–2010, 32374, no 3, p 5). The latter explanatory memorandum also states that the ICEG regulates ‘how data is processed within the sector with a view to an unambiguously used model, and not that data should be/may be processed’. Free translation, emphasis added

111 See explanatory note number 50 of the Decision. The ACM also stated in the same explanatory note: ‘ACM will not further consider which other basis from the GDPR the network operators can use. It has not been found that network operators cannot rely on any other basis under art 6, para 1 of the GDPR. ACM therefore has no reason to assume that the code proposal is not feasible’ (free translation)

112 See the documents with the position of NEDU (dated 4 July 2018) and Netbeheer Nederland (dated 11 July 2018), NEDU, ‘Zienswijze NEDU Op Ontwerp Codebesluit Dataveiligheid’ <www.acm.nl/nl/publicaties/zienswijze-nedu-op-ontwerp-codebesluit-dataveiligheid> accessed 13 May 2022; Netbeheer Nederland, ‘Zienswijze Netbeheer Nederland Op Ontwerp Codebesluit Dataveiligheid’ <www.acm.nl/nl/publicaties/zienswijze-netbeheer-nederland-op-ontwerp-codebesluit-dataveiligheid> accessed 13 May 2022

113 See Netbeheer Nederland, ‘Zienswijze Netbeheer Nederland Op Ontwerp Codebesluit Dataveiligheid’ (n 112) 4. In this regard, art 17 of the Electricity Act 1998 states: ‘A network operator does not perform any activities other than those necessary for the proper performance of the duties assigned to it by or pursuant to the law’. Free translation

114 In this regard, see also Lexo Zardiashvili and Francien Dechesne, ‘Consumer Control of Energy Data: The Need for the Consent Management Mechanism in the Energy Sector of the Netherlands and Roadblocks Related to Its Implementation’ (Leiden University 2019) <https://scholarlypublications.universiteitleiden.nl/access/item%3A2983934/view> accessed 13 May 2022, section ‘Data Confidentiality and access’

115 Netbeheer Nederland, ‘Zienswijze Netbeheer Nederland Op Ontwerp Codebesluit Dataveiligheid’ (n 112) 3

116 CBb ruling [4.1]

117 CBb ruling [4.2]

118 Art 6, para 3 of the GDPR stipulates that to invoke a legal obligation as the lawful ground for the processing of personal data, the basis for the processing shall be laid down by EU or member state law

119 CBb ruling [4.3]

120 See Netbeheer Nederland, ‘Zienswijze Netbeheer Nederland Op Ontwerp Codebesluit Dataveiligheid’ (n 112) 4

121 For the latest published version of the bill, see Ministerie van Economische Zaken en Klimaat (n 76)

122 See ch 4 of the bill for an Energy Act, Ministerie van Economische Zaken en Klimaat (n 76)

123 As noted in section 2.1 of this article

124 The transposition deadline for the provisions concerning access to consumer data, in particular art 20, 23 and 24 of the Recast Electricity Directive, was 31 December 2020 (see art 71 of the said Directive)

125 See European Commission, ‘Digitalising the Energy System - EU Action Plan COM/2022/552 Final’ (n 5) 2

126 See also explanatory note number 81 of the Decision

127 In this regard, the Impact Assessment published by the European Commission together with the proposal for a Recast Electricity Directive stated: ‘As most DSOs are also energy suppliers, safeguards are necessary to prevent them using privileged access to consumer data – especially smart metering data – to gain a competitive advantage in their supply operations’. European Commission, ‘Impact Assessment Recast Electricity Directive SWD (2016) 410 Final’ (n 26) (Part 1/5) 76

128 Recital 10, GDPR. This Recital also recognises that ‘Member States have several sector-specific laws in areas that need more specific provisions’. See also art 6, para 2 of the GDPR

129 Art 40, para 1 and 2, GDPR

130 European Data Protection Board, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’ (EDPB 2019) Version 2.0 9 <https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-12019-codes-conduct-and-monitoring-bodies-0_en> accessed 13 May 2022

131 The term ‘cooperation’ is used here in a broad sense, to refer to situations in which different supervisory authorities work together in various degrees of interaction. This term is used because it is employed in the same way in the two legal frameworks here analysed, as will be explained below. However, note that the public administration literature makes a distinction among ‘cooperation’, ‘coordination’ and ‘collaboration’. For example, in McNamara (2012) these three notions are seen as a continuum. At one end of the spectrum there is ‘cooperation’, ie when agencies ‘[choose] to work together, within existing structures and policies, to serve individual interests. In the middle there is ‘coordination’, ie the ‘interaction between participants in which formal linkages are mobilized because some assistance from others is needed to achieve organizational goals’. And at the other end of the continuum is ‘collaboration’, ie the ‘interaction between participants who work together to pursue complex goals based on shared interests and a collective responsibility for interconnected tasks which cannot be accomplished individually’. Madeleine McNamara, ‘Starting to Untangle the Web of Cooperation, Coordination, and Collaboration: A Framework for Public Managers’ (2012) 35 International Journal of Public Administration 389, 391 <https://doi.org/10.1080/01900692.2012.655527> accessed 13 May 2022

132 Lavrijssen, Espinosa Apráez and ten Caten (n 13)

133 See eg art 58 (a) and art 59, para 1 (f) of the Recast Electricity Directive

134 See eg art 58 (g) and art 59, para 2 and 3 (b)

135 See ch VII of the GDPR

136 Yakovleva, Geursen and Arnbak use the expression ‘kaleidoscopic enforcement’ to refer to ‘situations where several competent authorities can, independently, carry out enforcement actions against the same practice, or where an authority competent to carry out enforcement in one area of law can borrow the concepts of another area to advance its own goals’. Svetlana Yakovleva, Wessel Geursen and Axel Arnbak, ‘Kaleidoscopic Data-Related Enforcement in the Digital Age’ (2020) 57 Common Market Law Review 1461 <www.kluwerlawonline.com/api/Product/CitationPDFURL?file=Journals/COLA/COLA2020744.pdf> accessed 13 May 2022. On the convergence of different regulatory domains in the context of digital markets see among others Natali Helberger, Frederik Zuiderveen Borgesius and Agustin Reyna, ‘The Perfect Match? A Closer Look at the Relationship between EU Consumer Law and Data Protection Law’ [2017] Common Market Law Review 1427 <www.kluwerlawonline.com/api/Product/CitationPDFURL?file=Journals/COLA/COLA2017118.pdf> accessed 11 May 2022; Inge Graef and Sean van Berlo, ‘Towards Smarter Regulation in the Areas of Competition, Data Protection and Consumer Law: Why Greater Power Should Come with Greater Responsibility’ (2021) 12 European Journal of Risk Regulation 674 <www.cambridge.org/core/journals/european-journal-of-risk-regulation/article/towards-smarter-regulation-in-the-areas-of-competition-data-protection-and-consumer-law-why-greater-power-should-come-with-greater-responsibility/8B00EFC66EA7F599DB9B700B1720ABAD> accessed 13 May 2022

137 ‘Digital Clearinghouse’ (Digital Clearinghouse, n.d.) <www.digitalclearinghouse.org> accessed 13 May 2022

138 European Data Protection Supervisor, ‘EDPS Opinion on Coherent Enforcement of Fundamental Rights in the Age of Big Data’ (EDPS 2016) Opinion 8/2016 <https://edps.europa.eu/sites/edp/files/publication/16-09-23_bigdata_opinion_en.pdf> accessed 13 May 2022

139 In Dutch: Samenwerkingsplatform Digitale Toezichthouders (SDT). See Autoriteit Persoonsgegevens, ‘Dutch Regulators Strengthen Oversight of Digital Activities by Intensifying Cooperation’ (Autoriteit Persoonsgegevens, 13 October 2021) <https://autoriteitpersoonsgegevens.nl/en/news/dutch-regulators-strengthen-oversight-digital-activities-intensifying-cooperation> accessed 13 May 2022

140 For example, in early 2022, the members of the Digital Regulation Cooperation Platform announced that they will launch a study to investigate to what extent businesses, organisations and governments provide clear and sufficient information to internet users regarding how their data are used. The findings of the study will be used by the members of the Platform to jointly ‘draw up basic principles for effective, online transparency’, and to signal to the Dutch legislator whether the existing legal frameworks need to be adapted to prevent or counter harmful practices. Authority for Consumers & Markets, ‘Dutch Regulators Press for Better Information about Online Use of Internet Users’ Data’ (ACM, 2 March 2022) <www.acm.nl/en/publications/dutch-regulators-press-better-information-about-online-use-internet-users-data> accessed 13 May 2022

141 Competition and Markets Authority and others, ‘The Digital Regulation Cooperation Forum’ (GOV.UK, 10 March 2021) <www.gov.uk/government/collections/the-digital-regulation-cooperation-forum> accessed 11 May 2022

142 The legal basis for this is provided by the Uitvoeringswet Algemene verordening gegevensbescherming (UAVG) of 16 May 2018, the act adopted to implement and specify certain aspects of the GDPR in the Netherlands. art, 19 para 1 of the UAVG authorises the AP to establish cooperation protocols with other supervisory authorities ‘[I]n the interest of efficient and effective supervision of the processing of personal data’ (free translation)

143 See for example, the latest cooperation protocol between the AP and the ACM, for topics in which their powers converge, including competition law, consumer protection and sector-specific market supervision, Samenwerkingsprotocol tussen Autoriteit Consument en Markt en Autoriteit Persoonsgegevens, dated 18 June 2020 (Staatscourant 2020, 36741) <https://zoek.officielebekendmakingen.nl/stcrt-2020-36741.html> accessed 13 May 2022. Interestingly, by the time of the events of the Personalised Offer case, there was also a Collaboration Protocol in force: Samenwerkingsprotocol tussen Autoriteit Consument en Markt en Autoriteit Persoonsgegevens, dated 11 October 2016 (Staatscourant 2016, 58078) <https://zoek.officielebekendmakingen.nl/stcrt-2016-58078.html> accessed 13 May 2022. However, this Protocol is not mentioned by the ACM in its Decision or in the request for advice to the AP. This might be related to the fact that the Protocol seems to be mostly intended to cover cooperation in enforcement actions, and in the Personalised Offer case, the issue at hand was not an enforcement action but the adoption of data access rules for the electricity sector

144 For example, on the questions arising from applying simultaneously the rules for personal data portability in the GDPR and the rules for access to smart meter data in the Recast Electricity Directive, see Graef, van den Boom and Husovec (n 16); Lavrijssen, Espinosa Apráez and ten Caten (n 13). See also the report on consumer control of energy (personal) data and the roadblocks for implementing consent management mechanisms in the Netherlands by Zardiashvili and Dechesne (n 114)

145 European Data Protection Supervisor, ‘Opinion of the European Data Protection Supervisor on the Commission Recommendation on Preparations for the Roll-out of Smart Metering Systems’ (EDPS 2012) section 3.2 <https://edps.europa.eu/sites/edp/files/publication/12-06-08_smart_metering_en.pdf> accessed 13 May 2022