The Energy Act: Future regulation of energy smart appliances

11th Jun, 2024

Amidst the UK’s data-driven focus on reaching Net Zero, smart appliances are an important tool for giving consumers the ability to control their energy usage. However, when monitoring the supply and usage of energy, these devices can generate user data, including personal information.

As part of the Energy Act, which became law on 26th October 2023, Parliament has opened the door to future cyber security and data protection requirements for ‘energy smart appliances’. This includes any ‘load controllers’ or devices for controlling the consumption of energy. Ofgem has announced an intention to begin work on developing this area of regulation in ‘early 2024’. This article analyses the impact of the Energy Act for regulating these assets, systems and data, and what types of controls we could expect to see.

What does the Energy Act regulate?

Part 9, Chapter 1 of the Energy Act proposes to regulate ‘energy smart appliances’ within the UK’s energy infrastructure and consumers’ homes. An ‘energy smart appliance’, as per Ofgem’s definition, is “an internet-connected appliance that can adjust its electricity usage automatically based on signals received remotely”. This includes devices for monitoring the energy usage of fridges, heating equipment, and charging points for electric vehicles, which are essential for those aiming to control costs.

The key benefit of these technologies is that they enable customers to engage with ‘demand-side response’, a key part of the transition to Net Zero. Demand-side response involves energy consumers reducing the demand they place on the electricity grid by changing their consumption habits – i.e. how and when they use electricity. Having control over energy usage can bring efficiency and cost benefits for consumers. However, it can open the door to data collection on residents’ consumption and energy usage, and manipulation by threat actors. As a result, the Energy Act has clarified that future regulations will include technical requirements and standards for data privacy and cyber security.

What data protection rules could the energy industry expect?

With respect to energy smart appliances, the Department for Energy Security and Net Zero (DESNZ) has only revealed the content of such potential regulations at a high level. In 2022, it ran a consultation on the cyber security of such devices, in which it outlined that its regulatory goals were to “avoid the unnecessary collection or transmission of personal data”, “minimise the amount of personal data shared with third parties” and “ensure personal data is transmitted and stored securely”. It has also indicated the importance of energy smart appliances displaying or otherwise providing information about the data they collect to energy consumers.

Any such controls may also be borrowed from the approach taken by the Department for Science, Innovation and Technology (DSIT) under the recently-passed Product Security and Telecommunications Infrastructure Act (PSTI Act), which regulates internet-connected technologies for consumer (but not industrial) usage. However, some energy smart appliances, such as charging points and smart meters, are ‘excepted’ from the Act’s scope. The PSTI Act introduces mandatory controls such as minimum password requirements, obligations for manufacturers to make information on reporting security vulnerabilities available, and requirements for manufacturers to inform consumers about ongoing software updates. It is possible that standards similar to those under the PSTI Act will also be adopted as part of the regulation for energy smart appliances.

On top of this, DESNZ has also outlined in its policy brief that its regulations could include requiring certain appliances, such as electric heating appliances and EV charging points, to have a “smart functionality”, and could even go as far as banning the sale of non-smart devices. This approach is likely to run into some hurdles, based on the resistance the smart metering roll-out faced from consumers opposed to data collection and “surveillance” within their homes. As a result, to ease acceptance, heat network organisations deploying such systems should take steps to provide sufficient communications and outreach to consumers over the purpose of such devices and any data they collect.

Realistically, we could expect these requirements to translate into cyber and data protection requirements mandated for the industry. Manufacturers would be obliged to comply with these requirements and build cyber security standards into the products that they develop. It would then principally be the responsibility of energy suppliers, heat network operators, local authorities and other engaged organisations to conduct the relevant due diligence when procuring these products for use in their networks and consumer premises.

When can we expect these regulations to happen?

With respect to smart energy appliances, DESNZ expects to begin consultations on technical cyber security and privacy standards for these devices in 2024. According to its policy brief, this will occur in phases, with the first appliances sold already being required to meet cyber security requirements. This will be followed by a prohibition on the sale of non-smart appliances and then, in the mid- to late-2020s, all devices with a smart functionality will be required to meet the security and data protection standards.

For the time being, local authorities, energy suppliers and other entities procuring such systems should assess devices for privacy and security features against best practice and the high-level controls under the PSTI Act, ahead of any technical standards.

Authors

Kaveh Cope-Lahooti

Principal Consultant - Data Privacy