On 10 December 2018, the Parliament accepted the Government Proposal (HE 144/2018) regarding the transition to a centralised information exchange system for the electricity retail market. To this end, a centralised information exchange unit, datahub, will be established to serve electricity suppliers, distribution system operators (“DSOs”), and electricity customers – and their service providers. The transition is carried out by amending the Electricity Market Act (588/2013, the “Act”) and other related acts. The amendments also establish a new centralised system of imbalance settlement.
Transition to the centralised exchange of information is scheduled to take place in spring 2021 and the exact time will be confirmed by a separate Government Decree. However, most of the new provisions are intended to enter into force as soon as possible and the exact time will be confirmed when the amendments receive presidential confirmation. The prompt entry into force of the amendments underlines the fact that the electricity retail market participants must continue preparations and investments for the deployment of the new system.
In Finland, there are approximately 80 DSOs and 70 electricity suppliers that serve 3.5 million electricity metering points, equipped with smart meters. Estimated to take place in the early 2020s, moving from one-hour intervals to 15-minute intervals in electricity metering will further increase the generation and transfers of metering and end-user data. The establishment of datahub will, therefore, concern a vast amount of data exchange and related systems. The amended provisions also seek to ensure implementation of parts of the recast electricity directive, which gained political acceptance on 18 December 2018.
The following includes our insights and key observations regarding the new legislation as well as our views on necessary next steps, which concerned electricity retail market participants should take.
Shifting from a decentralised system to a centralised one
Key processes of the electricity retail market, such as transfers of data from electricity metering as well as customers moving and switching electricity suppliers, require hundreds of millions of communications per year between relevant market participants. Currently, exchange of information is conducted on a bilateral and decentralised basis where individual electricity suppliers and DSOs exchange information directly between each other. The decentralised system requires separate direct connections between each actor, although in practice, information has been transferred using the connectivity services of a limited number of service providers.
Under the new provisions of the Act, electricity suppliers and DSOs, as defined in the Act, will be obligated to use datahub for all exchange of metering and end-user data as part of electricity trade. Datahub is operated by the state majority-owned Finnish electricity transmission system operator (the “TSO”) Fingrid. Since datahub will be in a monopoly position, its service conditions and pricing methods must be confirmed beforehand by the Energy Authority, which is in charge of the supervision of the unit’s operations. It is desirable that the Energy Authority sufficiently consults relevant market participants and interested parties prior to confirming conditions.
Required next steps
The new centralised information exchange system is intended to be operational in spring 2021. Accordingly, the necessary information systems must be completed and fully tested, which requires concerned electricity retail market participants to take action and make necessary investments regarding their information and communication systems well in advance. Electricity suppliers and DSOs’ obligation to use the services of the centralised information exchange system includes the obligation to ensure that their systems are compatible with those of datahub.
As regards to existing electricity suppliers and DSOs, the amendment includes a timetable, according to which compatibility of information and communication systems must be ensured. Preparations shall be carried out in cooperation with the TSO, i.e. Fingrid. Electricity suppliers and DSOs must also establish a plan of action for their organisations within three months of the entry into force of the amendments and submit it to the Energy Authority and Fingrid for approval. New actors entering the market after the deployment of the centralised system must ensure compatibility of systems before they commence their activities as electricity suppliers or DSOs.
Failure to comply with the obligation to use the services of the centralised information exchange systems, including the obligation to ensure compatibility, is subject to a penalty payment.
Processing of personal data is inevitable, careful planning is required
The new provisions will require electricity suppliers and DSOs to use datahub in carrying out key market processes. Datahub will accordingly carry out maintenance of location, customer, and contract data, storing and transferring metering data to market participants, carrying out imbalance settlements, and management of processes relating to customers moving and switching electricity providers. This centralised exchange of information will entail processing of personal data such as customer data, electricity consumption data, location data, and information on service choices.
EU’s General Data Protection Regulation (the “GDPR”) and the recently adopted Finnish Data Protection Act (enters into force on 1 January 2019) contain the general provisions regarding processing of personal data. However, specific provisions on the processing of data in electricity retail market processes were deemed necessary since, in most data exchange in these processes, it is unfeasible in practice to distinguish between processing of personal data from that of non-personal data. To this end, the amended Electricity Market Act contains amended provisions on the legal basis for processing of personal data in electricity retail market processes and datahub as well as on obligations to disclose data. The amendment also includes provisions regarding end-users’ rights to their own metering and consumption data, the use of personal identity numbers, legal bases for disclosure of data attributable to end-users, and obligations relating to data security.
These specific provisions supplement and adjust the general data protection legislation and they are permissible due to the so-called margin of manoeuvre provided by the GDPR to national legislators. Therefore, electricity retail market participants will have to make sure their data processing activities comply with the specific new provisions of the Act and the general data protection legislation as applicable. For instance, the provisions of the Act do not govern how market participants process personal data for other purposes than for processes of the electricity trade. Where an electricity undertaking wishes to process data in order to develop its services or generate data on electricity consumption for other commercial purposes, such processing must comply also with the GDPR and the Finnish Data Protection Act. The new provisions do not aim at limiting the use of metering and consumption data for such other purposes. Standardised information exchange supports the development of data-based services.
What about data security obligations in the electricity market?
Participants of the electricity retail market should especially take notice of data security obligations and sanction risks arising from different applicable regimes. In accordance with EU’s so-called NIS-directive ((EU) 2016/1148), the Electricity Market Act has since May 2018 imposed data security and risk management obligations, and related incident reporting requirements for system operators. System operators must notify the Energy Authority without delay of significant disruptions to the data security of its information and communication systems, which may significantly interrupt electricity distribution. The Energy Authority may decide on communicating the disruption to the general public.
The newly accepted amendment regarding datahub introduces various new provisions regarding data security. Fingrid as the datahub operator shall ensure the adequate level of data security of the centralised information exchange system and carry out risk management. Similarly to above, Fingrid shall notify the Energy Authority without delay of significant disruptions to datahub’s services or the systems used therein. Moreover, electricity undertakings (such as electricity suppliers and DSOs) shall ensure the adequate level of data security of their services and systems. Failure to comply with the new data security obligations is subject to a penalty payment.
The GDPR imposes similar data security requirements, in so far as electricity market participants process personal data. As discussed above, personal data processed in the electricity retail market include customer and consumption data. Moreover, electricity suppliers and DSOs may continue to maintain their own customer and metering databases regardless of the establishment of datahub. Processing such personal data will be subject to the GDPR and related legislation. According to the GDPR, a controller must document all personal data breaches and notify the data protection authority (the Data Protection Ombudsman in Finland) within 72 hours, unless the breach is unlikely to result in a risk for individuals. The sanction risk imposed by considerable administrative fines and other corrective powers under the GDPR has been the hot topic in discussions surrounding the regulation.
It will require a case-by-case analysis within electricity undertakings how a data security incident is categorised and which of the described obligations are triggered. Undertakings should properly establish internal procedures and systems for such analysis.
Eyes on agreements
The obligation to use datahub for information exchange will have considerable contractual effects on electricity suppliers and DSOs. Data processing in electricity undertakings is often outsourced to service providers who provide automatic meter reading, customer service, marketing, communications networks, and ICT services. Similarly, it is possible for electricity suppliers and DSOs to authorise external service providers to carry out communications and contacts with datahub.
In these situations the relevant electricity undertaking must ensure that adequate agreements regarding the service, processing of personal data therein, and attribution of responsibility are in place while observing requirements for such agreements under the GDPR. It is our view that in many cases electricity suppliers and DSOs will have to amend existing ICT service and similar agreements to incorporate communication and contact with datahub and required functionalities into the scope of the service agreements.
The new provisions of the Act also include an amended secrecy obligation and exploitation prohibition for electricity undertakings regarding trade secrets and certain other significant information obtained in their activities under the Act. Information exchange in the electricity retail market generally entails processing of trade secrets and, therefore, market participants must take necessary measures to comply with the applicable secrecy obligation. These requirements must be observed also in agreements between market participants and their external service providers through adequate confidentiality clauses.
Electricity undertakings should also observe possibly applicable limitations arising from procurement legislation on entering into or modifying contractual relationships. The so-called Public Procurement Act for Special Sectors (1398/2016) obligates entities engaging in certain activities as defined in the act to put their procurements and contracts out to tender.
In short, electricity undertakings should focus on using agreements to protect their commercial interests and ensure compliance with regulations.
The transition to a centralised information exchange is related to broader developments in the electricity market. A key example is the project to create a smart electricity system to serve as platform in a cost-effective and customer-centred way. The aim is to open demand response to competition and enable new participants to enter electricity markets. The so-called smart grid working group published its final report on 24 October 2018, which presented suggestions for new provisions, new technical systems, and smart devices for the electricity market.
Similarly, one of the significant motives for the centralised information exchange and datahub was to create better opportunities for the development of smart networks, services, and devices for the electricity market through the establishment of the standardised interface in datahub. Finland is also planning to roll-out second generation smart meters.
Furthermore, transition to centralised information exchange is also an objective of the national energy and climate strategy to 2030. Efficient and standardised data transmission supports balancing electricity demand and production and promotes the development of energy efficiency and energy management services.
The establishment of datahub for the electricity retail market is taking place in other Nordic countries as well. It is clear that Finland should be at the forefront of the advancement of smart electricity systems and, in any case, at the same stage as other Nordic countries. Establishment of a datahub is underway in Sweden with the launch of Elmarknadshubb and Norway with Elhub. The first version of the Danish Datahub was deployed already in 2013.
We are happy to discuss the implications of the legislation as well as keep you updated on other related legislative processes. Please do not hesitate to contact us for more information and guidance on the matter.
Special thanks to the co-author of this insight Oskari Paasikivi, D&I Trainee 2018.