The CNIL is stepping up a gear in the thorny Linky dossier. The personal data watchdog announced on Tuesday that it had put EDF and Engie on notice for non-compliance with certain conditions for obtaining consent concerning data from smart meters. The Authority criticizes the two electricity suppliers for not having brought their customer data collection mechanisms into compliance with the GDPR within the time allowed.
The Authority criticizes the two companies for shortcomings in how they obtain their customers' consent to the collection of consumption data from their Linky smart meters, and for an excessive retention period for that consumption data.
The CNIL nevertheless noted that the two companies are in the process of coming into line with the GDPR, in what it has called “a global trajectory of compliance”, through the designation of a data protection officer and the maintenance of a processing register. This is why its verdict was ultimately less harsh than expected: it put the two companies on notice to regularize their situation with respect to the GDPR within three months from February 10.
Three months to comply with the GDPR
In detail, the two companies are accused of failings in how they collect their users' consent to the processing of their electricity consumption data. “The CNIL noted that if the EDF and ENGIE companies do collect consent from their users, this consent is neither specific nor sufficiently informed with regard to consumption data by the hour or half an hour,” the authority said. It also recalls that consent must be collected for each objective pursued by the collection of data, which is not the case here.
In addition, the two suppliers are also taken to task for not doing enough to inform their customers about what lies behind the collection of their data. This falls far short of informed consent for the CNIL, which also accuses the two companies of incorrect wording when explaining how their customers’ data is used.
The two companies were also reprimanded for a data retention period deemed excessive. The data is kept for a minimum of five years by EDF and for three to eight years by Engie. However, “electricity suppliers are only required to provide customers with their consumption history for a period of three years following the date of consent,” recalls the personal data watchdog, which thus issued a stern call to order to the two electricity suppliers. It is up to them to bring themselves into line with the GDPR, or face fines that can theoretically go up to 4% of their income.