Create a definitive guide to the legal and regulatory framework for data privacy and security

Lack of clarity on the application of federal, state, and utility data privacy and security requirements can lead energy data stakeholders to take an overly risk-averse approach to sharing grid and customer data. Participants suggested that a definitive guide to applicable legal and regulatory requirements would be particularly helpful to local and tribal governments, which often have limited information and expertise on energy data issues. The Energy Commission and the Public Utilities Commission could prepare or commission a regulatory guide to help these governments, small DER providers, and state regulators understand how data generation and sharing are limited by current law and policy.

Create a forum for stakeholders to achieve consensus on ways to resolve security and privacy concerns affecting data access

The forum could allow a broader group of stakeholders—including energy regulators, utilities, DER providers, local and tribal governments, consumer advocates, data security experts, climate change planners, and others – to gain insight into investor-owned and public utilities’ system configurations and security needs (whereas many currently feel that decisions are made in a ‘black box’), increase understanding of the use cases and actual data needs of DER providers, and help utilities to better coordinate decision-making. It could also help participants identify and adopt best practices (and address risks) from the tech sector. In particular, this conversation could focus on the substantive goals of achieving a clean and resilient grid and include the voices of community and environmental stakeholders not often involved in energy data decision-making.

Re-examine the 15/15 rule for customer data aggregation (which sets numerical minimums for data-sharing) to consider an approach based on differential privacy (which can protect sensitive data regardless of sample size)

The Public Utilities Commission follows a “15/15” rule for the public release of aggregated customer energy data, in which all reports containing aggregated customer data must include at least 15 customers’ data, and no individual customer’s data may represent more than 15 percent of a given customer class within the sample. Participants emphasized that while the rule was properly intended to protect individual account information, in practice— with the availability of modern software and anonymization capabilities—it may prove too restrictive, limiting utilities’ and DER providers’ ability to work with smaller, more granular datasets. The Public Utilities Commission could explore whether to adopt a new data aggregation rule based on differential privacy principles, which protect sensitive underlying data by introducing small amounts of distortion or inaccuracy into a dataset, delivering statistically accurate results on the relevant metrics while obscuring sensitive identifying information.

Enhance the scope of its 2011 privacy decision (which sets many of the current terms for collection, use, and disclosure of customer energy usage data) to expand customer data rights with regard to billing data and other customer-specific information, thereby facilitating more flexible grid applications

The Public Utilities Commission’s 2011 privacy decision, which sets many of the terms for collection, use, and disclosure of customer energy data, focused narrowly on advanced metering infrastructure usage data, which are central to the flexible functions of a clean and resilient grid. However, participants indicated that the decision’s rules concerning usage data (i.e., kilowatt-hour values over time) leave significant gaps and uncertainties about the treatment of non-usage data that is becoming increasingly important to distributed energy resources of all types. The Public Utilities Commission could revisit and expand the 2011 decision to systematically classify all types of customer data (such as billing information) for their accessibility/portability, determine whether utilities should create different data sets based on data required for certain DER applications, and grant customers clearer rights to share a more complete set of their data with third parties for any type of DER.

Enhance enforcement of existing requirements for data exchange and usage

Some utilities have failed to meet data sharing and management requirements or targets set by the Energy Commission and Public Utilities Commission, with inadequate commission tracking and enforcement compounding the problems. Examples included flaws in Green Button Connect data access platforms, imposition of additional terms and conditions for access, delayed registration applications, and slow-moving proceedings on applications to improve the platforms; intermittent access to home area networks and Integrated Capacity Analysis maps; and frequent data system outages which were only corrected after substantial and costly advocacy from outside parties. The Energy Commission and Public Utilities Commission could create new, high-level data management positions to enforce existing rules and coordinate and demonstrate the importance of enforcement activities.

Appropriate funds for the California Energy Commission and California Public Utilities Commission to hire and retain more energy data experts

Recent legislation and regulatory decisions on data privacy and generation—including AB 802’s building energy benchmarking program and SB 1476’s privacy requirements—have had the effect of giving state regulators increasing levels of responsibility for data sharing and management. The benefits of greater data centralization and uniform rules of access are counterbalanced, however, by the challenge of handling the massive quantities of data generated by the modern grid. Shifting from a passive or reactive role to an active data management role requires new hiring and organizational adjustment at the Energy Commission and Public Utilities Commission, including the creation and/or expansion of divisions focused entirely on energy data.

Continue to modernize their information technology systems and expand internal staff capacity

Electric utilities are responsible for some of the most complex, high-risk, and data-intensive infrastructure in the state—increasingly resembling information technology companies more than their traditional role as managers of physical infrastructure. Yet many utilities have IT systems that are either out of date or unmatched to the data management task of the grid of the future, with particular implications for bug tracking and interoperability. With authorization and guidance from the Public Utilities Commission and/or Energy Commission, utilities could be enabled to invest in IT systems for broad data needs on cooperative timelines, to ensure that they can exchange data in formats that function for technology and data firms, that they can respond appropriately to user and customer concerns and feedback, and that the data remain secure and appropriately protected.

Adopt performance-based regulation that rewards effective data-sharing

Investor-owned utilities justify rates and revenue in large part based on the capital cost of major generation and transmission infrastructure investments, with potentially limited financial incentives to invest in flexible grid assets or in supporting the grid, customer, and DER performance data that support them. To develop an optimally efficient decarbonized grid, utilities could have an incentive structure that also rewards investments in data sharing and management. The Public Utilities Commission could introduce performance-based regulation that links utility returns and shareholder value to resilient decarbonization performance goals, including goals for data generation, sharing, and adherence to privacy and security best practices.

Expand upon existing regulatory proceedings or initiate a new proceeding to identify objectives, use cases, and cost considerations and direct achievement of specific related targets for progress in data exchange

While reforming investor-owned utility financial incentives could facilitate a significant increase in advanced energy data investments, participants suggested that on certain high-priority data issues the Public Utilities Commission could exercise its rulemaking authority to drive immediate action. The commission could expand an existing proceeding or initiate a targeted proceeding to address these issues.