The challenges of sharing data at the intersection of EU data protection and electricity market legislation: lessons from the Netherlands

This article examines the interplay between the General Data Protection Regulation and the rules for access to consumer data introduced by the Recast Electricity Directive (2019/944). It brings insights from practice regarding the complexities of applying these two legal frameworks simultaneously by analysing a case from the Dutch electricity market. The case is constructed around a court decision that led Dutch distribution system operators to stop sharing consumers’ ‘personal data with suppliers for the purposes of preparing ‘personalised offers’. The article extracts lessons that can help EU member states when laying down or revising existing legal frameworks for access to consumer data on two main fronts: substantial alignment between data protection legislation and electricity market legislation, and the importance of strengthening cooperation between data protection authorities and energy regulators.


Introduction
The implementation of information communication technologies (ICT) in electricity systems (a phenomenon known as 'digitalisation') is deeply transforming the electricity sector.Multiple digital technologies have been and continue to be deployed to collect, transmit and analyse growing amounts of data across the entire electricity supply chain, from production to retail. 1 The data collected and processed in the electricity sector include network data, market data, consumer data and even external data such as weather data. 2 The structure of the electricity sector in the European Union (EU), shaped by a long and gradual process of liberalisation, 3 makes the exchange of data crucial for the correct functioning of this market.Liberalisation, and in particular the introduction of an unbundling regime, broke up vertically integrated energy companies and introduced free competition in the production and supply segments of the electricity supply chain, separating these activities from the operation of the grid (entrusted to transmission and distribution system operators), which is treated and regulated as a natural monopoly.In addition, the roll-out of smart electricity meters encouraged by EU legislation has generated new streams of data, which are usually collected and managed by distribution system operators (DSOs) but need to be accessed by other market parties such as energy suppliers and other service providers. 4Against this background, the electricity sector is formed by a constellation of actors who need data from each other to make possible the supply of electricity and to enable new energy services.
Among the multiple types of data used in the electricity sector, consumer data are receiving special attention in recent legislative developments.As a result of the increasing digitalisation of the electricity sector in the EU and the crucial role of energy data in the EU agenda to stimulate the data economy,5 there is a growing interest in access to consumer data in the electricity sector and beyond. 6Access to consumer data by consumers themselves and by other eligible parties is seen as key to allow consumers to manage their energy consumption, participate in the electricity market and the energy transition, and benefit from services based on energy data.
The growing importance of access to consumer data is acknowledged by the Directive (EU) 2019/944 (hereinafter the 'Recast Electricity Directive').This legislation requires member states to lay down rules regarding data management and exchange, 7 in particular rules on access to consumer data, 8 which include 'metering and See European Commission, 'Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions "Digitalising the Energy System -EU Action Plan"' (European Commission 2022) COM/2022/552 final <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022DC0552&qid= 1666369684560> accessed 29 October 2022; European Commission, 'Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions "A European Strategy for Data"' (European Commission 2020) COM/ 2020/66 final <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0066> Art 23 of the Recast Electricity Directive does not use the term 'consumer' but 'final customer'.'Final customer' is a broad notion encompassing both natural and legal persons, defined in the Directive as 'a customer who purchases electricity for own use' (art 2(1), Directive (EU) 2019/944).The term 'consumer' will be used in this contribution instead of 'final customer' for practical reasons.Firstly, even if the Recast Electricity Directive does not list 'consumer' as one of the definitions in art 2, it does use the expression throughout its text.In fact, art 23 is under ch III of the Directive, entitled 'CONSUMER EMPOWERMENT AND PROTECTION'.Secondly, the term 'consumer' is defined in EU legislation on consumer protection as any natural person acting for purposes outside their trade, business, craft or profession (see eg Directive 2005/29/EC concerning unfair business-to-consumer commercial practices in the internal market and Directive 2011/83/EU on consumer rights).This research focuses on the interplay between electricity market legislation and personal data protection legislation, the latter applicable to the processing of data relating to natural persons.Hence, the term 'consumer' seems more precise and suitable than that of 'final customer' for the purposes of this contribution consumption data as well as data required for customer switching, demand response and other services'. 9he Recast Electricity Directive also requires member states to 'organise the management of data in order to ensure efficient and secure data access and exchange, as well as data protection and data security'. 10Concerning data protection, the Directive stipulates that when personal data are processed (including giving or obtaining access to personal data), this should be done in compliance with Regulation (EU) 2016/679, 11 known as the General Data Protection Regulation (GDPR). 12Against this backdrop, the sharing of consumer data in the electricity sector is to be governed by two simultaneously applicable regimes: on the one hand, the sectoral rules laid down by member states in transposition of the Recast Electricity Directive; and, on the other hand, the general framework for personal data processing enshrined in the GDPR.
These two frameworks have different scopes, legal bases in EU law, policy objectives, levels of implementation and supervisory authorities. 13Moreover, these two legal frameworks define different roles, obligations, and rights that apply simultaneously to the same actors. 14The parallel application of these two legal frameworks raises questions, as noted by emerging legal scholarship on this topic.
Huhta explores how the objectives of both regimes can be reconciled through legal interpretation, even if they seem to embody opposing interests: on the one hand, the extensive use of smart meter data encouraged by the Recast Electricity Directive, and, on the other hand, the view of processing and transferring personal data as a potential threat to the right to data protection, embedded in the GDPR. 15The core of her analysis, however, focuses on possible grounds for personal data processing in the context of smart metering, without delving into questions related to access to consumer data.
Graef, Husovec and van den Boom do study the provisions for access to consumer data in the Recast Electricity Directive (as well other sectoral data access regimes in EU legislation), but focus specifically on exploring the spillovers that may result from its interaction with the right to data portability introduced by the GDPR. 16They find that the interplay between these frameworks can affect how they are interpreted, in the sense that the reach of the provisions of one framework may expand or contract when read together with the other framework.
A recent study by Lavrijssen, Espinosa Apráez and ten Caten also looks at the interplay between the GDPR and the Recast Electricity Directive.Their contribution provides an overview of the different actors, principles and obligations arising from each legal regime, and identifies three possible tensions between the two frameworks. 17These tensions, however, are not fully developed in the study, leaving room for further exploration.
The aforementioned studies analyse the interplay between the GDPR and the provisions concerning data access in the Recast Electricity Directive but do so in abstracto.With the aim of expanding the body of knowledge on the challenges of applying these two frameworks simultaneously, this article brings insights from practice, by examining a case from the Dutch electricity sector (hereinafter, 'the Personalised Offer case').
The Personalised Offer case is constructed around the context, content and consequences of a ruling issued by a Dutch court, the Trade and Industry Appeals Tribunal (in Dutch: College van Beroep voor het Bedrijfsleven), in early 2020. 18The ruling put forward an interpretation concerning one of the lawful grounds for personal data processing under the GDPR (necessity to comply with a legal obligation), that led Dutch DSOs to stop giving energy suppliers access to consumers' personal data to prepare personalised offers. 19ven though the case took place before the adoption of the Recast Electricity Directive, its analysis is still relevant -firstly, because it refers to the interaction between the GDPR and the sectoral rules for access to consumer data in force in the Netherlands at the time of the events, providing rich insight into the challenges of applying horizontal and sectoral frameworks regulating data sharing; secondly, and more importantly, the issues arising from the case are not addressed by the Recast Electricity Directive.
The question that underlies this research is the following: what lessons can be drawn from the Personalised Offer case regarding the interplay of the GDPR and the rules for access to consumer data in the electricity sector?The aim of the article is twofold.Firstly, this article reflects on what occurred in the Dutch case and shows that the lack of alignment between the legal regime for access to consumer data in the electricity sector and data protection legislation might end up hindering data sharing in the electricity sector and/or jeopardising the protection of personal data.Secondly, the article posits that member states have an important role to play in contributing to the consistent application of the two legal frameworks, and 17 'The first tension lies in the fact that some of the innovations facilitated by smart metering in the energy sector rely on technologies that might not be entirely compatible with the GDPR.A second tension follows from the existence of separate but interrelated regimes for access to data of the consumer/data subject in the two legal instruments here analysed.The third tension relates to a possible overlap of competences between the supervisory authorities of both regimes'.Lavrijssen, Espinosa Apráez and ten Caten (n 13) 1 18 College van Beroep voor het Bedrijfsleven, ruling of 14 January 2020, cases 18/2783 and 18/2846, NJB 2020/245, ECLI:NL:CBB:2020:3 <https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:CBB:2020:3> accessed 10 May 2022 [hereinafter 'CBb ruling'] 19 See section 3.1.of this article for further explanation of what a 'personalised offer' entails introduces a number of suggestions in that regard, focusing on two main issues: ensuring substantive alignment between the two legal frameworks, and the importance of having clear cooperation mechanisms between the energy regulators and the data protection authorities. 20This research is carried out following the methodological approach of doctrinal legal research, based on an analysis of EU and Dutch legal sources (specified throughout the article), as well as legal scholarship on data protection and access to consumer data in the electricity sector.
The paper is structured as follows: section 2 will provide an overview of the provisions governing access to consumer data in the Recast Electricity Directive and will elaborate on their relationship with the GDPR.Section 3 describes the facts of the Personalised Offer case.Section 4 will identify the lessons from the case, and make suggestions to enhance the alignment between the two legal regimes here studied.Section 5 concludes.

The regime for access to consumer data under the Recast Electricity
Directive and its relationship with the GDPR 2.1.Access to consumer data under the Recast Electricity Directive In the electricity sector a distinction is usually made between access to data necessary to fulfil regulatory obligations and access to data necessary for additional energy services. 21The first category refers to the exchange of data for processes that are necessary for the correct functioning of the electricity systems and the continuous supply of electricity.Under this category, actors such as DSOs and energy suppliers must collect and exchange consumer data to fulfil regulatory obligations introduced by EU and national law to ensure the reliable, affordable and sustainable supply of electricity.For example, DSOs need consumer data to perform their grid management tasks, and energy suppliers need access to consumer data for reasons including billing purposes and consumer switching (ie when the consumer decides to change supplier).These are traditional processes involved in the supply of electricity and have been regulated for a long time.
The second category refers to accessing consumer data to enable new energy services that go beyond the mere supply of electricity, such as personalised offers, demand response programmes or energy management systems.The increased availability of consumer data, owing in particular to the roll-out of smart metering systems, 22 has enabled the emergence of new energy services that help consumers in 'monitoring their consumption patterns, consuming green energy, activating their flexibility, generating energy locally, driving electric vehicles, etc.' 23 These services allow consumers to manage their energy use and be more active in the electricity market and the energy transition. 24There is also a potential to enable services across different economic sectors on the basis of energy data. 25To be able to offer these services to the consumers, service providers need access to consumer data, including smart meter data, which in the EU are typically managed by or on behalf of DSOs. 26This new use of data reflects the growing impact of the data economy in the electricity sector, and it is gaining momentum in EU policy, especially against the background of the so-called 'twin green and digital transitions', ie at the intersection of the European Green Deal and the Digital Decade Policy Program put forward by the European Commission. 27cknowledging the importance of consumer data, the Recast Electricity Directive explicitly requires member states to lay down rules for access to these data by eligible parties and sets a number of requirements that those rules must meet. 28Such an emphasis on access to consumer data was absent in the preceding legislation adopted under the Third Energy Package.Directive 2009/72/EC 29 (hereinafter 'Electricity Directive 2009') had already encouraged member states to embrace and support the use of ICT, such as smart grids and smart metering, to foster decentralised generation and energy efficiency. 30However, the Electricity Directive 2009 provided limited provisions regarding how the new streams of data resulting from these technologies should be managed and accessed.Regarding consumer data, the 2009 Directive stated that member states should take measures to ensure that consumers could have at their disposal their consumption data and give any energy supplier access to their metering data free of charge. 31n the review of the Electricity Directive 2009 in preparation for the Clean Energy Package, 32 33 was seen as one of the main factors behind the 'slow deployment of new services, low levels of service and questionable market performance on retail markets' in the EU electricity sector. 34The Impact Assessment prepared by the European Commission for the recast of the Electricity Directive 2009 acknowledged that in order to realise the benefits offered by digitalisation in the electricity sector, a framework for non-discriminatory data management was needed.This was in order to make 'the right information immediately available to the right market actors, while at the same time ensuring a high level of data protection'. 35In the view of the Commission, this called for legislative action at the EU level.
The approach ultimately adopted in the Recast Electricity Directive regarding data management entails that member states are free to have their own model for data management and exchange, 36 ie the Directive does not require member states to adopt a predetermined model. 37Regardless of the specific model chosen, member states are responsible for organising data management so as to ensure non-discriminatory, efficient and secure data access, and the highest level of cybersecurity and data protection. 38The rules concerning access to consumer data shall be transparent and ensure the impartiality of the parties responsible for data management (hereinafter 'the data managers'), which are obliged to give access to consumer data to eligible parties, in accordance with the data access rules adopted in each member state. 39he Recast Electricity Directive does not define the meaning of 'eligible parties'.In the original legislative proposal prepared by the European Commission, art 23, para 1 stated that 'eligible parties' shall include 'at least customers, suppliers, transmission and distribution system operators, aggregators, energy service companies, and other parties which provide energy or other services to customers'. 40 Journal of Energy & Natural Resources Law 409 is not included in the adopted text of the Directive, it is up to the member states to decide which parties are eligible to have access to consumer data.
The consumer data covered by the Directive include 'metering and consumption data, data required for customer switching, demand response and other services'. 41n that sense, the scope of the provisions concerning data access in the Recast Electricity Directive is broader than that of the 2009 Directive, which only referred to access to metering data by suppliers.
From the types of data mentioned in the Directive, metering data and consumption data receive most attention.The Directive does not provide specific definitions for these two types of data, but from its provisions 42 it seems that 'metering data' is a broad notion referring to data generated by smart meters, 43 including information on how much electricity is consumed (consumption data) and how much electricity is fed into the grid, in the case of active customers (also known as 'prosumers').
The rules applicable to access to smart meter data are laid down in art 20 of the Recast Electricity Directive.According to these provisions, consumers are entitled to receive (at no additional cost) validated historical consumption data 44 and non-validated near-real time consumption data, 45 the latter 'in order to support automated energy efficiency programmes, demand response and other services'. 46Article 20, literal (e) specifies that, at the request of the consumers, consumption data and data on the electricity fed into the grid shall be made available to them, following the provisions of the implementing acts adopted pursuant to art 24 of the Directive.This article gave powers to the European Commission to adopt implementing acts on 'interoperability requirements and non-discriminatory and transparent procedures for access to data referred to in Article 23(1)'. 47The goal of these implementing acts is promoting competition in the EU retail market for electricity and avoiding excessive administrative costs for the eligible parties seeking access to data in multiple member states. 48nder the Recast Electricity Directive, access to consumer data can take two forms: the data can be made available directly to the consumer through a communication interface or remote access, and the data can be made available to a third party acting on behalf of the consumer. 49The last subsection of art 20 specifies that consumers should be able to 'retrieve their metering data or transmit them to 41 Recast Electricity Directive, art 23, para 1 42 See in particular Recast Electricity Directive, art 20 43 See Council of European Energy Regulators (n 23) 35 44 Regarding access to complementary information on historical consumption, see Recast Electricity Directive, Annex I, section 4 45 'Near real time' means 'a short time period, usually down to seconds or up to the imbalance settlement period in the national market'; Recast Electricity Directive, art 2(26) 46 Recast Electricity Directive, art 20(a) 47 Art 24, para 2. The implementing acts must be adopted following the comitology procedure referred to in art 68, para 2 of the Electricity Directive 2019.At the time of revising this paper (October 2022), the implementing acts on interoperability and procedures for access to data have not been adopted yet.It is expected that the first implementing act(s) will be adopted in the third quarter of 2022.See European Commission, 'Digitalising the Energy System -EU Action Plan COM/2022/552 Final' (n 5) 21 48 Recast Electricity Directive, art 24, para 1.The interoperability requirements and procedures introduced by the implementing acts must be based on national practices (art 24, para 3) 49 Recast Electricity Directive, art 20, literal (e) another party at no additional cost and in accordance with their right to data portability under Union data protection rules'.
The right to data portability was introduced by the GDPR (art 20).It entitles data subjects to receive (a copy of) the personal data concerning them that have been provided by them to a data controller, 50 in a 'structured, commonly used and machine-readable format', and to transmit the data to another controller.Where technically feasible, consumers can request that the data are transmitted directly from the original controller to a new controller. 51This right is aimed at empowering data subjects by facilitating their ability to 'move, copy or transmit personal data easily from one IT environment to another (whether to their own systems, the systems of trusted third parties or those of new data controllers)'. 52Several commentators note that the Recast Electricity Directive can be seen as complementing the GDPR, by introducing a mandatory implementation of the right to data portability for smart meter data. 53

Relationship between the rules on access to consumer data and the GDPR
The GDPR is an EU regulation applicable since May 2018.Its aim is to safeguard the right to personal data protection, while making it possible for personal data to be processed by and flow freely between member states. 54This regulation requires individuals and organisations that process personal data as controllers 55 or processors 56 to 50 Following the guidelines on the right to data portability issued by the Article 29 Working Party (a former EU advisory body in the area of personal data protection, replaced by the European Data Protection Board under the GDPR) data 'provided by the data subject' include data that have been actively provided by the data subject, as well as data that have been 'observed from the activities of users such as raw data processed by a smart meter or other types of connected objects'.The GDPR is a general legal framework for the protection of personal data in the EU.It applies to all personal data processing activities and sectors that are not explicitly excluded from its scope. 57The GDPR applies to the processing of consumer data in the electricity sector to the extent that the data in question qualify as personal data following the definition in the GDPR, ie any information that relates to identified or identifiable natural persons (named 'data subjects' in the GDPR). 58The GDPR defines 'processing' as 'any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means', including 'retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available'. 59Hence, giving and receiving access to data relating to consumers who are natural persons are activities that qualify as processing of personal data.
The Recast Electricity Directive clearly acknowledges that the GDPR applies whenever personal data are processed under the provisions of the Directive.This is reasonable because the Directive was prepared and adopted after the entry into force of the GDPR in May 2016.It is also understandable considering that the electricity sector is becoming ever more dependent on the use and exchange of consumer data, which involve personal data and thus must be processed following the GDPR. 60everal recitals and provisions of the Recast Electricity Directive refer explicitly to the data protection legislation.For example, Recital 91 of the Recast Electricity Directive states that its provisions should be interpreted and applied in accordance with the rights and principles enshrined in the Charter of Fundamental Rights of the European Union, in particular the right to the protection of personal data. 61Moreover, this recital highlights that it is essential that any processing of personal data pursuant to the Directive complies with the GDPR, something that is reiterated in the provisions concerning smart metering, 62 and the provisions concerning data management and access to consumer data. 63Another important link with the GDPR is evidenced by the explicit reference to the right to data portability in art 20 of the Recast Electricity Directive, referred to above.
As noted in section 2.1 of this contribution, one of the goals of the legislative reform that resulted in the adoption of the Recast Electricity Directive was to introduce rules to enhance data access while ensuring personal data protection.The result in the adopted Directive was, however, more modest.It is true that the Directive establishes a 57 For the material and territorial scope of the GDPR, see art 2 and 3 of that Regulation 58 Art 4 (1), GDPR.As defined by the cited article, 'an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person', art 4 (1) GDPR.For an explanation of why the processing of data collected by smart meters is subject to personal data protection clear link with the GDPR by stating explicitly that the latter is applicable whenever personal data are processed, including in the context of access to consumer data. 64owever, the Directive offers little guidance on how to apply both frameworks in parallel in the context of access to consumer data.This is understandable, considering that each member state can adopt its own model for data management and exchange, and the divergences across models make it more difficult to introduce guidelines at EU level.In this context, it is for the member states to ensure the alignment between the data access rules they adopt in transposition of the Recast Electricity Directive and the GDPR.
The parallel application of the rules for access to consumer data under the Recast Electricity Directive and the rules of the GDPR for what concerns personal data entails an entwining of the roles, rights and obligations arising from both legal regimes.For example, electricity consumers whose data are accessed are also data subjects, and as such, are entitled to the protection and rights arising from both the Recast Electricity Directive and the GDPR.The managers of electricity data might qualify as data controllers or processors under the GDPR, depending on the legal and factual context in which they operate, 65 which is given by the data management model adopted by each member state. 66Eligible parties (including 'third parties' 67 ) who want to access consumer data can qualify as recipients 68 when they receive the data from the data manager, and become data controllers in respect of the processing carried out for their own purposes after they receive the data from the data manager.Hence, data managers giving access to consumer data and eligible parties obtaining access to these data will have to follow the obligations and requirements arising from both the Recast Electricity Directive and the GDPR. 69s noted by Lavrijssen, Espinosa Apráez and ten Caten, the interplay of the provisions for access to consumer data in the Recast Electricity Directive and the rules for the processing of personal data in the GDPR also leads to interactions and possible overlaps in competences of the supervisory authorities of each regime. 70The Recast Electricity Directive (as well as the preceding legislation) requires member states to appoint an independent national regulatory authority (NRA) tasked with the monitoring and enforcement of the legal regime applicable to the electricity sector, as well as with the adoption or implementation of certain regulations. 71Specifically concerning the topic of this article, NRAs are responsible for 'ensuring non-discriminatory access 64 In practice, the added value of this reference is limited.Even without the clarification in the Directive, any processing of personal data falls under the scope of the GDPR, as defined by the Regulation itself 65 For an analysis of the factors that determine the roles of controller and processor, see European Data Protection Board, 'Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR' (EDPB 2021) Version 2.0 <https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf>accessed 11 May 2022 66 In this regard, see Huhta (n 15) 15-16 67 The providers of services based on energy data are usually considered 'third parties' because they are not part of the traditional relationship behind the supply of energy (consumer-supplier-DSO) 68 Art 4 (9) GDPR: '"recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed […]' 69 For an overview of the different roles, rights and obligations stemming from the Recast Electricity Directive and the GDPR, see Lavrijssen, Espinosa Apráez and ten Caten (n 13) 70 Lavrijssen, Espinosa Apráez and ten Caten (n 13) 71 See ch VII of the Recast Electricity Directive to customer consumption data', 72 which means that NRAs are competent to oversee how data managers provide access to consumer data to eligible parties.
On the other hand, the GDPR requires member states to appoint an independent supervisory authority known as the 'data protection authority' (DPA), responsible for monitoring and contributing to the consistent application of the GDPR. 73To be able to fulfil their duties, DPAs are given investigative, corrective, and authorisation and advisory powers. 74Since access to data of consumers who are natural persons constitutes processing of personal data, the data managers and the eligible parties obtaining access to these data fall under the supervision of the national DPAs.
The two aspects here mentionedon the one hand, the entwining of the roles, rights and obligations arising from both legal regimes and, on the other hand, interactions and possible overlaps between the competences of the two supervisory authoritiesplay an important role in the Personalised Offer case, as will be shown in the next section.

The Personalised Offer case
This section will introduce the facts of the 'Personalised Offer case', a case taken from the Dutch electricity sector which shows the complexities of data sharing at the intersection between the GDPR and sectoral rules for access to consumer data in the electricity sector.The case is constructed around a ruling of the Dutch Trade and Industry Appeals Tribunal (hereinafter 'CBb'). 75The events on which this case is based took place between July 2017 and January 2020.The facts here presented are extracted from publicly available documents, including the ruling of the CBb, Dutch legal sources and documents published by the actors involved in the facts of the case.The legal context here described is given by the laws and regulations in force at the time of the events of the case and, where relevant, at the time of writing of this article. 76

Background of the case
In the Netherlands, the management of consumer data is largely the responsibility of the DSOs, who, at the time of the events of the case, had jointly delegated their data management tasks to Energie Data Services Nederland (EDSN).In the Netherlands, following the Electricity Act 1998, 77 DSOs are legally responsible for installing, operating and collecting the data from smart meters and are obliged to share smart meter data with suppliers for the purposes of billing, changes of residence and switching of suppliers. 78In addition, DSOs must give access to smart meter data to third parties (eg providers of energy services) if the consumer gives consent to do so, following the rules of the GDPR. 79This is explicitly regulated in the Dutch Electricity Act.
Besides smart meter data, DSOs also manage central data registers that are crucial for the functioning of the electricity market, including the 'Connection register' (aansluitingenregister -'C-AR') and the 'End of contract register' (contracteindegegevensregister -'CER').The management of these data registers is regulated not in the Dutch Electricity Act, but in the Information Code Electricity and Gas (ICEG). 80The ICEG is an administrative act or 'generally binding regulation' 81 adopted by the Dutch NRA for the energy sector, the Authority for Consumers and Markets (ACM), 82 on the basis of a proposal submitted by market parties engaged in the transport, supply or metering of electricity. 83The ICEG lays down the conditions that apply to the exchange, recording, use and storage of data in the energy sector. 84he C-AR and CER were originally created as a 'single source of truth' to facilitate coordination between DSOs and suppliers in the context of the administrative processes that keep the retail electricity market running, eg invoicing, switching suppliers, moving in or out of a house. 85The exchange of data for these processes is part of the regulatory obligations of DSOs and suppliers.Next to this regulated use of data, a new use of data from the C-AR and CER registers was found: the data could also be retrieved by potential new suppliers to prepare personalised offers for consumers. 78 Vereniging Nederlandse Energie Data Uitwisseling (NEDU), an association of companies representing the different market roles of the energy sector in the Netherlands, which prepared the proposals to amend the Information Code 84 Note that it is likely that under the future Dutch Energy Act the data management rules will be laid down in the Act itself and/or in ministerial regulations.Hence, the role of the Information Code might significantly change once the new legislation is adopted in the Netherlands.See the Bill for an Energy Act in Ministerie van Economische Zaken en Klimaat (n 76) 85 These registers were created as part of the implementation of the New Market Model (Nieuwmarkt Model) in the Netherlands in 2013.This model is a supplier-centric model, which entails that the main point of contact for the consumer is the energy supplier.Before the adoption of this model, both DSOs and suppliers were the point of contact for consumers for different parts of the administrative processes.For example, the consumers had to pay separate invoices to the DSO and the supplier for the grid costs and the supply costs, respectively.Or, if mistakes were made in the context of a switch of supplier, there were three parties involved in correcting mistakes (the old supplier, the new supplier and the DSO).See 'Nieuw Marktmodel (NMM) voor de energiesector' (DeEnergie-Gids.nl,n.d.) <www.deenergiegids.nl/overstappen/nieuw-marktmodel-energiesector>accessed 11 May 2022

Journal of Energy & Natural Resources Law 415
A personalised offer 86 entails that consumers who want a new energy contract can receive offers from energy suppliers, tailored to their actual needs and preferences. 87n that sense, personalised offers facilitate consumers making more informed choices, allowing consumers to compare offers from different suppliers and facilitating switching of suppliers.To prepare a personalised offer, energy suppliers need data on the consumer, including the regional location and capacity of the connection in the household, annual energy consumption, the end date of the current energy contract and the contractual notice period. 88This information is in principle known to the consumers, and they can manually provide it to the energy suppliers (eg by filling it in through the website of the supplier or through a price comparison website).However, it is also possible for energy suppliers to retrieve this information directly from the C-AR and CER managed by the DSOs, with the consent of the consumers (obtained eg during a phone call or in person at a shop). 89At the time of the events of the Personalised Offer case here analysed, the latter option was considered more convenient for consumers and suppliers.
Since the data needed to prepare the personalised offers are information relating to identifiable natural persons (the consumers), they qualify as personal data and must be processed in accordance with the GDPR.From the perspective of the GDPR, in the Personalised Offer case, the DSOs were the controllers of the personal data stored in the C-AR and CER. 90Once the data (in fact, a copy of the data) were transferred to the requesting supplier to prepare a personalised offer, this supplier became the controller of the received data. 91he data exchange for the purposes of personalised offers was initially not regulated in the ICEG or any other national regulation, and it did not fall per se under the data exchanges necessary to comply with legal obligations of the DSOs or the suppliers.However, after a huge data theft incident involving C-AR and CER data of two million Dutch households in 2016, 92 the market parties of the energy sector and the ACM deemed it necessary to lay down formal rules to regulate this data exchange in the ICEG.Following a proposal submitted by representatives of the market parties, in October 2018 the ACM adopted an administrative decision to amend the ICEG (hereinafter, 'the Decision') 93 aimed at 'improving the security of (personal) data that are registered and exchanged for small-scale consumption connections'. 94his Decision introduced several articles into the ICEG, including two articles requiring DSOs to share consumer data from the C-AR and CER with the suppliers for the purposes of preparing personalised offers, provided that the consumer had given his/ her consent. 95n January 2020, the Dutch DSOs (through their branch association Netbeheer Nederland) announced that they would stop giving suppliers access to consumer data for the purposes of making personalised offers. 96This announcement was motivated by a court ruling issued by the CBb on 14 January 2020.The ruling annulled the articles of the ICEG that obliged DSOs to share data from the C-AR and CER with suppliers for the preparation of personalised offers.In the absence of a clear legal basis for sharing (personal) data from the central registers with the suppliers, DSOs decided to stop giving access to these data. 97In practice, this meant that in order to prepare personalised offers, suppliers could no longer retrieve data from the central registers and had to rely solely on the information actively provided by the consumers themselves.This made the preparation of the personalised offers more cumbersome for both consumers and suppliers and created the risk of penalties for anticipated contract termination if the information provided by the consumers was not accurate. 98he next several subsections will elaborate on the argumentation behind the CBb ruling and the circumstances that led to this court decision, which provide rich insights into the challenges of aligning the GDPR with the sectoral rules for access to consumer data.From a data protection perspective, the CBb ruling deals with one of the core principles laid down in the GDPR, the one requiring that personal data are processed 'lawfully, fairly and in a transparent manner'. 99In particular, the ruling concerns the lawfulness of personal data processing, which is addressed more specifically in art 6 of the GDPR.Paragraph 1 of this article states that the processing of personal data is lawful only if at least one of six grounds applies.Such grounds are specified in literals (a) to (f) of the said provision and include the consent of the data subject, 100 as well as necessity of the processing in specific situations. 101The CBb ruling focuses on the 93  ground of necessity to comply with a legal obligation to which the data controller is subject (art 6, para 1, (c)).

Origins of the legal controversy and the CBb ruling
Following the abovementioned data theft incident, in May 2017, representatives of the Dutch energy sector submitted a proposal to amend the ICEG and introduce provisions clarifying the responsibilities of market parties and strengthening checks regarding the processing of personal data in the context of data exchanges.102

THE ADVICE FROM THE DUTCH DPA
Since the amendments to the ICEG entailed the processing of personal data, the ACM requested the advice of the Dutch DPA, the Autoriteit Persoonsgegevens (hereinafter, 'AP') as part of the rule-making process. 103One of the main points raised by the AP in its advice was that the proposed amendments to the ICEG were intended to create a ground for the processing of personal data, specifically, a legal obligation104 for DSOs to share consumers' personal data with energy suppliers.In the view of the AP, this was beyond the legal scope of the ICEG as defined by the Dutch Electricity Act, because the ICEG was intended to set conditions for data processing, which is fundamentally different from creating a legal ground for personal data processing. 105esides, the AP argued that it is not reasonable that the processing of personal data by the energy sector can be justified and legitimised in a code prepared by the sector itself and adopted by the ACM.
In the view of the AP, the legal grounds for data processing should be laid down in the Electricity Act or in an administrative act (order in council or ministerial regulation) based thereon. 106Only the conditions, ie 'the manner in which the data processing is practically applied', can be laid down in the ICEG. 107In the view of the AP, introducing legal grounds to process personal data in the ICEG resulted in 'an unbalanced and unclear regime with regard to the processing of personal data in the energy sector'. 108The AP thus recommended ACM take a closer look at the issue of the grounds for processing of personal data in the ICEG, and advised against adopting the draft of the Decision that ACM sent for review.

THE DECISION ADOPTED BY THE ACM
The ACM followed the advice from the AP only to a certain extent.The energy regulator adopted the Decision introducing the two articles that required DSOs to share consumer data from the C-AR and CER with the suppliers, for the purposes of making personalised offers.From the explanatory notes of the Decision, it seems that the DSOs (as data controllers) had intended to rely on the data sharing obligations to be introduced in the ICEG as the lawful ground to share C-AR and CER data in compliance with the GDPR.109However, citing the aforementioned advice of the AP as well as legislative explanatory memoranda concerning the scope of the ICEG, 110 the ACM specified that the ICEG did not provide a lawful basis to process consumers' personal data under art 6, para 1 (c) of the GDPR (necessity to comply with a legal obligation).
The ACM deviated from the AP's advice in one important point.Instead of further investigating what could be the appropriate ground for the processing of personal data in this case (because, in its view, this was beyond its competences), the ACM stated that it was the responsibility of the DSOs to find the appropriate lawful basis to implement the data sharing obligations introduced in the ICEG by the Decision.111

THE POSITION OF THE DSOS AND OTHER MARKET PARTIES
NEDU and Netbeheer Nederland, acting as representatives of the energy market parties, had already expressed their disagreement with the approach of the ACM during the procedure that preceded the adoption of the Decision,112 and later when they submitted appeals against the Decision, requesting the annulment of said articles of the ICEG.
In the view of NEDU and Netbeheer Nederland, the ICEG could and should be considered an appropriate legal basis to introduce an obligation to share data with the suppliers for the purposes of the Personalised Offers.This was especially true, they argued, because DSOs in the Netherlands (due to strict unbundling requirements) are not allowed to engage in activities other than those entrusted to them by law. 113In addition, it is relevant to note that art 79 of the Dutch Electricity Act imposes upon DSOs an obligation to ensure that confidential information they hold is not made available to third parties, unless a statutory provision provides otherwise. 114In this sense, the legal context of the Dutch electricity sector explains why DSOs wanted the ICEG to enshrine a legal obligation to provide data for the personalised offers in the first place.
Netbeheer Nederland also expressed that the Decision of the ACM left DSOs at a crossroads.DSOs would either have to comply with the ACM's Decision and share the data with the suppliers, even if they could not invoke another valid ground for personal data processing from the list in art 6 of the GDPR, risking corrective measures from the AP (data protection authority); or they would have to refrain from sharing the data with the suppliers in order to avoid processing data without a basis in the GDPR, risking enforcement actions from the ACM (the energy regulator). 115These and other arguments were the basis for the appeals submitted by NEDU and Netbeheer Nederland before the CBb.

THE CBB RULING
The ruling deciding the appeals focuses mainly on one charge, namely that ACM interpreted the GDPR incorrectly, by concluding in its Decision that the ICEG does not form the basis for a legal obligation within the meaning of art 6, para 1 (c) of the GDPR. 116he CBb ruling starts by acknowledging that the ACM was right in asserting that the Electricity Act 1998 does not allow the introduction of a legal obligation to process (in this case, give access to) personal data in the ICEG. 117In the jargon of the GDPR, this means that, according to the CBb, the ICEG cannot be seen as the basis of a legal obligation to process personal data. 118The CBb based this conclusion on the same parliamentary documents about the ICEG and the advice from the AP cited by the ACM in the explanatory notes of the appealed Decision referred to above.
Nevertheless, the CBb decided to annul the articles of the Decision regulating the transmission of consumer data for the purposes of personalised offers.In the Tribunal's view, despite the explanatory statements, with the contested articles ACM did impose a legal obligation to process (in this case, to share) personal data upon the DSOs, in contravention of the Dutch Electricity Act 1998.That was the case because ACM formulated the attacked articles in a mandatory and unconditional manner, obliging DSOs to provide data to the suppliers, regardless of the existence of a ground for data processing following art 6 of the GDPR. 119This was the reasoning of the CBb to annul the articles concerning the data exchange for the purposes of a customised offer in the ICEG.

CONSEQUENCES OF THE CBB RULING
As already anticipated, the immediate consequence of the ruling was that DSOs decided to stop giving suppliers access to consumer data from the C-AR and the CER, making the preparation of personalised offers more cumbersome for suppliers and consumers.The impact of this ruling is considerable and goes beyond this specific case, casting doubts regarding the alignment between the GDPR and the current system of rules concerning data exchanges in the Dutch electricity sector, in particular concerning the grounds for legitimate personal data processing. 120Although the CBb ruling only annulled two specific articles from the ICEG about one particular data exchange, its reasoning refers to and can be applied to the ICEG as a whole, raising the crucial question of whether there are other exchanges of personal data in the Dutch electricity sector that have no legal basis other than the ICEG itself.
At the moment of writing, the Dutch Ministry of Economic and Climate Affairs (responsible for the energy sector) is preparing a bill for a new Energy Act. 121 It is expected that the new legislation (partly intended to transpose the Recast Electricity Directive) will include a re-design of the rules for data management and data exchange in the energy sector in the Netherlands. 122Concerning the topic of this paper, the latest bill includes provisions that aim at clarifying the obligations of DSOs concerning the sharing of data with eligible parties and thereby the lawful ground(s) for data processing for certain market processes.The first contours of the proposed legislation were published after the CBb ruling here analysed, in July 2020.Although not explicitly acknowledged, it seems plausible that the Personalised Offer case influenced the renewed attention given to data protection and the grounds for personal data processing in the bill.
The next section will zoom out from the specific facts of the Personalised Offer case and will draw lessons concerning the interplay between the Recast Electricity Directive and the GDPR.Suggestions to enhance the alignment between the two legal regimes here studied will be also presented in the next section.

Lessons from the Personalised Offer case
The case described above provides rich insights into how the two legal frameworks here analysed interact in practice and allows us to distil lessons that can guide member states in ensuring consistent application of the two frameworks.The issues here identified are of relevance not only for the Netherlands, but also for other member states.This is the case considering that all member states must lay down rules for access to consumer data following the Recast Electricity Directive and ensure that access to consumer data takes place in compliance with EU personal data protection legislation.In addition, DSOs have a prominent role as data managers not only in the Netherlands, but also in many other member states. 123ith the entry into force of the Recast Electricity Directive, member states should have started to introduce or update the legal framework for access to consumer data. 124he upcoming adoption of the implementing acts concerning interoperability requirements and procedures for access to consumer data (pursuant to art 24 of the Directive mentioned above) might require that member states introduce further adjustments or specifications to their national data access rules.In addition, the ' exchange of data between different actors while respecting privacy and data protection' is one of the focus points of the action plan put forward by the European Commission to further the digitalisation of the energy system in the EU in the coming years. 125All the above presents an opportunity to (re)examine how it will be ensured that access to consumer data can take place in compliance with the GDPR.
The next sections focus on two main lessons that arise from the 'Personalised Offer' case: on the one hand, the importance of ensuring substantive alignment between the rules for access to consumer data adopted by member states and the GDPR; and, on the other hand, the need to strengthen cooperation mechanisms between the supervisory authorities from each regime.

4.1.
Enhancing substantive alignment between the data access rules adopted by member states and the GDPR When regulating access to consumer data following the Recast Electricity Directive, member states should take into account that the obligations and requirements arising from such rules cannot be seen in isolation from the obligations and requirements arising from the GDPR.As explained in section 2 of this contribution, the managers of consumer data are also data controllers or processors in respect of personal data and are bound by the GDPR as much as they are bound by the data access rules.
Compliance with the GDPR is not and 'add-on' but a precondition to access consumers' personal data in the electricity sector.Member states should not disregard this when regulating access to consumer data following the Recast Electricity Directive.As observed in the Personalised Offer case with the decision of the DSOs to stop sharing data with the suppliers, legal uncertainty regarding whether data can be shared in compliance with the GDPR might end up hindering data sharing in the electricity market.
In the explanatory statements of ACM's Decision, the energy regulator asserted that the DSOs (as data controllers under the GDPR) were the ones responsible for finding the appropriate grounds for personal data processing to comply with the data sharing obligations introduced to the ICEG with the Decision.Moreover, the explanatory statements also stated that ACM was not obliged to test the feasibility of the amendments to the ICEG against the GDPR, only against the energy legislation. 126his contribution argues that data managers, in their roles as data controllers or processors, should not be the sole parties responsible to determine how consumer data will be exchanged in compliance with the GDPR.Leaving the issue at the entire discretion of the data managers might be problematic from the perspective of non-discriminatory access to consumer data.This is especially important in member states in which data are managed by DSOs and (unlike in the Netherlands) the national unbundling requirements do not prevent them from being active in other segments of the market, for instance, as energy suppliers. 127In such countries, if there is no clear guidance on how the requirements in the GDPR will be applied in the context of access to consumer data, there is a risk that DSOs (as data managers) will apply stricter data protection requirements when competitors request access to data.
Hence, there is a role to be played by member states (legislators or competent authorities designated to regulate data sharing) to ensure that eligible parties can access consumer data under transparent and non-discriminatory conditions, as well as to ensure the right to the protection of personal data of consumers/data subjects.
Ensuring alignment between the two legal frameworks here analysed requires more than just introducing an explicit reference to the applicability of the GDPR in the data access rules.The GDPR is a general legal framework with many openended provisions, intended to be applied in a broad range of sectors where personal data are processed.Consequently, the provisions in the GDPR are not per se tailored to the specific needs and dynamics of the electricity sector, eg in terms of types of data, the specific risks involved in the processing of such data, and the actors involved in the exchange of dataand vice versa, the sectoral legislation of the electricity market is not primarily designed for the protection of personal data.The exchanges of data in this sector encompass data that do and do not qualify as personal data and must serve policy objectives beyond the protection of personal data.Hence, the substantive alignment of these two legal frameworks cannot be taken for granted.
There are several ways in which member states can contribute to the alignment between the GDPR and the rules for access to consumer data in the electricity sector.One such way concerns the possibility that member states have of specifying the rules in the GDPR by adopting national legal provisions that set out 'the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful'. 128In this regard, member states could clarify, for example, whether certain data exchanges need to be legitimised by a legal obligation, and if there are cases in which the consent of or a request from the consumer is a precondition for the data exchange.
An alternative or complementary approach could be that member states require that data managers draw up codes of conduct, in which they specify the application of the GDPR in the context of access to consumer data.Article 40 of the GDPR provides that associations or other bodies representing categories of controllers or processors can prepare codes of conduct 'intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors'. 129As acknowledged by the European Data Protection Board, codes of conduct are instruments that contribute to legal certainty 'by providing practical solutions to problems identified by particular sectors in relation to common processing activities'. 130esides assisting data managers to comply and demonstrate compliance with the GDPR, drawing up codes of conduct where the data managers explain how they interpret and apply the requirements of the GDPR when providing access to consumer data can contribute to fulfil the transparency and non-discriminatory requirements laid down in art 23 of the Recast Electricity Directive.

The need to strengthen formal cooperation mechanisms between data protection authorities and energy regulators
As anticipated in section 2 of this article and illustrated by the Dutch case described in section 3, the powers of the DPAs and the NRAs are likely to come into contact with each other, as both authorities are competent to oversee access to consumer data, from their respective regulatory fields.The fact that multiple supervisory authorities are competent to supervise the conduct of the same market actors is not per se a problem, because each authority pursues the objectives of its respective regulatory framework.However, cooperation 131 between the supervisory authorities is crucial to ensure consistent application of the two frameworks. 128Recital 10, GDPR.This Recital also recognises that 'Member States have several sector-specific laws in areas that need more specific provisions'.See also art 6, para 2 of the GDPR 129 Art 40, para 1 and 2, GDPR 130 131 The term 'cooperation' is used here in a broad sense, to refer to situations in which different supervisory authorities work together in various degrees of interaction.This term is used because it is employed in the same way in the two legal frameworks here analysed, as will be explained below.However, note that the public administration literature makes a distinction among 'cooperation', 'coordination' and 'collaboration'.For example, in McNamara (2012) these three notions are seen as a continuum.At one end of the spectrum there is 'cooperation', ie when agencies '[choose] to work together, within existing structures and policies, to serve individual interests.In the middle there is 'coordination', ie the 'interaction between participants in which formal linkages are mobilized because some assistance from others is needed to achieve organizational goals'.And at the other end of the continuum is 'collaboration', ie the 'interaction between participants who work together to pursue complex goals based on shared interests and a collective responsibility for interconnected tasks which cannot be accomplished individually'.Madeleine McNamara, 'Starting to Untangle the Web of In the Dutch case, it was observed that each supervisory authority had a different approximation to the issue of legitimate grounds for data processing in the context of the amendments to the ICEG.The advice from the AP questioned the legitimacy of the system of rules in the electricity sector, arguing (among others) that the ICEG cannot be used to legitimise the processing of personal data because its provisions are adopted following proposals submitted by the same market actors that process personal data.In addition, the AP urged the ACM to not adopt the proposed text and consider further how the exchanges of personal data to be regulated in the ICEG would be legitimised, taking into consideration that the ground of legal obligation could not be invoked.The ACM took into account the advice of the AP only partially and adopted the Decision without examining further the issue of grounds for legitimate processing of personal data, arguing that this should be taken care of by the DSOs, leading to the crossroads situation described earlier in this contribution.
DPAs and NRAs are experts in their respective fields, and it is understandable that they do not have sufficient expertise in the working of each other's field.Since access to consumer data is a topic where data protection legislation and electricity market legislation intersect, it is important for the consistent application of these two frameworks that DPAs and NRAs can properly cooperate, to complement each other's expertise and, where appropriate, take joint enforcement actions.
As noted by Lavrijssen Espinosa Apráez and ten Caten, neither the GDPR nor the Recast Electricity Directive provides clear mechanisms for cooperation between the DPAs and NRAs. 132The Recast Electricity Directive mostly focuses on cooperation between NRAs from different member states, the European Commission and the Agency for the Cooperation of Energy Regulators (ACER). 133Regarding cooperation between NRAs and other national authorities, the Directive merely mentions that the NRAs should exercise their powers in close cooperation with other national authorities, mainly competition authorities and consumer protection authorities. 134In the GDPR there are mechanisms to enable cooperation between DPAs of different member states, 135 but nothing is said about cooperation between DPAs and other supervisory authorities such as NRAs.Against this background, there is a role to be played by member states in ensuring that national legal frameworks facilitate the cooperation of these authorities.
The overlap of competences from different supervisory authorities is not a new issue and surely not one happening exclusively in the electricity sector.The convergence of different regulatory domains that is taking place in the context of digital markets (in particular concerning competition, consumer protection and personal data protection law) is also illustrative of this phenomenon.This has led to initiatives to enhance cooperation between the supervisory authorities from each domain, at both the EU and the member state level.These initiatives can serve as a reference to develop cooperation mechanisms between DPAs and NRAs.At the EU level, one example of such initiatives is the 'Digital Clearing House', a platform bringing together regulatory authorities, policymakers and other stakeholders, aimed at achieving 'better and more coherent protection of individuals in an era of big data and artificial intelligence'. 137The Digital Clearing House is a voluntary network of regulatory authorities from the competition, data protection and consumer protection domains, that emerged following a recommendation from the European Data Protection Supervisor (EDPS) in 2016. 138t the member state level, an interesting example is found in the Netherlands.In October 2021, the Dutch DPA (AP), the ACM (as Authority for Consumers and Markets), the Authority for the Financial Markets and the Dutch Media Authority launched the 'Digital Regulation Cooperation Platform'. 139The cooperation between the different authorities is aimed at strengthening oversight in the digital and online environment, by means of exchanging knowledge and experiences, making joint investments in expertise and skills, and exploring avenues to cooperate in enforcement procedures (eg taking joint action). 140A similar initiative exists in the former EU member state the United Kingdom, where the Competition and Markets Authority, the communications regulator (OfCom) and the DPA Another more formal alternative for cooperation is exemplified by bilateral cooperation protocols.In the Netherlands, for example, the DPA (AP) has entered into cooperation agreements with supervisory authorities from different regulatory fields that intersect with the protection of personal dataeg financial services, healthcare, competition law and consumer protection. 142The cooperation protocols include, among other things, provisions regarding periodic meetings between the supervisory authorities, the appointment of contact persons, the exchange of information and guidelines on how to proceed in cases of concurrent powers. 143hese initiatives to further cooperation between different regulators involved in the supervision of digital markets might serve as a reference for member states to devise legal mechanisms for cooperation between energy regulators and DPAs, or to include energy regulators in existing cooperation networks.National legislators can lay down the legal basis and general objectives of such cooperation, and the supervisory authorities can develop the specific arrangements to materialise it.Besides creating a normative framework to enable cooperation between energy regulators and DPAs, it is important that member states make available sufficient resources to allow these authorities to actually cooperate.

Conclusions
The growing interest in consumer data in the context of the EU data economy and the energy transition has led to the inclusion of provisions in the Recast Electricity Directive requiring member states to lay down clear rules for access to such data.Consumer data can also qualify as personal data, thereby triggering the application of the GDPR alongside the data access rules.
Although the Recast Electricity Directive explicitly acknowledges that the exchange of consumers' personal data should be done in accordance with the GDPR, it offers little guidance regarding how this can be achieved.Hence, there is 141 Competition and Markets Authority and others, 'The Digital Regulation Cooperation Forum' (GOV.UK, 10 March 2021) <www.gov.uk/government/collections/the-digital-regulationcooperation-forum>accessed 11 May 2022 142 The legal basis for this is provided by the Uitvoeringswet Algemene verordening gegevensbescherming (UAVG) of 16 May 2018, the act adopted to implement and specify certain aspects of the GDPR in the Netherlands.art, 19 para 1 of the UAVG authorises the AP to establish cooperation protocols with other supervisory authorities '[I]n the interest of efficient and effective supervision of the processing of personal data' (free translation) 143 See for example, the latest cooperation protocol between the AP and the ACM, for topics in which their powers converge, including competition law, consumer protection and sector-specific market supervision, Samenwerkingsprotocol tussen Autoriteit Consument en Markt en Autoriteit Persoonsgegevens, dated 18 June 2020 (Staatscourant 2020, 36741) <https://zoek.officielebekendmakingen.nl/stcrt-2020-36741.html> accessed 13 May 2022.Interestingly, by the time of the events of the Personalised Offer case, there was also a Collaboration Protocol in force: Samenwerkingsprotocol tussen Autoriteit Consument en Markt en Autoriteit Persoonsgegevens, dated 11 October 2016 (Staatscourant 2016, 58078) <https://zoek.officielebekendmakingen.nl/stcrt-2016-58078.html> accessed 13 May 2022.However, this Protocol is not mentioned by the ACM in its Decision or in the request for advice to the AP.This might be related to the fact that the Protocol seems to be mostly intended to cover cooperation in enforcement actions, and in the Personalised Offer case, the issue at hand was not an enforcement action but the adoption of data access rules for the electricity sector Journal of Energy & Natural Resources Law 427 a role to be played by member states to organise and regulate efficient and nondiscriminatory access to consumer data in a way that the protection of personal data is ensured.This article analysed a case from the Dutch electricity sector (the Personalised Offer case), which illustrated the challenges of applying simultaneously the GDPR and the sectoral rules for access to consumer data.The overall conclusion to take from this analysis is that member states (in particular, legislators and national supervisory authorities) should take steps to avoid legal uncertainty and ensure the consistent application of both frameworks, making it possible for consumer data to be accessed while safeguarding personal data protection.
Even if the case is based on the specific regulatory context of the Netherlands at the time of the events, the issues here identified can also play a role (mutatis mutandi) in other member states, taking into account that DSOs have an important involvement in data management in many countries, and the fact that all member states have to appoint DPAs and NRAs.
Two main lessons from the case were discussed in section 4: firstly, the importance of ensuring substantive alignment between the rules for access to consumer data adopted by member states and the GDPR; and, secondly, the need to strengthen cooperation mechanisms between the supervisory authorities from each regime, namely NRAs and DPAs.Since the Recast Electricity Directive does not deal with the issues here identified, member states ought to be proactive when regulating access to consumer data and not limit themselves to making explicit reference to the applicability of the GDPR.Concrete suggestions of what could be done to strengthen substantive alignment between the two legal frameworks here analysed and cooperation of the concurrent supervisory authorities were also provided in section 4.
The research here presented focused on extracting lessons from the Dutch case concerning the two main issues already explained.Of course, this does not exclude that there might be other challenges arising from the interplay of the GDPR and EU electricity legislation. 144n interesting avenue for further research would be to examine to what extent member states pay attention to the interplay between the two frameworks when transposing the Recast Electricity Directive, and whether measures are taken to ensure substantive alignment and cooperation between the supervisory authorities.A question that may follow from such exploration (if it turns out that member states follow divergent interpretations or approaches) is to what extent further harmonisation of data protection in the electricity sector is necessary to ensure equivalent protection of personal data across the EU and/or to avoid obstructions to the internal market for electricity.A similar question was proposed already in 2012 by the European Data Protection Supervisor in its Opinion concerning the roll-out of smart meters under the Third Energy Package and the Data Protection Directive (Directive 95/46/EC). 145Observing how member states deal with the challenges of applying the current data protection and electricity legislation can provide the input to answer this important question.
) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules forthe internal market for electricity and amending Directive 2012/27/EU, OJ L 158/125 [hereinafter 'Recast Electricity Directive'], art 23 8

9
Art 23, para 1, Recast Electricity Directive 10 Art 23, para 2, Recast Electricity Directive 11 Art 23, para 3, Recast Electricity Directive 12 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1 13 In this regard, see Saskia Lavrijssen, Brenda Espinosa Apráez and Thijs ten Caten, 'The Legal Com- 15Kaisa Huhta, 'Smartening Up While Keeping Safe?Advances in Smart Metering and Data Protection under EU Law' (2020) 38 Journal of Energy & Natural Resources Law 5 <https://doi.org/10.1080/02646811.2019.1622244>16 Inge Graef, Jasper van den Boom and Martin Husovec, 'Spill-Overs in Data Governance: Uncovering the Uneasy Relationship Between the GDPR's Right to Data Portability and EU Sector-Specific Data Access Regimes' (2020) 9 Journal of European Consumer and Market Law 3 <https:// kluwerlawonline.com/journalarticle/Journal+of+European+Consumer+and+Market+Law/9.1/EuCML2020002> Since this provision June 2021 37 This was, however, one of the options considered by the European Commission in the Impact Assessment of the Recast Electricity Directive; see European Commission, 'Impact Assessment Recast Elec- 38icity Directive SWD (2016) 410 Final' (n 26) 457 (Part 5/5)38The Recast Electricity Directive, art 23, para 3 specifies that the processing of personal data pursuant to the Electricity Directive 2019 shall be carried out in accordance with the GDPR39Recast Electricity Directive, art 23, para 2, and recital 57 40 European Commission, 'Proposal for a Directive of the European Parliament and of the Council on Common Rules for the Internal Market in Electricity (Recast)' (2017) COM(2016) 864 final/2 2016/0380(COD) <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX% 3A52016PC0864R%2801%29> accessed 10 May 2022 Heike Schweitzer and Robert Welker, 'A Legal Framework for Access to Data -A Competition Policy Perspective' in German Federal Ministry of Justice and Consumer Protection and Max Planck Institute for Innovation and Competition (eds), Data Access, Consumer Interests and Public Article 29 Data Protection Working Party, 'Guidelines on the Right to Data Portability (Adopted on 13 December 2016, as Last Revised and Adopted on 5 April 2017)' (2017) WP 242 rev.01 9-10 <https://ec.europa.eu/newsroom/article29/items/611233/en> accessed 11 May 2022 51 For further reading on the right to data portability, see Article 29 Data Protection Working Party, 'Guidelines on the Right to Data Portability' (n 50); Paul De Hert and others, 'The Right to Data Portability in the GDPR: Towards User-Centric Interoperability of Digital Services' (2018) 34 Computer Law & Security Review 193 <www.sciencedirect.com/science/article/pii/S0267364917303333> accessed 11 May 2022; Inge Graef, Martin Husovec and Nadezhda Purtova, 'Data Portability and Data Control: Lessons for an Emerging Concept in EU Law' (2018) 19 German Law Journal 1359 <www.cambridge.org/core/journals/german-law-journal/article/dataportability-and-data-control-lessons-for-an-emerging-concept-in-eu-Welfare(1st edn, Nomos Verlagsgesellschaft mbH & Co KG 2021) <https://doi.org/10.5771/9783748924999-103> accessed 11 May 2022 54 Art 1 and recital 170, GDPR 55 A controller is a natural or legal person, public authority or agency which (alone or jointly with others) determines the purposes and means of the processing of personal data, or which has been nominated as controller by EU or member state law.See art 4 (7) GDPR 56 'Processor' means 'a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller', rt 4 (8) GDPR Journal of Energy & Natural Resources Law 411 implement technical and organisational measures to comply with data protection rules and principles.
101Art 6, para 1, GDPR, literals (b) to (f) stipulate that the processing of personal data is lawful when it is necessary for: (b) the performance of a contract or to take steps to enter into a contract; (c) compliance with a legal obligation to which the controller is subject; (d) protecting the vital interests of the data subject or another natural person; (e) the performance of a task carried out in the public interest or the exercise of official authority by the data controller; (f) legitimate interests pursued by the controller or a third party Journal of Energy & Natural Resources Law 417 European Data Protection Board, 'Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies Geursen and Axel Arnbak, 'Kaleidoscopic Data-Related Enforcement in the Digital Age' (2020) 57 Common Market Law Review 1461 <www.kluwerlawonline.com/api/Product/CitationPDFURL? file=Journals\COLA\COLA2020744.pdf>accessed 13 May 2022.On the convergence of different regulatory domains in the context of digital markets see among others Natali Helberger, Frederik Zuiderveen Borgesius and Agustin Reyna, 'The Perfect Match?A Closer Look at the Relationship between EU Consumer Law and Data Protection Law' [2017] Common Market Law Review 1427 <www.kluwerlawonline.com/api/Product/CitationPDFURL?file=Journals\COLA\COLA2017118.pdf> accessed 11 May 2022; Inge Graef and Sean van Berlo, 'Towards Smarter Regulation in the Areas of Competition, Data Protection and Consumer Law: Why Greater Power Should Come with Greater Responsibility' (2021) 12 European Journal of Risk Regulation 674 <www.cambridge.org/core/journals/european-journal-of-risk-regulation/article/towards-smarter-regulation-in-the-areas-ofcompetition-data-protection-and-consumer-law-why-greater-power-should-come-with-greaterresponsibility/8B00EFC66EA7F599DB9B700B1720ABAD> accessed 13 May 2022 137 'Digital Clearinghouse' (Digital Clearinghouse, n.d.) <www.digitalclearinghouse.org>accessed 13 May 2022 138 European Data Protection Supervisor, 'EDPS Opinion on Coherent Enforcement of Fundamental Rights in the Age of Big Data' (EDPS 2016) Opinion 8/2016 <https://edps.europa.eu/sites/edp/files/publication/16-09-23_bigdata_opinion_en.pdf>accessed 13 May 2022 139 In Dutch: Samenwerkingsplatform Digitale Toezichthouders (SDT).See Autoriteit Persoonsgegevens, 'Dutch Regulators Strengthen Oversight of Digital Activities by Intensifying Cooperation' (Autoriteit Persoonsgegevens, 13 October 2021) <https://autoriteitpersoonsgegevens.nl/en/news/dutchregulators-strengthen-oversight-digital-activities-intensifying-cooperation>accessed 13 May 2022 140 For example, in early 2022, the members of the Digital Regulation Cooperation Platform announced that they will launch a study to investigate to what extent businesses, organisations and governments provide clear and sufficient information to internet users regarding how their data are used.The findings of the study will be used by the members of the Platform to jointly 'draw up basic principles for effective, online transparency', and to signal to the Dutch legislator whether the existing legal frameworks need to be adapted to prevent or counter harmful practices.Authority for Consumers & Markets, 'Dutch Regulators Press for Better Information about Online Use of Internet Users' Data' (ACM, 2 March 2022) <www.acm.nl/en/publications/dutch-regulators-press-better-information-about-onlineuse-internet-users-data>accessed 13 May 2022 (Information Commissioner's Office) launched a Digital Regulation Cooperation Forum. 141