Greenhouse Gas Data Confidentiality Takes Two Steps Forward
Earlier this year, the EPA issued a notice of proposed rulemaking that would amend provisions in its Greenhouse Gas Reporting Rule altering data collection including expanding the confidentiality of data collected. Then last month, California Governor Gavin Newsom signed the Delete Act overhauling the State’s data broker law.
At a time when the world’s most valuable resource is no longer oil but data, we recently blogged about this new and emergent space in Do You Own Your GHG Emission Data? And considering the Trillions (.. yes, T, Trillions) of dollars involved we also blogged, Tenants Monetizing Their Greenhouse Gas Emission Data.
Best in class companies recognize it is time for business to own their own GHG data.
Today under its Greenhouse Gas Reporting Rule, EPA requires the reporting of GHG emission data by more than 7,500 businesses whose emissions exceed 25,000 metric tons of CO2e per year including fuel and industry gas suppliers.
EPA previously admitted in a Federal Register notice, “due to the large numbers of entities reporting” GHG data, it cannot timely address data security and privacy concerns over confidential business information because the information the Agency has “.. must be available to the public.” But then in Food Marketing Institute v. Argus Leader Media, the Supreme Court ruled where commercial information is both customarily and actually treated as private by its owner and provided to the government under an assurance of privacy, the information is “confidential” within the meaning of 5 U. S. C. §552(b)(4), the Freedom of Information Act’s Exemption 4.
In response to that Supreme Court decision, EPA revised its approach to confidentiality. The Greenhouse Gas Reporting Rule requires reporting of numerous data elements to characterize, quantify, and verify GHG emissions and related information, and on May 22, 2023, EPA published the proposed rule, Revisions and Confidentiality Determinations for Data Elements Under the Greenhouse Gas Reporting Rule.
When final, it will remain EPA’s reporting platform, but it will be business data and businesses will own it.
Then on October 10, 2023, the California Delete Act that had been SB 362, became law, bolstering the state’s existing data broker registry law by, in part, requiring more disclosure by companies that regularly and systematically collect, analyze, and share or sell the personal information of consumers and proprietary information of businesses. This includes data brokers that collect and profit, including utility data and other GHG emission relevant data, from this data without having any direct relationship with the utility consumer or business whose information they amass.
Of note, the updated California law also expands rights to have data deleted and requires the state to create an accessible deletion mechanism that allows, through a single request, to request that every data broker to delete personal or business information, including utility data, held by the data broker.
And the risk associated with this utility and associated data is dramatic in scope and vulnerabilities all of which are exacerbated when the data is not held confidentially. There have been media accounts in recent months about cybercriminals, malware, and more, who appreciate the dollar value that passes hands in the utility sector, about nation state actors who may want to cause disruptions, and hackers who oppose a utilities agenda (from a substation location to GHG reductions), and more. Because utilities are geographically diverse by nature there are untold points of entry for malicious activity. And the sector’s broad and expanding use of technology from wireless smart meters, to aggregating customer data for sale to government actors, all of it often managed by third parties, create heightened risk for businesses that simply need access to electric and gas power. A building owner ‘air gapping’ or transmitting data via a third party provider of its utility operational technology systems is important but does not provide adequate security for its utility and associated GHG data.
And while GHG data confidentiality has taken two steps forward with these enactments it takes one big step backward when despite that EPA will going forward treat as confidential information in EPA’s GHG large emitter program it inexplicably does not afford similar protections to businesses inputting data in the EPA Energy Star Portfolio Manager program in clear violation of federal law as made clear by the U.S. Supreme Court in the Argus Leader case. As increasing numbers of state and local government building energy performance standards (BEPS) mandate that thousands upon thousands of businesses utilize Portfolio Manager without any express safeguards despite that most of those governments (e.g., Maryland) have the same or similar obligations for business data confidentiality that the U.S. Supreme Court found in Argus Leader under their existing exemptions in state freedom of information act laws. There are increasing calls to correct these dangerous violations of law expressly affording confidentiality protections to those businesses mandated to input their data into Portfolio Manager including when done in response to the increasing number of mandatory BEPS.
Best in class companies not only recognize it is time for business to own their own data and profit from it while also protecting themselves from utility sector data vulnerabilities, including those driven by wrongheaded government actors who in the name of responding to climate change have no regard for the risks that arise from the failures of confidentiality.
Businesses must protect their data, not to mention monetize it for their benefit, and can do both while at the same time leading the way toward decarbonizing the economy and repairing the world.
A live webinar “How to Make ‘Net Zero’ Pledges and Claims” 30 talking points in 30 minutes, Tuesday, November 21 at 9 am ET presented by Stuart Kaplow and Nancy Hudes on behalf of ESG Legal Solutions, LLC. The webinar is complimentary, but you must register here.