**1. Introduction**

The smart grid is a worldwide modernization of electrical power systems in the 21st century. Two-way communication networks enable smart grids to collect real-time data from both the electricity supply (i.e., power stations) and demand (i.e., households) sides, and further boost the power system's reliability, availability, and efficiency.

As an essential enabler and prerequisite of the smart grid, smart meters are being installed country- and world-wide at single houses to collect real-time data on energy consumption. Smart meters offer an opportunity to consumers to play an active role in household energy consumption management. Based on these advantages, the UK government is working to ensure 80% of households install smart meters by 2020, paving the way for future smart grid construction [1].

However, with the EU's mandate to install smart meters, worries about privacy intrusions caused by smart meters are rising. Researchers point out that private household information can be revealed by smart meters [2–4]. Through continuously monitoring the real-time smart meter data, third parties (TP) could have an inside view of household activities and behaviours (e.g., how many residents live in the house, when people leave the home, what the residents are doing at particular times, such as sleeping, bathing, watching TV, washing clothes, etc.). Although data collection may be justified on ethical grounds of utilitarianism (i.e., ensuring the greater, collective good of energy efficiencies in smart grids), the intrusion into privacy could also have negative ethical social consequences, including the conditional shaping of freedom and behaviour of individuals and households [5,6].

A more reliable smart metering system is urgently needed to improve privacy and security. There are three operational methods to protect households' privacy: (a) user demand shaping, (b) data manipulation, and (c) encryption techniques. User demand shaping approaches modify electricity data using methods such as energy storage systems or rechargeable batteries in households [7]. This requires the installation of extra devices, which is expensive. Data manipulation approaches modify energy data before sending it to TP (i.e., utility companies) by employing strategies like data obfuscation, data aggregation [8], data down-sampling, encryption protocols [3], or data anonymization. However, these methods sacrifice functionalities to protect privacy. Encryption techniques include homomorphic encryption (HE) and multi-party computation (MPC); these techniques encrypt the input data and can still implement essential operations with encrypted data, but techniques such as HE also cause computing overhead, increasing the budget.

At a legal level, the General Data Protection Regulation (GDPR) has been in force since 25 May 2018 [9]. Covering all European countries, the purpose of GDPR is to protect all EU citizens from privacy and data violations, providing more power to individuals to control their personal information. With these operational and legal possibilities, it is also important to consider 'soft' ethical strategies that use them to contribute to protecting household privacy, potentially enabling households to be more in control of their digital data [10]. One such strategy is that of considering different stakeholders involved or affected by digital data gathering [11].

In this paper, we extend the approach from [8,12,13] to the combined use of existing data aggregation and data down-sampling techniques to design a privacy-preserving smart metering system. The system follows an operational and ethically (consequentialist) driven trade-off strategy and model which could contribute to increasing functionalities of current smart metering devices in smart grids whilst ensuring that digital privacy intrusion is minimised and protected if not appropriately governed. In addition, the system provides three different communication channels for data collection to enable diverse data granularity transmission to TP, with each channel also providing required functionalities (time-of-use billing, grid operation and management, and TP services). We present our system and discuss the results of testing it with implications for the future design or management of smart meters by TP and households.

The paper is organized as follows: A presentation of smart grids and smart metering systems with ethical concerns about privacy intrusion is offered in Section 2. A review of current operational strategies to deal with privacy intrusion is presented in Section 3. In Section 4 our main contribution is proposed: a trade-off strategy is discussed with a proposed new smart metering system model to support it. A simulation to quantify the privacy boundary is given in Section 5. The conclusion, implications, and future work are presented in the last sections of the paper.
