IoT and Privacy, are we ready?

Security risks when it comes to massive devices interconnection

How far is IoT from becoming a reality? The connectivity, the skills, the storage and analysis capacity, the devices, a high speed of response… All of them are technology already available but why it is not implemented in business and society yet?

IoT systems involve the processing of huge amount of data, which are shared on a large scale between interconnected devices. Information travelling across lot of networks might result in a high risk of being compromised if there are no appropriate security and control standardised measures in place.

The European Commission and other regulation bodies are aware of this situation and are taking action in order to prevent data breaches and cybersecurity threats. The launch of the Alliance for Internet of Things Innovation (AIOTI) and the adoption of the Digital Single Market (DSM) Strategy are some of the initiatives.

Inspired on the “Good Practices for Security of Internet of Things in the context of Smart Manufacturing” document published by the European Union Agency For Network and Information Security (ENISA), Aphaia highlight the main privacy risks derived from IoT processes in order to detail feasible security measures and its relation with the GDPR in our next following videos.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.

GDPR territorial scope

The European Data Protection Board publishes guidelines on the territorial scope of the GDPR.

The European Data Protection Board (EDPB) has recently published guidelines on the territorial scope of the GDPR, in order to clarify the cases where GDPR applies according to Article 3. Territorial scope of the GDPR is defined based on two main criteria: the “establishment” criterion (1) and the “targeting” criterion (2).

  • -Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

The concept of establishment extends to any real and effective activity, even where it is minimal, exercised through stable arrangements. It may include activities carried out over the internet even if there is only one single employee or agent with presence in the Union, where he or she acts with a sufficient degree of stability.

In the context of” involves all those processing activities taking place outside the Union that are inextricably linked to the activities of a local establishment in a Member state. “Inextricable link” is therefore the criterion to determine the application of the GDPR in the context of an establishment in the Union, but EDPB considers that it should be analysed on a case-by-case basis and additional elements like revenue-raising in the EU should also be taken into account.

EDBP underlines that a non-EU controller having a processor in the Union does not imply that such controller is processing data in the context of an establishment in the Union, because the processor merely provides a service, which does not qualify as activity “inextricably linked”.

  • -Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, or the monitoring of their behaviour.

EDBP stresses the location of the data subject in the territory of the Union as the determining factor to be assessed at the moment when the relevant trigger activity takes place, while nationality or legal status of a data subject are not relevant to this extent. This criterion will not apply when the processing of personal data relates to an individual alone.

In addition, this criterion will only trigger the application of GDPR where the conduct on the part of the controller or processor clearly demonstrates its intention to offer goods or services to a data subject located in the Union, which would be ascertained based on some elements such the designation by name of a Member State with reference to the good or service offered, the use of EU search engines, the features of the marketing campaigns or the existence of specific addresses, telephone numbers, domain, currency or language for the EU.

  • -Furthermore, GDPR will as well apply to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.

GDPR Challenges For Artificial Intelligence

Data protection in algorithms

Technological development is enabling the automation of all processes, as Henry Ford did in 1914; The difference is that now instead of cars we have decisions about privacy. Since GDPR came into force on 25th May 2018, lots of questions have arisen regarding how the Regulation may block any data-based project.

In this article, we aim to clarify some of the main GDPR concepts that may apply to the processing of large amounts of data and algorithm decision-making. It has been inspired by the report the Norwegian Data Protection Authority -Datatilsynet- published in January this year: “Artificial Intelligence and Privacy”.

Artificial intelligence and the elements it comprises like algorithms and machine/deep learning are affected by GDPR for three main reasons: the huge volume of data involved, the need of a training dataset and the feature of automated decision-making without human intervention. These three ideas reflect four GDPR principles: fairness of processing, purpose limitation, data minimisation, and transparency. We are briefly explaining all of them in the following paragraphs – the first paragraph of each concept contains the issue and the second one describes how to address it according to GDPR.

One should  take into account that without a lawful basis for automated decision making (contract/consent), such processing cannot take place.

Fairness processing: A discriminatory result after automated data processing can derive from both the way the training data has been classified (supervised learning) and the characteristics of the set of Data itself (unsupervised learning). For the first case, the algorithm will produce a result that corresponds with the labels used in training, so if the training was biased, so will do the output. In the second scenario, where the training data set comprises two categories of data with different weights and the algorithm is risk-averse, the algorithm will tend to favour the group with a higher weight.

GDPR compliance at this point would require implementing regular tests in order to control the distortion of the dataset and reduce to the maximum the risk of error.

Purpose limitation: In cases where previously-retrieved personal data is to be re-used, the controller must consider whether the new purpose is compatible with the original one. If this is not the case, a new consent is required or the basis for processing must be changed. This principle applies either to the re-use of data internally and the selling of data to other companies. The only exceptions to the principle relate to scientific or historical research, or for statistical or archival purposes directly for the public interest. GDPR states that scientific research should be interpreted broadly and include technological development and demonstration, basic research, as well as applied and privately financed research. These elements would indicate that – in some cases – the development of artificial intelligence may be considered to constitute scientific research. However, when a model develops on a continuous basis, it is difficult to differentiate between development and use, and hence where research stops and usage begins. Accordingly, it is therefore difficult to reach a conclusion regarding the extent to which the development and use of these models constitute scientific research or not.

Using personal data with the aim of training algorithms should be done with a data set originally collected for such purpose, either with the consent of the parties concerned or, to anonymisation.

Data minimisation: The need to collect and maintain only the data that are strictly necessary and without duplication requires a pre-planning and detailed study before the development of the algorithm, in such a way that its purpose and usefulness are well explained and defined.

This may be achieved by making it difficult to identify the individuals by the basic data contained. The degree of identification is restricted by both the amount and the nature of the information used, as some details reveal more about a person than others. While the deletion of information is not feasible in this type of application due to the continuous learning, the default privacy and by design must govern any process of machine learning, so that it applies encryption or use of anonymized data whenever possible. The use of pseudonymisation or encryption techniques protect the data subject’s identity and help limit the extent of intervention.

Transparency, information and right to explanation: Every data processing should be subject to the previous provision of information to the data subjects, in addition to a number of additional guarantees for automated decision-making and profiling, such as the right to obtain human intervention on the part of the person responsible, to express his point of view, to challenge the decision and to receive an explanation of the decision taken after the evaluation.

GDPR does not specify whether the explanation is to refer to the general logic on which the algorithm is constructed or the specific logical path that has been followed to reach a specific decision, but the accountability principle requires the subject should be given a satisfactory explanation, which may include a list of data variables, the ETL (extract, transform and load) process or the model features.

A data protection impact assessment carried by the DPO is required before any processing involving algorithms, artificial intelligence or profiling in order to evaluate and address the risk to the rights and freedoms of data subjects.


Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.

GDPR biometric data explained by Spanish DPA

Spain Supervisory Authority (AEPD) opinion on GDPR biometric data

AEPD 10thAnnual Session took place last June, and some of the main questions that were addressed in the meeting have now been publicly published.

Participants were specially concerned about GDPR biometric data and its processing under certain circumstances, like labour sphere.

Spanish Data Protection Legislation previous to GDPR (LOPD) did not contain any specific definition of “biometric data”, but it was instead included within the general concept of “personal data”. It means that there were no particular requirements to be taken into account for the processing of such information.

According to RGPD, “biometric data” is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. Additionally, GDPR biometric data is a special category of personal data (Article 9 GDPR), which means that its processing shall be prohibited except for some cases, like explicit consent from the data subject.

As one could note, there is a big difference between the previous legislation (AEPD) and the current one (RGPD), which has not been totally implemented yet, so that is why AEPD opinion becomes so important for latest and future data protection issues in Spain.

Participants asked about the use of biometric technology with facial recognition in case any Article 9 GDPR exception apply. AEPD claimed that minimisation and lawfulness should govern any data processing. However, two scenarios were underlined: labour sphere and critical infrastructures. The latter requires additional security measures that might themselves justify the use of biometric technologies. Labour sphere is subject to specific Labour Legislation (“Estatuto de los Trabadores (ET)” in Spain) which imposes its own requirements. AEPD stated that, according to such Legislation, the use of biometric data in companies falls under the scope of employee monitoring, so it is subject to proportionality and prior information instead of employees’ consent. Nevertheless, AEPD did stress the importance of good practices, and asserted that it is highly recommended to avoid storing such data (e.g. including the data in a smart card which is always in employees’ possession).

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.