As individuals, we can already communicate with different objects and devices using established online connections. The Internet of Things (IoT) takes this a step further and tries to define programmed relations and communication among the devices and objects themselves. Such connections, enabled by the use of a number of sensors, can bring many benefits to society and to the individual, but at the same time raise privacy and data protection concerns.
The European Commission started working on IoT developments a while ago and established a special IoT working group. As a result, the Commission published a report on the IoT in 2013. Although the report identified several possible privacy issues, it did not envisage the need for any specific legislation until the proposed Data Protection Regulation has been enacted.
In July 2014 the Commission published a communication ‘Towards a thriving data-driven economy’, in which it forecast the funding of a series of projects related to the IoT technology. While the Commission does not give any specific directions regarding the upcoming projects, this shows that the Commission recognizes the need for continuous work on the IoT.
A step further
In September 2014, the European Union Working Party 29 (WP29) issued an Opinion on the recent developments of the IoT. Compared to the Commission's approach so far, the WP29 Opinion takes a step further and provides guidelines for various stakeholders related to the IoT. The Opinion focuses on three IoT developments, namely (1) wearable computing, such as watches and glasses; (2) quantified self, which represents devices that record an individual’s lifestyle; and (3) domotics, such as smoke alarms, thermostats, etc.
Furthermore, in the Opinion WP29 debates the scope of EU law, discusses the obligations of different stakeholders that act as data controllers, and issues recommendations to each group of stakeholders.
The territorial scope of EU data protection law has been the subject of many debates since the publication of the Data Protection Regulation proposal in 2012, especially in the context of data controllers not established in the EU. With regard to the IoT, the WP29 clarifies that the EU data protection rules are likely to apply also to data controllers not established in the EU if they use equipment placed in the EU. Such equipment includes not only the IoT devices but also smartphones or tablets with installed software that can communicate with the IoT devices.
IoT devices can, with their numerous sensors, collect and process enormous amounts of data. Given the broad interpretation of the notion of personal data in the EU data protection law, much of the collected data is considered ‘personal data’. Furthermore, data processing by IoT devices can be particularly delicate if data controllers are able to learn sensitive information (e.g. individual’s health, ethnicity, political beliefs …) from the data so gathered. EU laws prohibit the processing of sensitive data without individuals’ explicit consent.
Users must be aware of data processing activities
When it comes to the data processing obligations of data controllers, the WP29 refers to already existing data protection legislation. Thus, the IoT stakeholders have to follow already established obligations that are explained in more detail in the White paper on Big Data.
WP29 believes that users’ consent should be the most important legal ground for conducting IoT data processing. However, the WP29 recognises other possibilities, such as the legitimate interest of the data controller in a specific data processing situation. Personal data can be processed only for specified, explicit and legitimate purposes, which have to be defined and communicated prior to the beginning of the data processing.
It is particularly important that users of the IoT devices are aware of data processing activities, which enables them to exercise their legally granted rights, such as the right to access. WP29 argues that such rights should not be limited only to the subscribers of the IoT services but available to any individual whose data are being processed. Retention periods for the gathered data should be short and data should not be kept for longer than necessary in order to fulfill the purposes of the collection.
Data controllers should apply adequate security measures in order to safeguard the data and minimize the possibility of a data breach. Particularly problematic are the communication channels among the devices themselves, as they often fail to encrypt the communicated data. Apart from all the obligations related to data processing, the WP29 emphasizes the importance of users being able to continue using the device if they decide to opt out. Such a device should enable the features that would be assigned to its unconnected counterpart.
Specific recommendations for stakeholders
The WP29 concludes the opinion with some specific recommendations for stakeholders.
They are generally advised to carry out a privacy impact assessment before they launch any new applications for Internet of Things devices; not to keep raw data for longer than is necessary; and to empower users with control over their data.
OS and device manufacturers are particularly advised to consider the data minimization principle and to enforce transparency and user control. Furthermore, they should communicate data subjects’ opt-outs to all other stakeholders; facilitate local storage and data processing in order to minimize data transfers; and use simple language when informing users about the vulnerability of their IoT device.
Application developers should enable apps to frequently remind users of the ongoing data processing by their IoT devices.
Social platforms should enable user review of the information originating from the IoT device prior to its publication. The setting for such publications should not be public by default.
IoT device owners and additional recipients should not economically penalize users or hinder access to the capabilities of their devices if the users refuse to consent to data processing.
Standardization bodies and data platforms should promote interoperability among IoT devices; proper data anonymization; and develop certified standards, which would facilitate privacy safeguards for data subjects.
The complete scope of the recommendations can be found in the Opinion. The WP29 Opinions are not legally binding documents, but they serve as guidelines to the national data protection authorities (DPAs). The DPAs often follow such guidelines; however, they are also able to issue their own guiding principles. Given that there is not much guidance with regard to the IoT on the national level yet, we can expect such developments in the future.