The Article 29 Data Protection Working Party (“Working Party”), the independent European advisory body on data protection and privacy, comprised of representatives of the data protection authorities of each of the EU member states, the European Data Protection Supervisor (the “EDPS”) and the European Commission, has identified a number of significant data protection challenges related to the Internet of Things. Its recent Opinion 08/2014 on the Recent Developments on the Internet of Things (the “Opinion”), adopted on September 16, 2014 provides guidance on how the EU legal framework should be applied in this context. The Opinion complements earlier guidance on apps on smart devices (see InsidePrivacy, EU Data Protection Working Party Sets Out App Privacy Recommendations, March 15, 2013).

Internet of Things

The Internet of Things (“IoT”) refers to an “infrastructure in which billions of sensors embedded in common, everyday devices […] are designed to record, process, store and transfer data.” The Opinion focuses on three specific IoT developments, which are considered exemplary of most of the main privacy issues related to IoT, namely:

  • Wearable Computing (such as watches and glasses);
  • Quantified Self things which record information about the individuals’ own habits and lifestyles (such as sleep trackers); and
  • Home automation (“domotics”), such as connected smoke alarms or washing machines.

By contrast, the Opinion does not deal specifically with B2B applications and more global issues like smart cities.

Data protection challenges

The Working Party identifies the following main data protection challenges related to IoT:

  • lack of control over the dissemination and flows of data and excessive self-exposure of the users;
  • low quality or invalid consent;
  • possibility to infer other information with a totally different meaning from the data and use of the data for secondary purposes;
  • detection of behaviour patterns and profiling through intrusive surveillance;
  • limited possibility to use services anonymously; and
  • increased security risks (for instance, many sensors are not capable of establishing an encrypted link and are vulnerable to physical attacks, eavesdropping or proxy attacks; absence of automatic updates).

The stakeholders

The IoT usually involves multiple stakeholders, including:

  • device manufacturers;
  • social platforms;
  • third party application developers; and
  • IoT data platforms.

In the Working Party’s view, all these stakeholders may qualify as data controllers under EU data protection law and are therefore responsible to comply with the different obligations imposed on controllers under the EU Data Protection Directive 95/46/EC. The Opinion also briefly discusses the consent requirement for the use of cookies or similar tracking technologies in the ePrivacy Directive, as amended.

EU data protection framework

The Working Party considers that the EU data protection framework applies to non-EU controllers by virtue of the “make use of equipment” provision in Article 4 of the EU Data Protection Directive. Not only would the objects that collect and further process the individuals’ data in the context of the provision of services in IoT qualify as equipment, but also the users’ terminal devices (e.g., smartphones) on which software or apps were installed to monitor and send the collected data.

The Opinion discusses a number of provisions that deserve specific attention in the context of IoT, namely:

  • Legal basis for processing. The Working Party considers that consent “is the first legal basis that should be principally relied on in the context of the IoT.”. The two other legal bases are “necessity for the performance of a contract” and “the legitimate interest” grounds for processing. In case of sensitive data (including cases where the recorded data only reveal sensitive data through inferences), explicit consent is required for data processing.  Data subjects must have a possibility to effectively withdraw any prior consent. The Working Party requires that withdrawal schemes be fine grained, allowing to withdraw consent with respect to (i) any data collected by a specific thing; (ii) a specific type of data collected by anything; and (iii) a specific processing (operation). Controllers should offer an option to disable the “connectivity” feature and to allow the thing to provide the usual functionalities without the connected functionality (for example, it should be possible to use a smart fire alarm as a fire alarm without any of its smart features).
  • Transparency. The Working Party recalls the obligation to communicate specific information to data subjects in application of Articles 10 and 11 of the EU DP Directive (see also the next point). Controllers should provide the information in a user-friendly way.
  • Data quality. The Working Party interprets the fairness principle as meaning that personal data never be collected and processed without the individual being aware of it.  It hence requests  that controllers inform all individuals in the geographical or digital vicinity of connected devices (for instance, by broadcasting a signal) when data related to them or their environment are collected. The Working Party insists that controllers only collect data for specified, explicit and legitimate purposes (“purpose limitation”) and limit the data collection to what is strictly necessary for the so-defined specific  purpose(s) (“data minimization”).  Data collected and processed in the context of IoT should be kept for no longer than is necessary (for instance, data should be deleted once the subscription is cancelled).
  • Security. The Working Party considers controllers to be fully responsible for the security of the data processing. Controllers should perform security assessments of the systems as a whole. The Working Party also calls for the certification of devices and the alignment with internationally recognised security standards. Subcontractors should be held by high security standards. Privacy protections should be built-in from the very outset (“privacy by design”), for instance, by disabling certain critical functionalities by default. The Opinion discusses the importance of automatic updates (security patches) or alternative solutions to support the device. Controllers should also have an adequate policy of data breach notification.
  • Rights of the data subject. IoT stakeholders must allow the subscribers of IoT services, device owners and any individual whose personal data are processed to exercise their rights. Providing access to the raw data and enabling data portability are considered essential to end situations of user “lock-in”. The Working Party stresses the importance of “user empowerment” and “the principle of self-determination of data” in this respect.

The Opinion concludes with an extensive list of more specific recommendations for each of the IoT stakeholders.  Importantly, the Working Party requires controllers to perform privacy impact assessments (“PIAs”) before launching any new applications and to apply the principles of Privacy by Design and Privacy by Default.

It also noteworthy that the Opinion emphasizes the importance of standardisation in several instances. Standards should be developed, in particular, for a common protocol to express preferences with regard to data collection and processing; a standardized format for raw and aggregated data; portable and interoperable data formats for data export and transfer; a baseline for security and privacy safeguards; and lightweight encryption and communication protocols.