The Internet of things: a data protection challenge?

United Kingdom

Introduction

The Article 29 Working Party (“WP29”) has recently adopted an opinion (the “Opinion”) on the Internet of Things (“IoT”). The IoT describes the increasing interconnection of devices, including TVs, cars and refrigerators, and the associated rise in the flow of data between those machines.

The Opinion focuses on: (i) wearable computing (for example watches and glasses); (ii) quantified self (objects which record information about an individual’s habits and lifestyles, such as sleep trackers and devices that measure weight, pulse etc.); and (iii) home automation (domotics).

The WP29 projects that the IoT is on the threshold of integration into our daily lives, whilst warning that this growth opportunity should not come at the expense of privacy and security. Businesses should enable users to remain in control of the sharing of their personal data throughout the product lifecycle. The Opinion highlights key data protection obligations and sets out practical recommendations for businesses.

Legal basis for processing personal data in the IoT environment

The Opinion confirms that the Data Protection Directive 95/46/EC (the “Directive”) is fully applicable to IoT in establishing the legal basis for processing personal data.

Fair processing

With regard to transparency, data controllers may choose to provide the information required for fair processing (including the data controller’s identity) in innovative ways, for instance by using privacy-preserving proximity testing (via a centralised server) so that the notice is delivered to users who are physically close to the sensor.

User consent

The WP29 confirmed that if businesses are to rely on individuals’ consent as the legal basis for processing personal data in the IoT environment, they must ensure that consent is "fully informed, freely given and specific". They also warned that "classical mechanisms used to obtain individuals’ consent may be difficult to apply in the IoT environment” as they may produce "'low-quality' consent" that does not conform to EU privacy rules.

The WP29 suggested that manufacturers should decentralise control over data processing in the IoT environment, in order to help consumers understand what data their device collects, and cut down on the transfer of personal data to device manufacturers. The Opinion also recommends that data controllers offer an option to disable the “connected” feature of the IoT device and allow it to work as an unconnected item.

The Opinion emphasises that businesses which store personal information on, or have access to data on, IoT devices must gain individuals' consent to store or access the data. Such consent is not necessary if the storage or access is “strictly necessary" to provide a service individuals have "explicitly requested". However, quantified-self applications (which relate to the well-being of an individual) may process sensitive personal data (e.g. relating to the individual’s health), which requires the individual’s explicit consent.

At the same time, consumers must be given "accessible, visible and efficient" tools to revoke their consent and object to the data processing relating to them; there must be no “technical or organisational constraints or hindrances” imposed on them. In line with the “right to portability” (which may be included in the new General Data Protection Regulation being introduced by the EU), the Opinion recommends that personal data processed by a device should be stored in a standard format to allow data portability.

‘Legitimate interests’

EU data protection rules permit the processing of personal data where it is in the stakeholders’ ‘legitimate interests’, except where this would be detrimental to the interests or fundamental rights of the user (including the right to privacy when processing personal data).

However, the Opinion indicates that economic and legitimate interests are unlikely to be a suitable basis for processing personal data generated in the IoT without user consent, given the privacy implications of processing personal data in the IoT environment.

Using data for specified purposes

The WP29 reminds businesses that personal data can only be used for "specified, explicit and legitimate purposes". If businesses intend to use data for other purposes, they should ensure that those purposes are compatible with the original purposes and that consumers are notified about them before the processing takes place. The WP29 warned that businesses which collect data in the hope of finding a use for it later could be breaching EU data protection laws.

In addition, businesses should apply the “data minimisation” principle when collecting personal data. This means that only personal data which is “strictly necessary for the specific purpose previously determined” should be collected. Therefore, data that is unnecessary for this purpose should not be collected and stored “just in case” or because “it might be useful later”.

Some Risks of IoT

The IoT raises several security challenges, namely the risk that the IoT may “turn an everyday object into a potential privacy and information security target”. Connecting to less secure devices opens up new methods of attack. The WP29 encourages businesses to have an adequate data breach notification policy in place, alongside efforts to minimise software vulnerability issues.

Also of concern is the fact that the processing of data in the IoT may relate to individuals who are neither subscribers nor actual users of the IoT. For instance, smart glasses are likely to collect data from other data subjects as well as from the owner of the device. The Opinion confirms that the application of EU data protection rules does not depend on the ownership of a device/terminal, but rather on the processing of the personal data itself, whoever the individual concerned may be.

Given the large amount of data processed automatically in the IoT environment, an additional risk is that of re-identification following the anonymisation of data. For example, wearable devices kept close to the data subject can result in the collection of a range of other identifiers which together generate a digital fingerprint. Such data can later be combined with data from other systems, such as CCTV or internet logs, to link the “anonymised” records back to an individual. The WP29 has published a separate Opinion on Anonymisation Techniques which includes guidance on how to minimise this risk.

Certain applications require data subjects to install third-party applications which enable them to access their data. Installing these applications often involves providing the application developer with access to the data through the API (application programming interface). Such applications are traditionally installed on an opt-in basis. However, in practice the user’s consent is often neither specific nor sufficiently informed, as third-party application developers do not display enough information for the user’s consent to be meaningful.

WP29 recommendations to all stakeholders

The WP29 made recommendations applicable to all business stakeholders in the IoT environment, including: (i) performing Privacy Impact Assessments (“PIAs”) before any new applications are launched in the IoT; (ii) deleting raw data as soon as the data required for processing has been extracted; (iii) ensuring users are able to exercise their rights and remain ‘in control’ of their data; and (iv) making the methods for providing information and requesting consent as user friendly as possible.
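The re-identification risk described under “Some Risks of IoT” (a retained hardware identifier plus coarse location and time acting as a digital fingerprint that can be joined against CCTV or access logs) and recommendation (ii) above (delete raw data once the needed data has been extracted) can both be made concrete in a few lines. The following is an added example, not code from the Opinion or from the original page: every record, name, Bluetooth-style address, zone and timestamp is constructed and hypothetical, and the function names `device_fingerprint`, `link` and `aggregate_and_discard` are chosen here for illustration.

```python
"""Linkage attack on an 'anonymised' wearable export, and the aggregation
that removes what the attack needs.

All data below is constructed for this example; nothing here is real.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed "anonymised" wearable export: the account holder's name was
# replaced by a pseudonym, but the device's Bluetooth advertising address
# and coarse zone/time stamps were kept. Fields: pseudonym, address, zone, time.
WEARABLE_EXPORT = [
    ("user-7f3a", "c4:21:9e:00:11:22", "lobby", "2014-09-16 08:02"),
    ("user-7f3a", "c4:21:9e:00:11:22", "gym",   "2014-09-16 12:31"),
    ("user-7f3a", "c4:21:9e:00:11:22", "lobby", "2014-09-16 17:45"),
    ("user-7f3a", "c4:21:9e:00:11:22", "gym",   "2014-09-17 12:29"),
    ("user-b2c9", "a0:55:ff:00:33:44", "lobby", "2014-09-16 08:05"),
    ("user-b2c9", "a0:55:ff:00:33:44", "cafe",  "2014-09-16 12:33"),
    ("user-b2c9", "a0:55:ff:00:33:44", "lobby", "2014-09-17 08:00"),
]

# Constructed CCTV / building access log from a different system, which
# records identified people per zone. Fields: name, zone, time.
ACCESS_LOG = [
    ("Alice Example", "lobby", "2014-09-16 08:03"),
    ("Bob Example",   "lobby", "2014-09-16 08:04"),
    ("Carol Example", "lobby", "2014-09-16 08:03"),
    ("Alice Example", "gym",   "2014-09-16 12:30"),
    ("Bob Example",   "cafe",  "2014-09-16 12:34"),
    ("Alice Example", "lobby", "2014-09-16 17:44"),
    ("Alice Example", "gym",   "2014-09-17 12:30"),
    ("Bob Example",   "lobby", "2014-09-17 08:02"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def device_fingerprint(records):
    """Map each retained hardware identifier to the pseudonyms seen with it.

    A one-to-one mapping means the address on its own is a persistent
    identifier: anyone who later sniffs that address (e.g. at a shop door)
    can tie the sighting back to this export without touching the name field.
    """
    seen = defaultdict(set)
    for pseudonym, address, _zone, _ts in records:
        seen[address].add(pseudonym)
    return {addr: sorted(ps) for addr, ps in seen.items()}


def link(records, access_log, window_minutes=5):
    """Re-identify pseudonyms by co-occurrence with an identified log.

    For every wearable record, count each person the access log places in
    the same zone within `window_minutes`. A pseudonym is considered
    re-identified when a single person tops the count and explains every
    one of its records. Returns pseudonym -> (name, matched, total).
    """
    window = timedelta(minutes=window_minutes)
    candidates = defaultdict(Counter)
    totals = Counter()
    for pseudonym, _addr, zone, ts in records:
        t = _parse(ts)
        totals[pseudonym] += 1
        for name, log_zone, log_ts in access_log:
            if log_zone == zone and abs(_parse(log_ts) - t) <= window:
                candidates[pseudonym][name] += 1
    result = {}
    for pseudonym, counts in candidates.items():
        ranked = counts.most_common(2)
        best, hits = ranked[0]
        unique = len(ranked) == 1 or ranked[1][1] < hits
        if unique and hits == totals[pseudonym]:
            result[pseudonym] = (best, hits, totals[pseudonym])
    return result


def aggregate_and_discard(records):
    """Recommendation (ii) in code: keep only the extracted result.

    Reduces the export to per-pseudonym visit counts per day and zone, so
    the hardware address and minute-level timestamps that `link` relies on
    are never retained. Returns pseudonym -> {(day, zone): count}.
    """
    summary = defaultdict(Counter)
    for pseudonym, _addr, zone, ts in records:
        day = ts.split(" ")[0]
        summary[pseudonym][(day, zone)] += 1
    return {p: dict(c) for p, c in summary.items()}


if __name__ == "__main__":
    print("address -> pseudonym:", device_fingerprint(WEARABLE_EXPORT))
    print("re-identified:", link(WEARABLE_EXPORT, ACCESS_LOG))
    print("what a minimised export keeps:", aggregate_and_discard(WEARABLE_EXPORT))
```

Removing the name column is not anonymisation: with the address and time stamps kept, both pseudonyms in the constructed export are recovered from a five-minute join against the access log, and the address remains a stable key for any future sighting. The aggregated form keeps the statistic a quantified-self service actually needs (visits per zone per day) and nothing that the join can operate on.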

The Opinion also sets out specific recommendations to device manufacturers, application developers, social platforms, IoT device owners, standardisation bodies and data platforms.

Conclusions

Given the fast pace of technological innovations in the IoT environment, it is clear that businesses need to engage with consumers about how they intend to store and process their data. Businesses must find a way to be transparent about their data processing intentions, at the same time as empowering consumers to remain in control of their personal data.