Legal considerations on the Internet of things: 2015 and beyond – Part 2: Data Protection

Date
02 October 2015

The Article 29 Data Protection Working Party recently issued an Opinion (8/2014) in which it started to address some of the privacy-related aspects of the IOT.

One of the main elements of European Data Protection law architecture is consent, which must be obtained from any individual whose data is processed so that he or she is fully informed and able to grant complete consent.

In the IOT scenario the Working Party acknowledged that it is possible for individuals not to be fully aware of the fact that some of their data is processed or shared with third parties, because data can be collected by devices which nobody would immediately acknowledge or take into account. The Working Party clearly stated that no form of widespread unregulated remote surveillance of individuals would be allowed by EU law.

The Opinion addresses three types of IOT scenarios:

1) Wearable Computing

a. Intelligent connected objects that can be used for many different data transmission or data collection purposes.

2) Quantified Self

a. Control and collection of data on physical exercise or other body measurements (like sleep pattern, steps taken, calories burned, heart beats and other health-related data).

3) Home Automation

a. Remote control and activation of house functions and systems

The Opinion undertakes a detailed analysis of these IOT scenarios, which expose a lot of personal data, and proposes a long list of suggestions and recommendations for IOT stakeholders. This can be considered a first Data Processing guide for IOT users, device manufacturers and application developers.

  • The recommendations start by indicating the need to prepare a Privacy Impact Assessment (PIA) before launching any IOT application on the market. This exercise can be done using the suggestions already provided by the Working Party on RFID applications. PIAs should then be made available to the public and to other stakeholders that want to enter the same area of business.
  • Raw data, which is normally not needed by most stakeholders, should be deleted immediately, possibly at the nearest point of collection. Whenever possible, raw data should be aggregated directly on the device and made accessible in a standard format.
  • Principles of Privacy by Design and Privacy by Default should be applied, to allow users to be in control of their data, knowing what information is collected, when it is gathered and for what purposes it is processed.
  • This information should be transferred to the users in a simple and clear way, using the physical interface of the device itself or its capability to send data wirelessly.
  • Device manufacturers should always be able to inform users about which data is collected and how it is interconnected with other data, and should be able to inform the entire chain of data processors of the choices made by users, including the decision to withdraw consent and stop data processing, access data and analyse content and features, allowing in any case data portability.
  • Quick-access buttons for data processing options should be enabled, similar to those used to disable wireless or accessibility functions on smartphones, something like a “do not collect” option.
  • Location functions should be made anonymous as much as possible and constant location identification of users should not be allowed.
  • Vulnerabilities and other accidents which could risk data dissemination or unwanted access to data should be made known to users and all other stakeholders involved, and security by design processes should be applied, using cryptography where possible.
  • IOT devices that could be shared by different users (such as rented homes) or used by many individuals (public devices) should allow access through separate non-shareable user profiles.
  • Standards and common data processing methodologies should be encouraged, so that awareness and ease of use would prevail and become generally used by the public.
  • Data minimisation principles should be applied so that aggregated data is used instead of more personal raw data.
  • Devices and applications should regularly inform users of the fact that sensors are recording data, especially when this is done in the background without the direct involvement of the user.
  • Sensors and IOT data should be available for control or editing before being disseminated to the public on social media, and these types of data should by default not be accessible by the general public or indexed by search engines.
  • No degradation or limitation of services should be allowed if data processing consent is denied or reduced, and no economic penalisation is permitted in such cases.
  • Irrespective of contractual relationship with the IOT device manufacturer or enabler, any person whose data is used and processed by the devices should be made aware of this fact and be granted the right to deny use of their data.

Follow us at @TwobirdsTech to keep up to date with the series and more legal insights from Bird & Bird.

Author: Roberto Camilli
Senior European Counsel
Italy
Tel: +39 02 30 35 60 00

Written by
Clarity Admin