The Article 29 Data Protection Working Party recently issued an Opinion (8/2014) in which they started to address some of the privacy related aspects of the IOT.
One of the main elements of European Data Protection law architecture is consent, which must be obtained from any individual whose data is processed so that he or she is fully informed and able to grant complete consent.
In the IOT scenario the Working Party acknowledged that it is possible for individuals not to be fully aware of the fact that some of their data is processed or shared with third parties, because data can be collected by devices which nobody would immediately acknowledge or take into account. The Working Party clearly stated that no form of widespread unregulated remote surveillance of individuals would be allowed by EU law.
The Opinion addresses three types of IOT scenarios:
1) Wearable Computing
a. Intelligent connected objects that can be used for many different data transmission or data collection purposes.
2) Quantified Self
a. Control and collection of data on physical exercise or other body measurements (like sleep pattern, steps taken, calories burned, heart beats and other health related data)
3) Home Automation
a. Remote control and activation of house functions and systems
The Opinion undertakes a detailed analysis of these IOT scenarios, which expose a lot of personal data, and proposes a long list of suggestions and recommendations for IOT stakeholders. This can be considered a first data processing guide for IOT users, device manufacturers and application developers.
- The recommendations start by indicating the need to prepare a Privacy Impact Assessment (PIA) before launching any IOT application on the market. This exercise can be done using the suggestions already provided by the Working Party on RFID applications. PIAs should then be made available to the public and to other stakeholders that want to enter the same area of business.
- Raw data, which is normally not needed by most stakeholders, should be deleted immediately, possibly at the nearest point of collection. Whenever possible, raw data should be aggregated directly on the device and made accessible in a standard format.
- Principles of Privacy by Design and Privacy by Default should be applied, to allow users to be in control of their data, knowing what information is collected, when it is gathered and for what purposes it is processed.
- This information should be transferred to the users in a simple and clear way, using the physical interface of the device itself or its capability to send data wirelessly.
- Device manufacturers should always be able to inform users about which data is collected and how it is interconnected with other data, and should be able to inform the entire chain of data processors of the choices made by users, including the decision to withdraw consent and stop data processing, access data and analyse content and features, allowing in any case data portability.
- Quick-access buttons for data processing options should be enabled, similar to those used to disable wireless or accessibility functions on smartphones, something like a “do not collect” option.
- Location functions should be made anonymous as much as possible and constant location identification of users should not be allowed.
- Vulnerabilities and other accidents which could risk data dissemination or unwanted access to data should be made known to users and all other stakeholders involved, and security by design processes should be applied, using cryptography where possible.
- IOT devices that could be shared by different users (such as rented homes) or used by many individuals (public devices) should allow access through separate non-shareable user profiles.
- Standards and common data processing methodologies should be encouraged, so that awareness and ease of use would prevail and become generally used by the public.
- Data minimisation principles should be applied so that aggregated data is used instead of more personal raw data.
- Devices and applications should regularly inform users of the fact that sensors are recording data, especially when this is done in the background without the direct involvement of the user.
- Sensors and IOT data should be available for control or editing before being disseminated to the public on social media, and these types of data should by default not be accessible by the general public or indexed by search engines.
- No degradation or limitation of services should be allowed if data processing consent is denied or reduced, and no economic penalisation is permitted in such cases.
- Irrespective of any contractual relationship with the IOT device manufacturer or enabler, any person whose data is used and processed by the devices should be made aware of this fact and be granted the right to deny use of their data.
Author: Roberto Camilli
Senior European Counsel
Italy
Tel: +39 02 30 35 60 00