An investigation run by 26 privacy authorities showed that 60% of the reviewed Internet of Things technologies did not pass the test of compliance with data protection laws.

The findings of the investigation

The data protection authorities of 26 countries combined as part of the Global Privacy Enforcement Network ran an investigation Internet of Things technologies and reached the conclusion that over 60% of them are not fully privacy compliant.

Out of 300 reviewed devices,

  • 59% does not provide adequate information on how personal data is collected, used and communicated to third parties;
  • 68% does not provide appropriate information on the modalities of storage of data;
  • 72% does not explain to users how their data can be deleted from the device; and
  • 38% does not guarantee easy-to-use modalities of contact for clients that are willing to obtain clarifications on privacy compliance.

Also, some health related devices triggered security issues since they transmitted data to medical practitioners with encrypting them.

The impact on the Internet of Things industry

The comment from the Italian data protection authority on the results of the investigation is interesting. Indeed, he emphasised that the lack of compliance with privacy regulations of IoT devices is expected to impact the trust of consumers on them.

Internet of Things technologies are often considered as the new “big brother“. If the industry wants to succeed, it needs to be trusted by users. But, in order to do that, users need to be adequately informed on how their data is processed and have full control on them, being able to also delete them at their discretion.

This investigation will result in an expensive bill soon

The data protection authorities did not openly declare that they will issue sanctions against the entities whose devices have been found not compliant with privacy laws. However, this investigation should definitely ring a bell for manufacturers of IoT devices and companies that either are planning to use them or are currently using them as part of their business.

The new EU Privacy Regulation will start to apply with effect from 25 May 2018 and the change which is more often repeated is the massive increase of the applicable sanctions up to 4% of the global turnover of the breaching entity. But the regulation does not just introduce sanctions as it sets up a new set of rules aimed at granting a higher level of control to individuals on the usage of their personal data.

The adoption of a privacy by design approach is the sole solution that can mitigate the potential risks of privacy sanctions. This approach is however only the result of a complex review of Internet of Things technologies which will require also a privacy impact assessment.

The implementation of such changes might take years, if it is considered that some companies already openly declared that they are unlikely to meet the deadline of 25 May 2018.