The Global Privacy Enforcement Network ("GPEN"), the informal network of Data Protection Authorities which looks at transnational privacy and data security issues, has announced that the Internet of Things ("IoT") will be the focus of its annual "privacy sweep", which has taken place during April. This follows previous "sweeps" reporting on online services for children, website privacy policies and mobile phone apps.
IoT has been spoken of for some time, but the move towards it is gaining momentum. Put simply, it describes the ability of everyday physical objects to connect and interact with each other through the use of smart technology, such as sensors and chips, embedded in the items. This allows objects to store data and communicate in real time over the internet. This has been seen in the insurance industry with the introduction of technology such as telematics boxes and fitness trackers.
The "sweep" has been coordinated by GPEN, with different Data Protection Authorities focussing on different areas. The various authorities have adopted a range of approaches: some purchasing products and assessing privacy communications right out of the box, others focussing on website privacy notices and contacting the data controllers directly with specific questions.
The Office of the Privacy Commissioner of Canada has focused on health devices. "Connected devices, such as fitness trackers, smart scales, sleep monitors and other health related products, are capable of capturing some of our most intimate data," Canada's Commissioner Daniel Therrien said in a press release issued by the Office of the Privacy Commissioner of Canada.
Both the French and Italian Data Protection Authorities are looking at IoT devices used in the home, such as connected cameras, scales, blood pressure monitors and fitness trackers. The CNIL (the French Data Protection Authority) has said that it is looking at the quality and transparency of information provided to individuals, the security of devices, and the degree of user control. The Italian Data Protection Authority will look at companies' transparency in the use of personal data and their compliance with data protection rules.
Other Data Protection Authorities are focussing simply on privacy notices. The Belgian Data Protection Authority is looking at smart metering systems, and the Gibraltarian Data Protection Authority at smart electricity meters, internet-connected thermostats and watches that monitor health.
In Ireland, the review will involve an in-depth look at IoT devices available to users in that jurisdiction, such as smart electricity meters, fitness trackers and telematics, and the Irish Data Protection Authority will be reviewing how well companies communicate privacy matters to their customers.
At the date of publication, the UK ICO has not revealed what its focus will be.
The combined results of the privacy sweep will be published in September. In the meantime, Data Protection Authorities will contact companies covered by the sweep, as and when concerns arise.
In anticipation of the results being published, insurers should be aware that there is also the risk that insured companies may face enforcement action as a result of the sweep. However, our experience to date is that, rather than taking strict enforcement action, the ICO will engage with the relevant data controller if any data protection breaches are found. Ideally, the insurer/broker will be involved as soon as the ICO contacts the insured, to help manage that process and mitigate the cost.
We will be reporting further when the report is published, and we expect there to be guidelines as to best practice for privacy notices and handling data generated by IoT devices, and how this impacts the insurance sector.