The Internet of Things (IoT) promises to transform our lives to make them easier, more efficient and intelligent in ways that we cannot imagine – the catch is that such intelligence brings with it a labyrinth of privacy and security issues that our laws are currently unprepared to address. In this article, we take a look at first attempts to fill the gap.
In October 2014, Europe's Article 29 Working Party (WP) (made up of European data protection regulators) published Opinion 8/2014 on the Recent Developments on the IoT (Opinion). The Opinion focuses on:
- wearable technology: objects such as clothes, watches and contact lenses that have sensors, microphones and cameras embedded in them that can record, monitor and communicate data to the device manufacturers and third parties;
- quantified self: things such as pedometers or sleep monitors, which allow individuals to record and monitor their lifestyle and habits; and
- home automation (domotics): connected households using smart fridges, smart lighting and smart security systems.
What does the WP see as the main issues with the IoT?
The WP has identified the following issues as being the primary privacy concerns arising from the emergence of the IoT:
- lack of control and information asymmetry: the communication between individuals, devices and backend systems results in the generation, storage and sharing of certain IoT-pushed data over which the end user has no control;
- low-quality consent: many IoT devices do not contain an obvious point at which the end user can give consent and, even more difficult, many IoT-related services do not give any alternatives to the end user's personal data being created, stored or shared. In these situations, there must be new ways of obtaining a valid consent from the end user (e.g. privacy proxies or 'sticky policies' which stay with the data regardless of which party has access to it);
- extrapolation of inferences from data and repurposing of original processing: the disclosure of raw data to third parties and the regeneration of data for new purposes can easily go beyond the purposes for which the data was originally collected;
- intrusive identification of behaviour patterns and user profiling: certain private behaviours and habits become unwantedly identifiable through use of the IoT;
- limitations on the possibility of remaining anonymous whilst using services: wearing IoT objects that are close to the data subjects results in a range of identifiers being available (e.g. MAC addresses) with re-identification of anonymised data also an issue; and
- security risks: low quality security can make the data vulnerable to being attacked at various points, including at the communication link and storage infrastructure levels.
How should existing and future data protection law apply to IoT?
While the Opinion is based on the current Data Protection Directive 95/46/EC, many of the legal solutions and recommendations are taken from concepts proposed in the draft EC data protection Regulation (e.g. the use of privacy impact statements or privacy/security by design principles).
The Opinion establishes that European data protection law applies even if the data controller is outside of the European Union, provided that the equipment or device has been used within the European Union. The Opinion defines "objects" broadly to mean "all objects that are used to collect and further process the individual's data in the context of the provision of services in the IoT."
Further, the WP suggests that end users must be given access to their data collected by the IoT devices in order to enable them to switch providers. Such portability rights should be complemented by data interoperability standards. Data controllers should also give end users the right to 'disconnect' their devices.
The WP stresses the application of Article 5(3) of the e-Privacy Directive to situations where an IoT stakeholder "stores or gains access to information already stored on an IoT device", as the device will qualify as "terminal equipment". This means that the stakeholder must obtain the user's consent to such storage or access, except where it satisfies the 'strictly necessary' requirement, i.e. the operation is strictly necessary to perform a service requested by the user.
The WP identifies three legal bases for justifying processing: consent; where processing is necessary for the performance of a contract to which the data subject is a party; and where the processing is necessary for the purposes of the legitimate interests of the data controller except where overridden by the interests or fundamental rights of the data subject. The Opinion cites the Google Spain judgment to underline that economic interests will not, by themselves, satisfy the legitimate interests requirement.
Data controllers are reminded to comply with the data protection principles, notably that data should be processed fairly and lawfully; the purpose limitation and data minimisation principles; that the data be kept for no longer than strictly necessary; and that special requirements for the processing of sensitive data be complied with. In addition, data controllers must communicate information about themselves and the existence of data subject rights of access in a clear and comprehensible manner and must implement the appropriate security measures. The WP is particularly concerned that IoT devices are difficult to secure for both business and technical reasons and are particularly vulnerable to attack.
The WP is keen to underline that any personal data which is processed with a view to anonymisation is still personal data subject to data protection law until such time as it is genuinely anonymised. Pseudonymous data is still personal data.
Top compliance tips
The WP has made a number of recommendations to the various stakeholders involved in capturing data from connected devices (which sit alongside those made in its Opinion on apps on smart devices). All stakeholders should:
- carry out privacy impact assessments;
- delete raw data as soon as data required for processing has been extracted;
- apply the principles of Privacy by Design and Privacy by Default;
- enable user empowerment and control including the ability to disconnect the device;
- deliver information about data processing, and obtain consent, in a user-friendly manner;
- consent must be explicit, informed and freely given (and users should have the opportunity to withdraw it);
- non-user data subjects must be considered where relevant;
device manufacturers should:
- inform users about the type of data collected and how it will be processed and combined;
- inform all stakeholders if user consent is withdrawn or processing is opposed;
- limit device fingerprinting by disabling wireless interfaces when not in use or use random identifiers to prevent location tracking;
- provide users with tools to locally read and modify data before it is transferred to the data controller and ensure data portability;
- ensure a right of access and the ability to export data;
- provide tools to notify users and update devices when security vulnerabilities are discovered;
- limit the amount of data leaving the device by transforming raw data into aggregated data before it leaves the device;
- enable devices to distinguish between different users; and
- work with standardisation bodies to develop a common protocol to express user preferences;
app developers should:
- use notices and warnings to remind users that sensors are collecting data;
- facilitate data subject rights of access, modification and deletion; and
- consider the possibility of inferring sensitive personal data from the data collected;
social platforms should:
- use default settings to get users to review, edit and decide on what information is generated by the device before it is sent and should ensure they do not, by default, generate public data or data indexed by search engines;
IoT device owners and recipients should:
- have the ability to administer the relevant device and to give informed and free consent, and should not be economically penalised or suffer degraded access if they decide not to use the connected element of the device or specific services;
- inform non-user data subjects whose data may be collected by the device of that fact, and respect a data subject's preference not to have data collected;
standardisation bodies and data platforms should:
- promote portable, interoperable, clear and self-explanatory data formats;
- use as few strong identifiers as possible;
- consider the emergence of formats for aggregated data;
- work on certified standards which would set the baseline for security and privacy safeguards; and
- develop lightweight encryption and communication protocols adapted to the IoT to help guarantee confidentiality, integrity, authentication and access control.
What is happening in the USA?
The US regulator has adopted similar non-binding guidance on the data collected by the IoT that essentially leaves it up to the industry to 'do right' by their customers.
In January 2015, the Federal Trade Commission (FTC) released a report, The Internet of Things: privacy and security in a connected world, which provides a "series of concrete steps that businesses can take to enhance and protect consumers' privacy and security, as Americans start to reap the benefits from a growing world of Internet-connected devices." The report was released on the back of the FTC taking an active approach towards prosecuting IoT device makers for privacy and security breaches, and is likely to fuel further class actions for breach of privacy against device makers in the USA.
Similar to the WP's approach, the FTC report sets out a number of recommendations for device manufacturers, including to:
- adopt a security by design approach;
- train employees about the importance of security and ensure that security is managed at all levels of the organisational hierarchy;
- ensure that third party service providers adhere to the same strict set of standards of care regarding security; and
- adopt a 'defence-in-depth' strategy for security risks – i.e. ensure that there are multiple layers of security to combat a particular risk.
While the IoT holds tremendous promise in terms of transforming our everyday lives, there are still undeniably important questions as to how it will affect our privacy and security and how these should be addressed through existing and future laws. Perhaps this is because the promise is simply too great and the possibilities as yet too unknown to ensure that all issues have been covered off.
Despite these uncertainties, the WP's Opinion and the FTC's recent report – notwithstanding their non-binding nature – are strong reminders that consumer privacy and security are top priorities for regulators and consumers and, consequently, for all stakeholders across the IoT ecosystem.