A recent Article 29 Data Protection Working Party (“WP”) Opinion on the Internet of Things (“IoT”) addresses privacy and data protection issues associated with the IoT. The Opinion outlines data protection risks arising from the IoT and sets out recommendations to be followed by a wide range of stakeholders to ensure that the IoT ecosystem develops in a way that will facilitate compliance with EU data protection law. The WP emphasises that a focus on ‘privacy by design’ principles from the outset should help stakeholders avoid encountering data protection obstacles or needing to take expensive and/or practically challenging remediating steps at a later stage.
In its Opinion, the WP focuses on three specific IoT developments: (i) wearable computing; (ii) quantified self (things designed to be carried around by individuals to record information about their habits); and (iii) domotics (devices designed for use in the home).
Key Data Protection Concerns
The WP expressed concern over the surreptitious nature of data collection from IoT devices. It identified the following data protection issues:
- lack of user control on dissemination of personal data;
- quality of the user’s consent;
- inferences derived from data and repurposing of original processing;
- intrusive user profiling;
- limitations on the possibility to remain anonymous when using services; and
- security risks.
In its comments on these issues the WP referred to other Opinions that it has adopted, such as Opinion 15/2011 on consent, Opinion 02/2013 on apps on smart devices and Opinion 06/2014 on the notion of the ‘legitimate interests’ of the data controller. These cross references demonstrate that although the evolving IoT may give rise to new areas of uncertainty regarding the application of data protection law, there is now a large body of WP guidance materials, not to mention case law, which provides a useful framework for construing how data protection law applies to the IoT or other technological developments.
Who is affected by this Opinion?
This Opinion is relevant to all stakeholders in IoT devices that are ‘data controllers’ within the scope of EU data protection law. For these purposes it is worth highlighting that in the Opinion the WP states that devices used to collect personal data for the purpose of the IoT qualify as “equipment” in the context of Article 4(1) of the Data Protection Directive. As a result, companies based outside the EU that make use of such ‘equipment’ which is located in the EU will be ‘data controllers’ who are subject to EU data protection law, even though they have no physical or legal presence within the EU. If this interpretation is followed by data protection regulators and courts in EU member states, then this will extend the application of EU data protection law to many stakeholders in IoT who will not expect to be within its scope.
Privacy by Design
The Opinion emphasises that the principles of ‘Privacy by Design’ and ‘Privacy by Default’ should be followed from the outset regarding the development and manufacturing of IoT devices and systems. Some examples of how this can be done include (i) building consent mechanisms into the devices themselves; (ii) offering an option to disable the “connected” feature of devices and allowing them to work as unconnected items; and (iii) providing data subjects with an easy mechanism to revoke any prior consent given to specific data processing and to object to the further processing of their personal data.
The Opinion sets out numerous recommendations addressed to different categories of IoT stakeholders, including that:
- Privacy Impact Assessments should be carried out before any new devices or applications are launched in the IoT;
- IoT systems should be designed to ensure that users are informed about the type of data collected and how it will be processed before its collection (both to comply with notification obligations and to ensure that purported consents obtained from users are effective);
- raw data should be deleted as soon as it has been extracted for further processing;
- standardisation bodies should develop lightweight encryption and communication protocols which are suitable for use in connection with IoT devices, bearing in mind practical restrictions regarding the size and manufacturing costs of such devices; and
- IoT applications should facilitate the exercise of data subjects’ rights of access, modification and deletion of personal data.