An Opinion from the Article 29 Working Party looks at how to make connected devices data protection compliant.

What's the issue?

Wearable tech, home automation and quantified self things (e.g. apps which count how many steps you've taken per day) are increasingly a real part of our lives.  While the opportunities created by the Internet of Things (devices connected to each other through the internet) are seemingly boundless, there are also some serious concerns.  Many of these devices process large quantities of personal data and, often, sensitive personal data and pose a potential threat to privacy if steps aren't taken to ensure they are data protection compliant.

What's the development?

The Article 29 Working Party (WP) has published an Opinion on the Internet of Things (IoT). It identifies what the WP considers to be the key risks to privacy posed by the IoT, looking particularly at wearable computing, quantified self things and home automation or domotics. The WP then considers the application of the Data Protection Directive (Directive) and the e-Privacy Directive to the IoT and finishes with a list of recommendations.

What does this mean for you?

If you are operating in the world of connected devices which process personal data, this is essential reading.  Even though not binding, WP Opinions carry significant weight as the WP is made up of European data protection regulators.  It is particularly important to note the emphasis placed on 'Privacy by Design' and 'Privacy by Default' by the WP.  Building data protection compliance into your design from the outset can save headaches when the device comes to market.  Also noteworthy is the WP's view on the application of Article 5(3) of the e-Privacy Directive to the IoT and the need to obtain user consent when placing or accessing information on an IoT device as well as the fact that a non-European entity processing an individual's data collected from a device in the EU will be a data controller under European data protection law.  Best practice will be to act on the Opinion's recommendations.

Read more

The WP identifies particular privacy issues to do with the IoT as including:

  • lack of control on dissemination of personal data and information asymmetry;
  • the difficulty in obtaining a valid consent;
  • extrapolation of inferences from data and repurposing of original processing;
  • intrusive user profiling;
  • limitations to the ability to remain anonymous or go unnoticed;
  • re-identification of anonymised data; and
  • security risks.

The Opinion confirms that all objects which are used to collect and process an individual's personal data qualify as "equipment" in the context of Article 4(1) of the Directive so that a data controller based outside the EU will be making use of "equipment" in a Member State where an IoT device is located in the EU.

The Opinion identifies device manufacturers, social platforms, third party application developers, other third parties and IoT data platforms as potential data controllers in the context of the IoT.

The Opinion also stresses the application of Article 5(3) of the e-Privacy Directive to situations when an IoT stakeholder "stores or gains access to information already stored on an IoT device" as the device will qualify as "terminal equipment". This means that the stakeholder must gain the user's consent to such storage or access except where it is satisfies the 'strictly necessary' requirement.

The Opinion identifies three legal bases for justifying processing: consent; where processing is necessary for the performance of a contract to which the data subject is a party; and where the processing is necessary for the purposes of the legitimate interests of the data controller except where overridden by the interests or fundamental rights of the data subject. The Opinion cites the Google Spain judgment to underline that economic interests will not, by themselves, satisfy the legitimate interests requirement.

The Opinion reminds data controllers to comply with the data protection principles, notably that data should be processed fairly and lawfully; the purpose limitation and data minimisation principles; that the data be kept for no longer than strictly necessary; and that special requirements for the processing of sensitive data be complied with. In addition, data controllers must communicate information about themselves and the existence of data subject rights of access in a clear and comprehensible manner and must implement the appropriate security measures. The WP is particularly concerned that IoT devices are difficult to secure for both business and technical reasons and are particularly vulnerable to attack.

Data subjects should be able to revoke consent and should be given the ability to disable the connected feature of the relevant thing.

Recommendations made by the WP include (in addition to those made in its Opinion on apps on smart devices) include:

  • carry out privacy impact assessments;
  • delete raw data as soon as data required for processing has been extracted;
  • apply the principles of Privacy by Design and Privacy by Default;
  • enable user empowerment and control;
  • deliver information about data processing and obtaining consent in a user-friendly manner;
  • consent must be explicit, informed and freely given;
  • non-user data subjects must be considered where relevant;
  • device manufacturers should:
    • inform users about the type of data collected and how it will be processed and combined;
    • inform all stakeholders if user consent is withdrawn or processing is opposed;
    • limit device fingerprinting by disabling wireless interfaces when not in use or use random identifiers to prevent location tracking;
    • provide users with tools to locally read and modify data before it is transferred to the data controller and ensure data portability;
    • ensure a right of access and the ability to export data;
    • provide tools to notify users and update devices when security vulnerabilities are discovered;
    • limit the amount of data leaving the device by transforming raw data into aggregated data before it leaves the device;
    • enable devices to distinguish between different users; and
    • work with standardisation bodies to develop a common protocol to express user preferences;
  • app developers should:
    • use notices and warnings to remind users that sensors are collecting data;
    • facilitate data subject rights of access, modification and deletion; and
    • consider the possibility of inferring sensitive personal data from the data collected;
    • social platforms should use default settings to get users to review, edit and decide on what information is generated by the device before it is sent and should ensure they do not, by default, generate public data or data indexed by search engines;
  • IoT device owners and recipients should have the ability to administrate the relevant device and be able to give informed and free consent and should not be economically penalised or have degraded access if they decide not to use the connected element of the device or a specific services;
  • users of IoT devices should also inform non-user data subjects whose data may be collected by the device of that fact and respect a data subject's preference not to have data collected;
  • standardisation bodies and data platforms should:
    • promote portable, interoperable, clear and self-explanatory data formats;
    • use as few strong identifiers as possible;
    • consider the emergence of formats for aggregated data;
    • work on certified standards which would set the baseline for security and privacy safeguards; and
    • develop lightweight encryption and communication protocols adapted to the IoT to help guarantee confidentiality, integrity, authentication and access control.