The European Union’s Article 29 Data Protection Working Party (WP29) adopted an opinion (the Opinion) on September 16, 2014 regarding data protection within the Internet of Things (IoT). Recognizing the rapid growth of the IoT, the Opinion responds to emerging data privacy concerns within the IoT, and provides recommendations for stakeholder compliance with EU data protection laws. 

The IoT is made up of the universe of “smart” devices and applications that communicate with each other electronically. The Opinion focuses on a subset of three IoT applications: 1) “wearable computing,” such as watches and glasses with embedded sensors that capture data; 2) “quantified self” devices, such as step counters and sleep trackers that collect information about individual habits and lifestyles; and 3) “domotics,” or home automation devices such as “smart” thermostats and smoke alarms that record and transmit data. 

The Opinion describes a number of significant data security concerns arising from these applications, including: 1) the lack of user control over data dissemination; 2) the lack of durable, high-quality user consent; 3) unchecked repurposing of user data; 4) the profiling of individual users from behavioral data; 5) the limits of user anonymity; and 6) the balancing of end-to-end data security with technological efficiency. 

WP29 extensively describes the applicability of EU Directive 95/46/EC and provisions of the EU’s e-Privacy Directive – 2002/58/EC, as amended by 2009/136/EC – to processors of data in the IoT, including device manufacturers, social platforms, and third parties. This analysis emphasizes three key principles: 1) collecting personal data lawfully and fairly; 2) limiting data collection to specific purposes; and 3) minimizing the amount of data collected for a given purpose. 

The Opinion elaborates on this analysis with a comprehensive set of recommendations for IoT stakeholder compliance with EU data protection laws. Recommendations for all stakeholders include the creation and disclosure of Privacy Impact Assessments, the aggregation of data, and the development of user-friendly methods of controlling data disclosure. The Opinion provides additional recommendations for OS and device manufacturers, application developers, social platforms, IoT device owners, additional data recipients, and standardization bodies. 

As the IoT develops and its application expands, the WP29 will continue to release guidance on compliance with EU data protection laws. 

The full Working Party opinion can be found here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf  

Andrew Liebler