On September 23, the Article 29 Working Party, an independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC, released an opinion on safeguarding data in the internet of things. The “internet of things” (IoT) refers to connected devices other than computers and smart phones. The Working Party opinion focused on three types of IoT applications: wearable devices (e.g., Google Glass, Apple Watch), quantified self devices (e.g., Fitbit), and home automation devices or “domotics” (e.g., smart thermostats). According to the Working Party, IoT devices raise particular data protection and privacy concerns because:
- Data subjects generally have less control over and/or a lack of awareness of what information is collected;
- The lack of information about what data is collected and used for interferes with data subjects’ ability to consent to the data’s collection;
- The increased amount and aggregation of data can lead to data repurposing and behavior profiling;
- Devices have a limited ability to allow users to remain anonymous; and
- Efficiency often trumps security.
The Working Party maintains stakeholders in any IoT device present in the European Union may qualify as data controllers and therefore be subject to EU privacy and data protection laws, whether or not the stakeholders are themselves present in the European Union. Stakeholders include device manufacturers, third-party application developers, and social platforms that interact with device data. After discussing the legal requirements that apply to data controllers and the rights of data subjects, the Working Party made numerous specific, practical recommendations. A small selection of these recommendations are:
- Implement privacy by design or by default;
- Perform privacy impact assessments;
- Give data subjects the maximum control over their data;
- Inform data subjects about what data is collected and frequently remind them that sensors are collecting data;
- Provide tools that allow data subjects to read and edit the data before it is processed;
- Notify users when security vulnerabilities are detected; and
- Delete raw data when it is no longer needed.