The European Union’s (“EU”) independent data protection advisory body, the Article 29 Working Party (“A29WP”), has recently published an opinion (Opinion 8/2014) (the “Opinion”) on the ‘Internet of Things’ (the “IoT”). The Opinion addresses data protection and privacy concerns that arise from the use of networked or ‘smart’ products and clarifies the basis on which data protection law will apply to suppliers of such products.
In the A29WP’s view, the IoT, a network of internet connected smart goods ranging from telephones to toasters, is on the ‘threshold’ of integration into the lives of EU citizens. The Opinion specifically focuses on wearable computing (e.g. smart watches, glasses and clothing), quantified self (devices which measure personal information such as activity counters or sleep trackers), and home automation devices (e.g. smart light bulbs or washing machines).
Privacy concerns
The A29WP briefly summarises the privacy and data protection concerns which arise in relation to the IoT which include:
- Lack of control and information asymmetry: the amount of personal data (both in terms of primary data and metadata) and the interaction of both users with machines and machines with machines will result in new varieties and volumes of data which cannot be adequately controlled using existing methods.
- Quality of consent: the ubiquitous nature of the IoT, and the inability to distinguish smart from traditional devices, means that the individuals whose data are being used (the “data subjects”) may not be aware of, or consent to, data collection and processing. Further, even though some smart devices may allow certain functions to be switched off to preserve privacy, this is often more a theoretical than a practical solution.
- Inferences derived from data: data may be cross-referenced against other data to obtain or infer new data which is more significant or sensitive. For example, activity trackers combined with nutrition data may allow inferences about a data subject’s physical condition.
- Patterns and profiling: the cross-referencing of data from devices within the IoT may allow the creation of profiles and generation of patterns about data subjects. This may have a demonstrable effect on the lives of data subjects and lead to changes in behaviour (in the same way intensive CCTV usage alters the behaviour of individuals).
- Limitations on anonymity: the prevalence of sensor data, and the ability to cross-reference it, will make anonymisation increasingly difficult. For example, the independent collection of anonymous MAC addresses by a device could be cross-referenced against the same data from other devices to build up a pattern of movement.
- Security risks: the IoT is only as secure as the weakest link in the chain. Unfortunately, the security of smart devices is sometimes not fully considered, and such devices are low-power or battery-operated with limited security and encryption capabilities.
Applicability of data protection law
EU data protection law regulates how the personal data of EU citizens is legally collected and processed. The term ‘personal data’ has a broad meaning, and it is likely much of the data generated by and about individual data subjects (and their smart equipment) would fall within its scope. Under the present regime, data controllers (the entities responsible for the means and purposes for which personal data is processed), which are established in the EU or use “equipment” in the EU to process personal data, are primarily liable for how the data is used.
Notably, the A29WP states that suppliers of smart equipment will, by virtue of such equipment being in the EU, themselves be deemed to be established in the EU under Article 4.1(d) of the Data Protection Directive (95/46/EC) (the “Directive”), which provides that data protection legislation shall apply to those data controllers who are not otherwise established in the EU but who use ‘equipment’ located in a Member State. The A29WP’s view is that this should be interpreted broadly, and it points to the approach taken by the Court of Justice of the European Union (“CJEU”) in the recent Google Spain case (C-131/12), where it was held that Google Inc.’s advertising subsidiary in Spain sufficed to establish the US parent company in the EU.
The definition of controller may also extend to device manufacturers as, in many cases, they will collect or process data generated by the equipment. However, even if this is not the case, by designing the device the manufacturer will have determined the means and purposes by which data is collected and processed and may be classed as a data controller (which would make them potentially liable for how the data is subsequently processed).
Beyond the device suppliers and manufacturers, other parties could also assume the role of a data controller. These could include social media platforms to which the device posts information, third party app developers whose APIs enable data subjects to access the device (for example an app released by an alarm system company which allows customers to monitor their home), and other third parties with access to the data (for example a health insurance company monitoring a client’s pedometer).
Recommendations
The A29WP sets out specific recommendations for OS and device manufacturers, application developers, social networks, device owners, standardisation bodies and data platforms. The recommendations include the following:
- All stakeholders: should undertake privacy impact assessments, delete raw data when no longer required, apply principles of privacy by design and default, enable users to control their own data, make information regarding consent user-friendly and generally design devices to inform user and non-user data subjects as to how their data will be used.
- OS and device manufacturers: have a responsibility to limit as much as possible the amount of data leaving the device. They should inform users about the type of data collected and offer a ‘do not collect’ option, inform other stakeholders immediately if consent is withdrawn, and limit device fingerprinting by disabling identifiers and wireless interfaces when not in use. Data subjects’ rights of access should be facilitated, and it is recommended that data be held in a portable format for exporting. Security by design should be implemented, and appropriate cryptographic components are important. OS and device manufacturers are also recommended to create tools to notify users about vulnerabilities and to update devices. Devices themselves should also be able to distinguish between users. Finally, device manufacturers should cooperate with standardisation bodies to create a common protocol and enable the use of personal privacy proxies to facilitate storage and processing of data on the device itself.
- App developers: should comply with data protection principles relating to data minimisation and facilitate data subject access rights. Data itself should be portable in both raw and aggregated formats, and it is important that developers are aware of the risk of inferring sensitive information from other data. Users should also be warned when a sensor is collecting data, either as it happens or, if the app is not directly connected to the device, through periodic notifications regarding data collection.
- Social platforms (such as social media networks): should not publicise or allow search engines to index data by default. Default settings should allow and prompt users to better control published information.
- Owners of smart devices: should have administrative control of the device. Where the device owner is party to a contractual relationship with the data subject (for example a car rental company leasing an IoT-connected car to a data subject), or even where there is no such relationship, the data subject should have the ability to access or oppose data collection and processing. Crucially, the data subject should provide consent and should not be penalised, economically or in terms of access to the device’s capabilities, for refusing to do so.
- Standardisation bodies: should promote standardised data formats for raw and aggregated data which also facilitate anonymisation, and develop security and privacy standards and protocols.
The A29WP has also stated its intention to issue a future opinion on 'Fingerprinting', i.e. the use of information to build up a digital profile or 'fingerprint' of an individual.
WAB Comment
The A29WP's Opinion provides a useful overview of the key challenges and legal issues facing the IoT’s various stakeholders. However, the IoT does not easily reconcile itself with EU data protection law. Whereas data protection law seeks to protect individuals’ rights to control how data is collected and used, the IoT is built upon numerous devices inconspicuously collecting large amounts of varied data for a myriad of uses. The IoT may provide benefits to data subjects, particularly in terms of automation and convenience, but inherently aims to do so without intruding on the daily lives of individuals. Further, the data generated by smart devices is a valuable commercial asset which data controllers will often wish to exploit.
The most straightforward way to ensure compliance with data protection law would be to obtain the data subject’s consent or, alternatively, to avoid the application of data protection law by anonymising the personal data generated. As anonymised data carries with it the risk of individuals being “re-identified” from combination with other available data, however, the most certain approach remains to obtain the data subject’s consent. The challenge for data controllers is to find a technical solution for obtaining consent that does not rely on complex and lengthy privacy policies or terms of use which are difficult for device users to read and understand.