The Article 29 Working Party (“WP”) – a collection of 28 EU national data protection authorities – has recently published its opinion on the ‘Internet of Things’. With an estimated 30 billion devices to be connected to the internet of things by 2020, the WP has considered the privacy challenges arising from this evolving sector. The WP views the internet of things as posing a number of personal data protection and privacy challenges, including the risk of security breaches and of profiling or surveillance. This post considers these challenges. Next week, we will look at the recommendations made by the WP to tackle these challenges.

What is the Internet of Things?

The ‘internet of things’ (“IoT”) is an odd and somewhat new phrase. While the IoT covers an extensive range of issues such as ‘smart cities’, ‘smart transportation’ and M2M (machine to machine) communications, the WP focused on existing user-facing devices, such as wearable computing, “quantified self” and home automation.

Wearable computing covers everyday items, like watches and glasses, which have embedded sensors to increase functionality. “Quantified self” refers to items enabling people to monitor and measure information about their activities and lifestyle, such as fitness and activity trackers. As the name suggests, home automation covers “connected” home devices, such as light bulbs, alarms, washing machines or thermostats.

Challenges faced

The WP focused on a number of challenges arising from the IoT. It considers that these challenges are “amplified” due to the huge increase in the amounts of data being processed.

The challenges identified by the WP include:

  1. Ensuring users have sufficient control as they often cannot review the data before its ‘publication’.
  2. Automatic or default communication without the user being aware and the difficulty in controlling the flow of data.
  3. A lack of awareness by individuals, other than the user, of a device’s enhanced capabilities and the quality of their consent.
  4. The insufficiency of classical consent mechanisms and the need for new methods of consent.
  5. The risk of stakeholders processing data beyond the original specified purposes, particularly in light of the advances in algorithms and analytics engines.
  6. IoT devices’ ability to determine the habits, behaviours and daily activities of individuals (see our post on the Digital Rights Ireland case where the CJEU made similar comments).
  7. The limits on the ability to remain anonymous while using IoT devices or services.
  8. The vulnerability of devices to “re-identification attacks” where users can be identified by an unauthorised party.
  9. The risk of turning an everyday object into a privacy and information security target.
  10. The battle between device battery efficiency and the security of communications resulting in a lack of encrypted data flows.

What does this mean?

While the opinion is not law, it provides an insight into the sorts of issues that European privacy regulators are likely to focus on as the IoT develops. Given the upsurge in the ways in which data are collected and processed, and the considerable expansion in the types of data that are measured and collected by the IoT, the industry is likely to face considerable regulatory scrutiny.

The challenges set out above demonstrate the difficulties in applying the existing law to this developing area. While the usual issues of control, consent and security continue to crop up, it appears that ease of use and functionality are central to the data protection and privacy concerns identified by the WP. 

In next week’s post, we will consider the second part of the WP’s analysis – the obligations of stakeholders and the WP’s recommendations for tackling the various challenges.