The Internet of Things introduces challenges for the data-protection-conforming exchange of data between machines. Yet M2M products can definitely benefit from the legal requirements.
For some sectors such as automotive and engineering, the Internet of Things carries promising opportunities for designing new products and services. In doing so, data is frequently exchanged between machines (“machine to machine”, “M2M”).
The challenge begins with an important recognition, namely that the legally relevant “personal” nature of the data is not always obvious in M2M products and services (collectively “M2M products”). To the extent that only data devoid of relationships to natural persons ("machine data") is transmitted and processed, this generally does not pose legal problems. Nevertheless, upon careful review, it is not unusual for legally relevant personal identity information to emerge from some of the M2M data. For example, in most cases, tangible insights regarding the whereabouts and driving behaviors of the driver can be obtained from the vehicle’s location, movement or operating condition data incidental to the operation of a passenger car. Log data for machine usage are also frequently personal.
In such cases, the legal requirements for the protection of personal data come into play. Data privacy protection law is sometimes perceived by business as an obstacle. However, experience often shows that data privacy protection requirements can be incorporated into a thoughtfully formulated (M2M) product concept that does not diminish the product’s commercial viability and desirability. If anything, observing data privacy protections can in this sense even represent a qualitative added value of the affected M2M product – and thereby contribute to a competitive advantage for the manufacturer, among other things. On the downside, it is becoming increasingly apparent that M2M products created without sufficient view toward data privacy protection requirements have limited or no commercial viability.
Under these circumstances, it is recommended that a careful legal examination of the data streams be completed very early at the beginning of product design. If this reveals that the collection, processing or transmission of personal data is in issue, then the question may arise to what extent the personal nature of the data collection is really necessary, or whether it can be avoided within the product-related data processing using adequate methods such as anonymization or pseudonymization without disadvantaging the M2M product. In the latter case, a special legal protection for the data will generally no longer be required.
Insofar as personal data is specifically needed, a legal basis may be identified for legitimizing the data processing where necessary. The data processing will thereafter be configured within the framework of the identified legal basis. Alternatively, concepts of consent are being formulated and are becoming increasingly relevant in the M2M area, which can legitimize the processing of personal data to a sufficient degree.
Overall, the data protection principles of “privacy by design” and “privacy by default” play just as important a role in this phase as do creative legal approaches, for example in connection to the collection and processing of location data in accordance with relevant legal requirements.
Conclusion: The decisive factor in the successful formulation of M2M products is a focus on practical, legally precise solutions that take into account data privacy protection aspects. On the one hand, M2M products without sufficient consideration of data privacy protection requirements will have limited or no market viability. On the other hand, lawful data protection should not impede the development of innovative M2M products.