The Article 29 Working Party, which is composed of representatives of DPA’s from every European country, has recently rendered an opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf ) on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it is considered personal data because it may enable the life pattern of a specific individual to be discerned. After identifying the major privacy issues raised by such devices, the Article 29 Working Party made a series of recommendations to IoT stakeholders.
According to this Opinion, the Internet of Things is a concept that currently includes three different types of devices:
- Wearable computing — such as watches and glasses — embedded with sensors, cameras, and microphones that can record and transfer data.
- Quantified self devices that a person carries to record information about his or her lifestyle, such as sleep patterns, calorie intake, or distance walked. These devices record information that may be considered health data, which EU law classifies as sensitive data.
- Domotics, which are connected devices placed in homes or offices that are used to remotely control items such as light bulbs, thermostats, and smoke alarms. The data these devices record and transfer may reveal a person’s lifestyle habits and choices.
The IoT poses several data protection challenges. The Article 29 Working Party identified six majors risks related to data collected and transferred by IoT devices :
- Users lack control over data collection and transfer because communication between objects may be triggered automatically and without individual controls. This may result in excessive self-exposure.
- User consent may not be solicited before an IoT device processes data, and users are sometimes not even informed that such data processing will occur. In addition, wearable computing devices with recording cameras or microphones may record individuals without their knowledge or consent.
- IoT data is sometimes used for secondary purposes, and users may not have been informed that third parties may “repurpose” the data. A user may be comfortable sharing the information for its primary purpose, but not for a different secondary purpose.
- Sensors may make it easy to intrude on individual privacy within the home. The Article 29 Working Party draws a comparison between the IoT and the use of CCTV in public spaces.
- The IoT may limit possibilities for individuals to remain anonymous, as wearable devices sometimes collect and transmit a user’s exact physical location.
- The IoT raises security challenges and could be a potential target of hackers, resulting in personal data being stolen with widespread effects on an individual’s rights.
Users of the IoT (for example, quantified self device users) are data subjects, but individuals that are not users of IoT devices can also be data subjects: smart glasses may collect data about individuals other than the person wearing the device. Moreover, several companies are considered joint data controllers: as examples, device manufacturers that collect and process personal data generated by the devices, social platforms where users share their data with other users, and application developers.
The Article 29 Working Party applied the cornerstone principles of data protection law to IoT devices and stakeholders, including:
- Fairness and lawfulness of the collection and processing of data: implying that data subjects must be aware that data is being collected. This is crucial, especially in the case of “invisible” sensors such as the cameras contained in wearable computing.
- The purpose limitation principle, which prohibits “repurposing” data collected without data subject consent for the new purpose.
- The data minimization principle, which provides that only data strictly necessary for the purpose is collected; data should not be collected just in case it could be useful in the future.
- Data should not be kept for a longer period than necessary.
- Sensitive data, such as health data, requires explicit consent.
- Security of the data must be provided for.
In addition, data subjects must be informed about data collection, have a right to access the data, and have a right to withdraw consent and to oppose such data collection and processing.
Finally, the Article 29 Working Party made a series of recommendations, including (i) the performance of Privacy Impact Assessments (PIAs) prior to launch of new IoT applications, (ii) the aggregation of individual data as soon as possible, (iii) using privacy by design, and (iv) making the method for consent as user-friendly as possible.