On September 16, 2014, the European Union’s Article 29 Working Party (“Working Party”) released an opinion on recent developments involving the Internet of Things (“IoT”). The opinion provides data controllers (e.g., device manufacturers, application developers, social platforms) guidance on how to comply with the EU legal framework on privacy and data protection when collecting personal data from certain devices. Additionally, the Working Party opinion lists potential privacy and data security challenges for the IoT landscape. The opinion notes its potential application to data controllers outside of the EU that collect personal data from connected devices of data subjects within the EU.
The opinion lists potential privacy and data security concerns regarding IoT, including: (1) obtaining consent across connected devices and applications; (2) profiling of individuals through the collection of personal data from outside parties; and (3) capability of unauthorized parties to make inferences on a data subject’s lifestyle, habits, preferences, or their activity while at home. The opinion suggests that a lack of adequate privacy and data protection measures of one unsophisticated connected device may weaken the safeguards of another device it is connected to, regardless of whether the latter device provides adequate consent and opt-out tools.
While the Working Party’s opinion discusses potential privacy and security concerns involving IoT, it recognizes that IoT holds “significant prospects of growth for a great number of innovating and creative EU companies.” The Working Party notes that it will continue to provide guidance on how to comply with EU privacy and data protection law in the IoT landscape as it evolves.