Under existing EU data protection laws, and under the new proposed EU Data Protection Regulation (when it comes into force), stakeholders in relation to Internet of Things (IoT) face significant challenges in achieving compliance while not compromising the appeal or efficacy of their IoT products and services.
Participation in the IoT is “not a game played by different rules”. Reflecting this sentiment, the Article 29 Data Protection Working Party (WP29) has published guidance for stakeholders in a recent opinion (Opinion 8/2014 on the Recent Developments on the Internet of Things) (the Opinion). The Opinion emphasises, in relation to the IoT, the need to build compliance mechanisms (by design and by default) into IoT devices and related services. The EU Data Protection Regulation similarly emphasises that approach.
The message is clear: taking steps now to reflect such requirements in the design and operation of IoT devices and related services can avoid costly and disruptive redesign and retrofitting of compliance-driven functionality later on. According to the WP29, operating system and device manufacturers, operators of social media platforms, application developers, device owners, standardisation bodies and data platform operators may all need to consider taking such action.
In this briefing, we outline some of the privacy concerns raised by the WP29 in relation to the IoT, its view of the legal basis by which data can be legally accessed and processed via the IoT, some of the limits that must be observed in relation to such access and processing, and the guidance set out by the WP29 in assisting relevant stakeholders to achieve compliance when participating within the IoT ecosystem.
What is the Internet of Things?
The “Internet of Things” is a term used to describe the multitude of “smart” devices and objects that can communicate to each other using wireless and wired technology. Such devices rely on the “unique addressability” of connectivity to the Internet to transmit, compile and analyse data collected by embedded sensors. Devices can include those with execution capabilities (for example, locks controlled over the Internet) and (increasingly) ambient intelligence and autonomous control.
In its Opinion, the WP29 focuses on three categories of IoT devices:
- wearable computing (e.g. smart watches and glasses);
- quantified self (e.g. health monitors); and
- domotics (home automation).
These devices relate principally to B2C activities, where data privacy concerns are typically most acute.
What are the data privacy concerns for the IoT?
Among other things, the WP29 identifies the following concerns:
- IoT data may not be adequately reviewable by the data subject prior to its use or publication;
- communication between IoT devices can be triggered automatically, as well as by default, without the individual being aware of it;
- an individual may not be able to prevent further transmission of their personal data collected by an IoT device without disabling most of the functions of the device;
- it will be even more difficult to control the data’s subsequent use, which may give rise to function creep;
- the ability to reject certain services or features of an IoT device may be more of a theoretical concept than a real option;
- the increase in the amount of data generated by the IoT, in combination with modern data analytics and cross-matching, may lend the data to secondary uses not within the scope of the purpose assigned to the original processing;
- such data analysis might enable the detection of an individual’s detailed and complete life and behaviour patterns;
- full development of IoT capabilities (with the correlation of so many identifiers across so many sources) may limit the efficacy of anonymisation and pseudonymisation, and make the data vulnerable to re-identification attacks; and
- the IoT raises various security challenges, with less secure IoT devices offering the opportunity for attack, remote control or unauthorised surveillance, particularly as deploying privacy and security controls may divert precious computational and battery resource.
What sort of information would be personal data?
The Opinion does not seek to add to previous expansive interpretations of personal data. However, it is safe to assume that any unique identifier (e.g. a mobile device IMEI number) that can be cross-correlated back to an individual using other information likely to come into the hands of the controller is likely to be regarded as personal data by the WP29.
Who could be a data controller?
The WP29 takes a broad view of who might be a “data controller” in relation to the IoT. Observing that the role of each stakeholder involved in the IoT will be essential in determining its legal status as a data controller, the WP29 considers that controllers could include device manufacturers, social media platforms, application developers, device lenders or renters, data brokers and operators of data platforms (among others), all of whom may access the data or direct others to do so. Much will turn on the precise nature of their respective interventions within the IoT ecosystem. The Opinion also stresses that certain devices, such as wearables like smart glasses, are likely to render the user a data controller too.
What is the legal basis for processing data collected via the Internet of Things?
The WP29 observes that simply storing or accessing information already stored on an IoT device would, under Article 5(3) of Directive 2002/58/EC (the cookies consent provision), require the relevant stakeholder to get the consent of the data subject (in as much as such device qualifies as “terminal equipment”).
Turning more specifically to EU data protection laws, the WP29 considers that they offer three potential legal bases for processing data collected and processed via the IoT:
- processing is with the consent of the data subject;
- processing is necessary for the performance of a contract; or
- processing is necessary for the purposes of “legitimate interests” of the data controller.
The WP29 views consent as the likely legal basis for processing of data in relation to the IoT in most cases (particularly given the similar requirements of Article 5(3) of Directive 2002/58/EC, mentioned above). It views the “legitimate interests” ground as highly unlikely to apply.
The WP29 is particularly concerned about the effectiveness of consent in the context of the IoT. Device users may not be aware of the data processing being carried out. This, the WP29 observes, could create “a significant barrier to demonstrating valid consent under EU law, as the data subject must be informed”. Underscoring the need for privacy by design, the WP29 suggests that consent could be obtained by including consent mechanisms incorporated into IoT devices themselves.
The WP29 states that it will be necessary for IoT devices and services to include functionality that enables users to withdraw consent at any time. It also suggests that data controllers will need to provide a system of “continuous withdrawal” of consent, enabling users to withdraw consent without having to exit the totality of the service provided (i.e. making the use of such things conditional on being tracked is highly problematic).
What are the limits on processing personal data collected via the IoT?
EU data protection legislation requires that personal data should always be processed fairly and lawfully. This means that personal data should never be collected without the individual being aware of it. This requirement is particularly important in the case of the IoT, where connected devices typically include sensors specifically designed to be unobtrusive or to be as invisible as possible.
Personal data collection and processing is also restricted by:
- the purpose limitation principle, under which data can only be collected for specific and legitimate purposes. These purposes must be defined before the processing takes place. For the IoT, this means that stakeholders must be sure of their business requirements before they engage in collecting data;
- the data minimisation principle, under which the data collected should be strictly necessary for the specific purpose previously determined by the data controller. In relation to the IoT, the WP29 considers that this principle means that, when personal data is not necessary to provide a specific service run on the IoT, the data subject should at the very least be offered the opportunity to use the service anonymously.
Under EU data protection laws, data must not be kept for longer than is necessary for the purpose for which the data were collected. The WP29 notes that, in relation to the IoT, this means that personal data communicated by users when they subscribe to a specific service on the IoT should be deleted as soon as they end their subscription.
There are also implications for the IoT in relation to the collection and processing of data considered sensitive under EU data protection laws (such as data on ethnicity, health or sex life, religious or philosophical beliefs), particularly in relation to “quantified self” devices. While the information that they collect may not always constitute sensitive data, the WP29 observes that IoT stakeholders will need to comply with the more rigorous requirements for obtaining consent to the processing of such data.
Transparency requirements under EU data protection legislation will also be relevant to IoT stakeholders. Under current EU law, data controllers must provide information concerning the controller’s identity, the purposes of the processing, the recipients of the data, and the data subject’s rights to access the data or to object to its processing. The WP29 suggests that this information could be provided in some instances by the IoT object or device itself, through wireless connectivity, or by privacy-preserving proximity testing (done by a centralised server to inform users that they are located close to the IoT sensor).
Observing that the IoT raises a number of problems in relation to data security, the WP29 notes that IoT stakeholders will need to implement appropriate technical and organisational measures to protect personal data in order to comply with EU data protection laws. This may involve building in encryption in relation to information collected.
Under EU data protection laws, data subjects have rights of access to data that is subject to the processing and to information regarding their source. The WP29 believes that current IoT systems may prevent users from freely choosing the service that interacts with their device. Users may rarely be in a position to have access to the raw data that are registered by IoT devices. Such matters may need to be addressed in terms of design functionality if compliance with the applicable laws is to be achieved.
What steps can be taken to achieve compliance?
The WP29 sets out general recommendations applicable to all stakeholders as well as specific recommendations for particular stakeholders. The WP29’s general recommendations include recommendations on privacy impact assessments, deleting raw data, privacy by design and default, data subject access rights, obtaining consent, and transparency in relation to processing.
What perhaps is not drawn out explicitly enough in the Opinion is that, for individuals associated with a “thing” to be able to understand how their data is used, to check on that use through the exercise of subject access rights and to exert real control in the manner envisaged by the WP29, the following developments may need to occur (this is the author’s view and not the WP29’s):
- all privacy notices relating to the “thing” that collects the data, from all the actors that use that data, will need to be delivered through the smartphone or PC interface (how else will the individual ever be able to keep up with what he/she has or has not consented to);
- given the multiplicity of actors that might use this data, it would be far simpler if the types of data and the uses made of them were categorised in a standard manner in the notices (so the user can quickly recognise the types of use he/she is or is not comfortable with, without having to read all the small print);
- in order for those notices to be more than just annoying, irretrievable and ultimately meaningless, one actor (possibly outside of the IoT ecosystem to foster trust) will have to take on the role of recording the permissions given over time (creating a consent register for each individual) so that the individual can track and audit who has what data about him/her and can hold them to account as to what was agreed;
- as different “things” which may already be associated with an individual without his or her knowledge can communicate with different networks, one might think that it would be very helpful if the operator of the consent register had some technology that blocked any non-permissioned “things” communicating with any non-permissioned network within a certain radius of the individual or his/her house (a sort of non-surveillance force field!). However, not every “thing” that is associated with an individual will be physically proximate to that person or his/her house, and the system itself might have some unintended consequences unless universally adopted (one person’s force field would knock out the communications of anyone near him or her), so an offensive technological solution seems unlikely; and
- given the difficulties in implementing the previous paragraph’s wishful thinking, the incentive to invest in such a regime will be driven by whether high sanctions are imposed for breaches of the privacy rules by those who collect and use data from “things” without being permissioned (particularly if use which was not permissioned on the consent register received more punitive sanctions).
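The consent register sketched in the list above (recording, per individual, which actor has been permitted which categories of data for which purpose, and letting the individual audit that over time), together with the WP29’s “continuous withdrawal” requirement and the rule that data must be deleted once the purpose ends, can be made concrete in code. The following is an added illustration written for this briefing; it is not the WP29’s, the author’s or any product’s code. The actor names, subject identifier, data categories and purposes are all constructed assumptions, as is the idea that records are tagged with the (actor, purpose, category) they were collected under.

```python
"""Per-individual consent register with per-purpose withdrawal and a retention check.

Added illustration for this briefing; all actors, categories, purposes and
identifiers below are constructed assumptions, not values from the Opinion.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Category(Enum):
    """Standardised data categories so a user can recognise a type of data at a glance."""
    LOCATION = "location"
    HEALTH = "health"
    USAGE = "device_usage"


class Purpose(Enum):
    """Standardised purposes; each must be declared before any collection happens."""
    SERVICE = "service_delivery"
    ANALYTICS = "analytics"
    ADVERTISING = "advertising"


@dataclass(frozen=True)
class Permission:
    actor: str                 # the stakeholder granted access (manufacturer, app, broker ...)
    purpose: Purpose
    categories: frozenset      # set of Category values the actor may process for this purpose
    granted_at: datetime


@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    event: str                 # "grant" or "withdraw"
    actor: str
    purpose: Purpose
    categories: frozenset


class ConsentRegister:
    """One register per individual: active permissions plus an append-only audit log."""

    def __init__(self, subject_id: str) -> None:
        self.subject_id = subject_id
        self._active: dict = {}    # (actor, purpose) -> Permission
        self._log: list = []       # every grant and withdrawal, in order

    def grant(self, actor: str, purpose: Purpose, categories, at: datetime) -> Permission:
        perm = Permission(actor, purpose, frozenset(categories), at)
        self._active[(actor, purpose)] = perm
        self._log.append(AuditEntry(at, "grant", actor, purpose, perm.categories))
        return perm

    def withdraw(self, actor: str, purpose: Purpose, at: datetime) -> bool:
        """Withdraw one purpose only: other purposes, and the service itself, keep running."""
        perm = self._active.pop((actor, purpose), None)
        if perm is None:
            return False
        self._log.append(AuditEntry(at, "withdraw", actor, purpose, perm.categories))
        return True

    def is_permitted(self, actor: str, purpose: Purpose, category: Category) -> bool:
        """Access decision: the actor needs an active permission covering this category for this purpose."""
        perm = self._active.get((actor, purpose))
        return perm is not None and category in perm.categories

    def holdings(self) -> dict:
        """Who currently holds what (actor -> category names), for the individual's own audit."""
        out: dict = {}
        for (actor, _purpose), perm in self._active.items():
            out.setdefault(actor, set()).update(c.value for c in perm.categories)
        return out

    def audit_trail(self) -> list:
        return list(self._log)


@dataclass(frozen=True)
class StoredRecord:
    actor: str
    purpose: Purpose
    category: Category
    collected_at: datetime


def records_to_delete(register: ConsentRegister, records) -> list:
    """Retention check: any record no longer covered by an active permission must be deleted."""
    return [r for r in records if not register.is_permitted(r.actor, r.purpose, r.category)]


def demo():
    """Constructed scenario: three actors, one withdrawal, then the retention sweep."""
    t0 = datetime(2014, 10, 1, tzinfo=timezone.utc)
    reg = ConsentRegister("subject-0001")  # constructed identifier
    reg.grant("watch-maker", Purpose.SERVICE, {Category.HEALTH, Category.USAGE}, t0)
    reg.grant("fitness-app", Purpose.ANALYTICS, {Category.HEALTH}, t0)
    reg.grant("ad-broker", Purpose.ADVERTISING, {Category.LOCATION}, t0)
    records = [
        StoredRecord("watch-maker", Purpose.SERVICE, Category.HEALTH, t0),
        StoredRecord("fitness-app", Purpose.ANALYTICS, Category.HEALTH, t0),
        StoredRecord("ad-broker", Purpose.ADVERTISING, Category.LOCATION, t0),
        StoredRecord("ad-broker", Purpose.ADVERTISING, Category.HEALTH, t0),  # never permitted
    ]
    # The individual withdraws advertising consent only; the watch keeps working.
    reg.withdraw("ad-broker", Purpose.ADVERTISING, t0 + timedelta(days=30))
    return reg, records_to_delete(reg, records)


if __name__ == "__main__":
    register, stale = demo()
    print("current holdings:", register.holdings())
    print("records due for deletion:", [(r.actor, r.category.value) for r in stale])
```

Two design points worth noting. The register is keyed by (actor, purpose) rather than by actor alone, which is what makes “continuous withdrawal” possible: the user can revoke advertising use while service delivery continues. And the retention sweep asks the register rather than the data store what is still permitted, so data held under a withdrawn or never-granted permission surfaces for deletion automatically, which is the behaviour the WP29’s retention guidance calls for.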