The Internet of Things (IoT) has taken off in 2014, with the launch of numerous new connected devices by global electronics manufacturers. Designed as smartphone extensions or linked to a wireless network, connected devices offer a wide range of services to consumers by collecting and transmitting all types of data via sensors. The number of such devices is expected to hit 80 billion by 2020.(1) Although the IoT offers businesses and consumers new opportunities, it nevertheless poses many risks: when a device is connected to the Internet, it is technically possible to locate and misuse it.
The current legal framework does not address all types of connected device and does not effectively regulate all of the issues they raise. The relevant provisions are varied and scattered across numerous different statutes (eg, on the law of contracts, liability, information technology, personal data and intellectual property). This framework is beginning to show its limits, particularly as regards the main legal issue: personal data protection and privacy.
The IoT economy is based on the use of a vast volume of personal data, and increasingly Big Data. Questions are arising over the use of such data, particularly with respect to security. Users may lose control of their data when it is transmitted to other applications or disclosed on social networks. Likewise, collected data may allow businesses to profile the spending habits of individual consumers, thereby violating their privacy. Computer experts have even shown how it is possible to remotely deactivate the brakes on an electric car or assume control of a pacemaker through an ordinary computer.
Article 34 of the Data Protection Act requires data controllers to take all necessary measures to ensure data security and, in particular, to prevent data from being distorted, damaged or accessed without authorisation. Breach of this requirement carries a penalty of five years' imprisonment and a €300,000 fine under Article 226-17 of the Criminal Code. For legal entities, the fine may be multiplied by five and thus amounts to a maximum of €1.5 million. Article 323-1 of the Criminal Code also provides that breaches of automated data processing systems are subject to a penalty of two years' imprisonment and a €30,000 fine.
Users of connected devices such as glasses can film people without them knowing and then broadcast the videos via social media, which raises the issue of the right to privacy and violations of the publicity rights or reputations of those who are filmed. Pursuant to Article 226-22 of the Criminal Code, anyone who collects personal data whose disclosure would have the effect of breaching the subject's privacy or harming the subject's reputation, and who discloses such data without authorisation to a third party which is not entitled to receive such data, is liable to a penalty of five years' imprisonment and a €300,000 fine.
Moreover, several connected devices aimed at promoting wellbeing(2) involve the processing of health data. As health data is considered sensitive data, its collection and processing are in principle prohibited. Such data may be collected only by hosts which have obtained approval pursuant to Article L1111-8 of the Public Health Code.
Other devices, such as watches and cars, incorporate global positioning systems. Geolocation is regulated by the Act of March 28 2004. Pursuant to Article 230-32 of the Criminal Procedure Code, geolocation tracking is permitted only when it is necessary for the purposes of an investigation or an inquiry, and can be carried out only by a judicial police officer.
It is thus evident that many pitfalls are associated with the IoT and it is doubtful whether the current legal framework is sufficient to regulate the diverse range of connected devices - especially as data is increasingly hosted on servers located in the United States or India and thus does not benefit from the level of protection assured in the European Union. As technological progress continues, stakeholders(3) must be able to develop their activities in accordance with applicable rules.
Until a more specific legal framework is established, the Data Protection Act and the EU Data Protection Directive (95/46/EC) will apply to IoT devices. The Act of January 5 1988 on computer fraud is also applicable. Connected devices are also covered by the recent Act 2015-136 of February 9 2015 on emission sources of radio-electric devices, including connected devices containing radio-frequency identification chips for the storage and transfer of data.
Stakeholders are also advised to refer to the Article 29 Working Party's opinion(4) of September 16 2014, which recommends that impact assessments be conducted before any new IoT application is launched, that data be aggregated, that the principles of privacy by design and privacy by default be applied, and that users be empowered by ensuring that they remain in control of their personal data at all times. Stakeholders should also refer to the report published on January 16 2013(5) in which the European Commission recommended that connected devices be designed from the outset to meet the requirements relating to the right to delete data, the right to be forgotten, data portability, protection of privacy and the principles of data protection. In a study conducted by the CNIL's Innovation Laboratory, entitled "The body: a new connected device", the CNIL set out the following recommendations for users:
- Use a pseudonym to share data;
- Do not automatically share data with other services;
- Identify circles of trust before publishing data; and
- Erase or retrieve data when a service is no longer used.
For further information on this topic please contact Leila Benaissa at FIDAL by telephone (+33 1 4738 5400), fax (+33 1 4738 5499) or email (firstname.lastname@example.org). The FIDAL website can be accessed at www.fidal.fr.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.