The Article 29 Working Party (WP29) has issued a new opinion on the Internet of Things (IoT) which was formulated from its plenary meeting of 16-17 September 2014 (the Opinion).
The Opinion defined IoT as “an infrastructure in which billions of sensors embedded in common, everyday devices … are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems."… It stated that “[t]he viability of many projects in the IoT still remains to be confirmed", but the technology offers “significant prospects of growth for a great number of innovating and creative EU companies".
WP29 has described the IoT as being on "the threshold of integration" with our daily lives. They note that if it is not properly regulated, the IoT could potentially "develop a form of surveillance of individuals that might be considered as unlawful under EU law". WP29 has drawn significant attention to the privacy and data protection challenges raised by the IoT and has created a “comprehensive set of practical recommendations” for the stakeholders involved in the development of the IoT. In summary, WP29 have advised that companies and organisations developing IoT applications should go beyond the current EU compliance requirements to ensure that personal privacy is safeguarded.
The Opinion focuses on wearable computing (such as watches and glasses), quantified self (items used to record one's own activities and lifestyle, such as sleep trackers and other health and fitness indicators such as patient monitoring systems) and domotics (home automation such as devices for the control of lighting, heating and ventilation and security locks). In recognition of the growth of the IoT ecosystem, the Opinion notes that many “questions arise around the vulnerability of these devices”. The WP29 emphasises that “users must remain in complete control of their personal data throughout the product lifecycle, and when organisations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific".
The main privacy, data protection and security issues which WP29 has focussed on are: (1) the user’s lack of control over their data and information asymmetry; (2) the quality of the user’s consent; 3) the repurposing of original data processing; (4) intrusive profiling and behavioural analysis; (5) difficulties to ensure anonymity and (6) security risks vs. the possible inefficiencies of increased security.
This Opinion stresses that the present EU legal framework (the EU Data Protection Directive 95/46/EC on the protection of personal data and the e-Privacy Directive 2002/58/EC as amended in 2009) is fully applicable to the processing of personal data through the different types of devices, applications or services used in the context of the IoT.
The recommendations are hoped to help stakeholders acquire a strong competitive advantage by explaining how to implement a sustainable IoT which complies with the data protection legal framework in full conformity with data protection principles.