The EU Data Protection Advisory Body, the “Article 29 Working Party” recently issued its opinion on the Recent Developments on the Internet of Things (WP 223). In the opinion, the Working Party addressed privacy and security concerns associated with common, everyday devices ("Things") in the individual's environment, which are designed to record, process, store and transfer personal data, and seamlessly communicate and interact with other devices or systems using networking capabilities ("Internet of Things" or "IoT").
The opinion addressed three specific IoT categories: (1) Wearable Computing (everyday objects and clothes, e.g. smart watches and glasses, in which sensors were included to extend their functionalities); (2) Quantified Self (tracking information about the individuals habits, tendencies and lifestyle – e.g. pulse or heart rate indicators); and (3) Home automation.
The pivotal privacy challenges identified with relation to the ecosystem of these IoT categories are: (a) Lack of effective control on the generated data flow, excessive self-exposure and information asymmetry; (b) Quality of user's consent (particular challenges to obtain uninformed and free consent); (c) Inferences derived from data and repurposing of original processing; (d) Intrusive bringing out of behavior patterns and profiling; (e) Limitations on the possibility to remain anonymous when using services; and (f) Security risks.
The Working Party addressed the application of key provisions in EU privacy law that deserve specific attention in this context, and provided guidance and practical recommendations which are addressed to the different stakeholders concerned(device manufacturers, application developers, social platforms, data brokers and platforms, and others) to assist them in applying the EU data protection legal framework and implementing privacy and data protection in their products and services.
Concerning application developers, the Working Party asserted that the applications are traditionally installed on an opt-in basis (as such access is subjected to the requirement of obtaining the user’s prior and informed consent). However, practice shows that in many cases, authorization requests made by third-party application developers do not display sufficient information in order for the user’s consent to be considered as specific and sufficiently informed, and to be valid under EU law.
The Working party listed various recommendations for such stakeholders to facilitate the application of the EU legal requirements with respect to IoT.
With respect to application developers, the Working Party stressed the importance of providing an adequate level of information to end-users, offer simple opt-out or granular consent (when applicable), and anonymizing the data when consent has not been obtained, before repurposing it or sharing it with other parties (see also previous opinion concerning apps on smart devices (WP202)).
Further, the Working Party recommended application developers to: (a) display notices or warnings in order to frequently remind users that sensors are collecting or recording data; (b) facilitate the exercise of data subject rights of access, modification and deletion of personal information; (c) minimize the amount and quality of collected data which is required to provide the service; (d)provide tools for exporting both raw or aggregated data in a standard and usable format; and (e) pay special attention to the possibility of inferring sensitive personal data.