Our last post looked at 10 personal data protection and privacy challenges arising from the growing ‘Internet of Things’ (“IoT”) that the Article 29 Working Party (“WP”) identified in its recent Opinion. Together with these challenges, the WP also made a number of potential recommendations for the various stakeholders in the IoT ecosystem. Here we consider the top 7 recommendations.
What was recommended?
In setting out its recommendations, the WP specifically refers to its previous opinion on apps for smart devices (see ‘Appy Campers - Mobile Apps and Data Privacy’) as directly relevant to the IoT. The WP has stated that app developers and device manufacturers should provide:
- an adequate level of information to end users; and
- simple opt-outs and/or granular consent, when applicable.
Where consent has not been obtained, the WP recommends that the data controller should anonymise the data before repurposing it or sharing it with other parties.
- Consent and opt-outs
Where users are choosing to opt out, or are responding to a request for consent, the WP has highlighted the importance of user friendliness. It urges the adoption of accessible, visible and efficient tools for users to exercise their choice, including a “do not collect” option that allows sensors to be disabled quickly. The WP also supports granular opt-outs, such as the ability to opt out of the collection of specific types of data, of any type of data, or of a specific type of processing. In addition, the WP has recommended that manufacturers should be able to communicate a user’s withdrawal of consent, or objection to processing, to all other stakeholders.
The WP has recommended that non-users whose data may be collected be given the ability to object to processing. Similarly, device users should respect non-users’ preference to not have their data collected by the device. The WP has also recommended that users should inform any non-users whose data may be collected of the presence of IoT devices and the type of collected data.
- Data minimisation
EU regulators are continuing to push data minimisation as a core principle of EU law. The WP has highlighted the principle, saying that it should play an “essential” role in the IoT and data should not be stored “just in case”. The WP recommends the speedy deletion of raw data, as close to the point of collection as possible, especially where the data are not needed. It has suggested that, where possible, raw data should be transformed into aggregated data on the device itself. Similarly, where developers can achieve the purposes using aggregated data, they should not have access to raw data.
- Health data
The WP also highlighted the issue of sensitive data, particularly around the ‘quantified self’ movement and the wellbeing of the individual. It stated that while most raw IoT data is not directly health data, IoT devices may in time provide such information. The WP has also noted that developers should pay attention to the type of personal data being processed and to the possibility of inferring sensitive personal data from it.
- Location data
The WP made recommendations around location tracking, stating that manufacturers should limit device fingerprinting by disabling wireless interfaces when not in use, or by using random identifiers so that no persistent identifier is available for location tracking.
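To show what the “random identifiers” recommendation buys, here is an added example (not code from the Opinion or from any manufacturer). It assumes a Wi-Fi-style 48-bit MAC address and a constructed passive observer that can only link sightings by the address it sees. With a fixed burned-in address the observer can follow the device across locations; with a fresh locally administered address per session it cannot.

```python
"""Per-session random link-layer identifiers (added example, not from the WP Opinion).

Assumes 48-bit MAC addresses. The tracker is a constructed passive observer that
records which address appeared at which location and links only by address.
"""
import secrets
from collections import defaultdict
from typing import Dict, List


def random_laa_mac() -> str:
    """Random unicast, locally administered MAC: bit 1 of octet 0 set, bit 0 clear."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered_unicast(mac: str) -> bool:
    """True if the address is marked locally administered and is not multicast."""
    first = int(mac.split(":")[0], 16)
    return first & 0x03 == 0x02


class PassiveTracker:
    """Sees frames at several locations; can only join sightings that share an address."""

    def __init__(self) -> None:
        self.sightings: Dict[str, set] = defaultdict(set)  # address -> locations seen

    def observe(self, mac: str, location: str) -> None:
        self.sightings[mac].add(location)

    def linkable_trails(self) -> Dict[str, List[str]]:
        """Addresses seen at more than one location, i.e. movement the tracker can follow."""
        return {m: sorted(locs) for m, locs in self.sightings.items() if len(locs) > 1}


FIXED_MAC = "08:00:27:12:34:56"  # constructed burned-in address for the non-rotating case


def simulate(locations: List[str], rotate: bool) -> Dict[str, List[str]]:
    """The device starts one session at each location; with rotate=True it picks a fresh MAC each time."""
    tracker = PassiveTracker()
    mac = FIXED_MAC
    for loc in locations:
        if rotate:
            mac = random_laa_mac()
        tracker.observe(mac, loc)
    return tracker.linkable_trails()


if __name__ == "__main__":
    route = ["home", "cafe", "office"]
    print("fixed identifier, trails the tracker can follow:", simulate(route, rotate=False))
    print("rotating identifier, trails the tracker can follow:", simulate(route, rotate=True))
```

Randomising the address only removes one persistent identifier. If other fields in the same frames stay constant between sessions (for example the list of remembered network names in probe requests, or counters that are not reset with the address), an observer can still link sessions, which is why the WP pairs this recommendation with disabling the interface when it is not in use.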
- Transparency and fair processing
Considering the importance of transparency and fair processing (i.e. disclosing the purposes for processing and other information to the individual), the WP has suggested that the necessary information could be provided via a physical interface, such as a QR code or flash code on the relevant device. It has also recommended that individuals whose data are being collected (both users and non-users) be informed of such collection by broadcasting a signal on a wireless channel. The WP also recommends that app developers design notices or warnings to frequently remind users that sensors are collecting data.
- Security
Security is a considerable focus of the Opinion. The WP highlighted the lack of encrypted communications in current offerings, attributing it to device design and cost control. It noted that many devices are difficult to secure, for both technical and business reasons, and that threats include physical attacks, eavesdropping and proxy attacks. The WP has recommended that, when security vulnerabilities are discovered, simple tools should notify users and update devices. It has also urged the development of standard lightweight encryption and communication protocols adapted to the specificities of the IoT.
- Standards and data portability
The WP has made a number of recommendations around standardisation. With regard to users’ rights, the WP expressed support for the right to portability (as provided in the draft General Data Protection Regulation). While users rarely have access to the raw sensor data, the WP has recommended the adoption of “data interoperability standards”, giving users the option to switch services and data controllers. This could be achieved by providing user-friendly interfaces for accessing and exporting data, both in aggregated and raw formats. In developing these standards, however, the WP has stated that data formats should contain as few strong identifiers as possible in order to facilitate the proper anonymisation of IoT data.
What do these recommendations mean?
The recommendations reveal the difficulty in applying current privacy law to the range of IoT devices. While the WP has attempted to tackle the various challenges arising from this new class of technologies, this is not an easy task. The opinion also demonstrates an increasing reliance on features of the draft General Data Protection Regulation, such as privacy by design, the right to data portability and the principle of data minimisation. This is interesting and questionable as it suggests that regulators are seeking to apply a draft (and highly controversial) piece of legislation while it is still working its way through the legislative process.