1. Here's the thing: Article 29 Working Party publishes opinion on the Internet of Things

The Article 29 Working Party (the "WorkingParty") has published an opinion aimed at stakeholders in the various product and service stages of the Internet of Things ("IoT"). These include device manufacturers, data aggregators and platforms, application developers and social media, many of which may be data controllers.

Background

The IoT refers to an infrastructure in which every electronic device has a sim card and its own presence on the internet. In its 2014 Hype Cycle for Emerging Technologies, Gartner placed the Internet of Things at the "peak of inflated expectations", predicting a further period of five to ten years before the technology becomes mainstream. However, "smart devices" are already being made available which monitor and communicate with people's homes, cars, work environment and physical activities. In particular, the opinion of the Working Party focusses on the following three specific IoT developments:

  • Wearable Computing - Wearable Computing refers to everyday objects and clothes, such as watches and glasses, in which sensors are included to extend their functionalities. For example, smart watches, glasses and clothing. Wearable things are likely to be adopted quickly as they extend the usefulness of everyday objects which are familiar to the individual. They may embed cameras, microphones and sensors that can record and transfer data to the device manufacturer.
  • Quantified Self - Quantified Self things are designed to be regularly carried by individuals who want to record information about their own habits and lifestyles. For example, an individual may want to wear a sleep tracker every night to obtain an extensive view of sleep patterns. Other devices focus on tracking movements, such as activity counters which continuously measure and report quantitative indicators related to the individual’s physical activities, like burned calories or walked distances.
  • Home Automation – Home Automation devices can also be placed in offices or homes. For example, "connected" light bulbs, thermostats, smoke alarms, weather stations, washing machines, or ovens that can be controlled remotely over the internet. Most home automation devices are constantly connected and may transmit data back to the manufacturer.

The opinion focusses on these three IoT developments and the ways in which they highlight the data protection issues raised by IoT to date.

Data Protection and the IoT

The IoT developments described above all involve the processing of data that relate to identified or identifiable natural persons (i.e. personal data). As such, IoT stakeholders must comply with their obligations under the Data Protection Directive in the EU. However, the processing of personal data in the context of IoT devices often involves the coordinated intervention of a significant number of stakeholders, making the data protection analysis extremely difficult.

The Working Party identifies a number of key data protection issues in its opinion.

  • Lack of control – The amount of personal data being processed will result in new varieties and volumes of data which cannot be adequately controlled using traditional data protection methods.
  • Quality of user's consent – In some cases, users may not be fully aware of the processing being carried out. In addition, it may be difficult in the context of IoT devices to be able to obtain the user's valid consent to such processing.
  • Inferences derived from data – Data may be cross-referenced or aggregated with other data in order to obtain new data not previously considered.
  • Behaviour patterns and profiling – Analytics based on information caught in an IoT environment might enable the detection of an individual's life and behaviour patterns.
  • Limiting the ability to remain anonymous – The number of sensors and the aggregation of data from multiple devices will make it increasingly difficult to remain anonymous and preserve one's privacy.
  • Security risks – There is a risk that IoT may turn an everyday object into a potential privacy and information security target, with less secure devices introducing potential new ways of attack.

Recommendations and Business Impact

Given the privacy concerns highlighted by the Working Party, it makes a number of recommendations in order to facilitate the application of EU data protection requirements to the IoT. These recommendations are addressed to the various stakeholders involved in the development of the Internet of Things (i.e. device manufacturers, application developers, social platforms, further data recipients, data platforms and standardisation bodies). However, the Working Party takes a broad view of data controllers, opining that both device manufacturers and suppliers should fall within the definition of data controller. The Working Party also does not rule out the possibility that other stakeholders such as social media platforms and third party app developers could also be data controllers.

Regardless of their status as data controller or otherwise, the Working Party lists a number of recommendations aimed at all stakeholders. For example, the Working Party recommends that all stakeholders should undertake privacy impact assessments, delete raw data when no longer required, apply principles of privacy by design and default, enable users to control their own data, make information regarding consent user-friendly, and generally design devices to inform user and non-user data subjects as to how their data will be used.

The IoT is still in the early stages of development and many stakeholders will be concentrating their efforts on functionality. However, the issue of adequate protection of personal data will need to be addressed by all stakeholders in the value chain to ensure that the IoT moves from its current "peak of inflated expectations" to the "plateau of productivity".

To view a copy of the Working Party's opinion, please click here.

2. Bring Your Own: Government guidance on managing BYOD risk

The Government has published new guidance for organisations on managing Bring Your Own Device ("BYOD") risk (the "Guidance"). BYOD is becoming increasingly popular amongst organisations with the rapid increase in the use of mobile devices and the growth of flexible and remote working. However, use of personal mobile devices for business purposes carries risk.

The Guidance is for organisations considering a BYOD approach, and describes the key security aspects to consider in order to maximise the business benefits of BYOD whilst minimising the risks:

  • Understand the legal issues – the legal responsibility for protecting personal information is with the data controller not the device owner.
  • Create an effective BYOD policy – Think carefully about what business information and services you want staff to access using their own devices.
  • Limit the information shared by devices – Highlight the risks of sharing business data with unauthorised users and manage the risk of automatic back-ups to cloud-based accounts.
  • Encourage staff agreement – Communicate your BYOD policy through employee training and education.
  • Consider using technical controls – Container applications, where data is contained within a specific application, can help manage information flows.
  • Anticipate increased device support – Ensure you have sufficient IT support capability and expertise to manage a growing range of devices and device platforms.
  • Plan for security incidents – Ensure you are able to revoke access to business information and services quickly, and understand how you will deal with any data remaining on the device.
  • Consider alternative ownership models – Consider giving staff a choice of approved devices which are approved and controlled by the organisation.

To view a copy of the Guidance, please click here.

3. Just the Essentials: Mandatory Cyber Essentials certification for government suppliers

On 25 September 2014, the Cabinet Office published Procurement Policy Note 09/14. The Policy Note makes it mandatory from 1 October 2014 for government suppliers to adopt the Cyber Essentials standards in relation to certain government contracts.

Cyber Essentials is a set of cyber security measures developed by the government in conjunction with industry. Two levels of certification are available:

  • Cyber Essentials is awarded on the basis of a validated self-assessment. An organisation undertakes their own assessment of their implementation of the Cyber Essentials control themes via a questionnaire, which is approved by a senior executive such as the CEO. The questionnaire is then verified by an independent Certification Body to assess whether an appropriate standard has been achieved, and certification can be awarded.
  • Cyber Essentials Plus offers a higher level of assurance through the external testing of the organisation’s cyber security approach. Cyber Essentials Plus comprises remote and on site vulnerability testing to check whether the controls claimed actually defend against basic hacking and phishing attacks.

In relation to government contracts, the Policy Note states that the contracting authority must select either Cyber Essentials or Cyber Essentials Plus as the required standard depending upon the level of assurance required.

The contracts for which at least the Cyber Essentials standard is mandatory are contracts which feature any of the following characteristics:

  • Where personal information of citizens, such as home addresses, bank details, or payment information is handled by a supplier.
  • Where personal information of Government employees, Ministers and Special Advisors such as payroll, travel booking or expenses information is handled by a supplier.
  • Where ICT systems and services are supplied which are designed to store, or process, data at the OFFICIAL level of the Government Protective Marking scheme.

In addition, the Policy Note leaves it open for contracting authorities to require the Cyber Essentials standard for other contracts on a case by case basis where appropriate.

This requirement for cyber security controls by the Cabinet Office will increase protection for data handled by the Government. It should also encourage uptake of the Cyber Essentials and Cyber Essentials Plus accreditations more widely.

To view a copy of the Policy Note, please click here.

4. Retain fundamental rights: Working Party view on data retention  

On 1 August 2014, the Article 29 Working Party ("Working Party") adopted a statement in which it welcomed the findings of the Court of Justice of the European Union ("CJEU") in the case of Digital Rights Ireland, where it was held that the Data Retention Directive was invalid.

In the Digital Rights Ireland case, the CJEU held that the Data Retention Directive 2006/24/EC (the "Directive") was invalid on the grounds that it was incompatible with the Charter of Fundamental Rights. In particular, the CJEU found that by requiring the retention of communications data and by allowing the competent national authorities to access those data, the Directive interfered in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.

The Working Party has encouraged Member States to "draw the consequences" from the ruling of the CJEU and has welcomed the CJEU's findings that the Directive seriously undermines the fundamental right to privacy and fails to protect personal data. The Working Party also supports the view of the CJEU that interference in such fundamental rights should only occur if strictly necessary.

The Working Party urges Member States to check the compliance of their national legislation with the remaining EU legislation. Specifically, Member States should ensure that there is no bulk retention of personal data, but rather retention should only occur when strictly necessary, as determined by precise and objective criteria.

In the UK, the Government has already passed emergency legislation in the form of the Data Retention and Investigatory Powers Act 2014 ("DRIP Act") to ensure that communications service providers continue to retain communications data. The DRIP Act received Royal Assent in July this year and has three key elements:

  • The first component of the DRIP Act relates to Government requirements for retention of communications data.
  • The second component of the DRIP Act relates to the extra-territorial effect of the interception and communications data requirements of the Regulation of Investigatory Powers Act 2000.
  • The third component of the DRIP Act provides for a review of investigatory powers to report by 1 May 2015.

Although the reports of the Working Party are non-binding on the European Commission or Member States, it will be interesting to see whether the Commission investigates the recently adopted UK Act to ensure that it is compatible with the EU legislation on data retention, as it now stands.

For further information regarding the DRIP Act, please see our IT & Outsourcing Bulletin from September, available here.

For a copy of the Working Party's statement, please click here.