The growth of the Internet of Things brought the attention of the European data protection regulators that through the European data protection advisory body, the Article 29 Working Party, issued an opinion on the Internet of Things providing specific recommendations.
We have already discussed about data protection issues relating to the Internet of Things, wearable technologies and remote patient monitoring systems and eHealth, but the opinion of the Article 29 Working Party goes more in detail on the issue. The opinion does not cover the entire scope of the Internet of Things, but focuses only on
- wearable technologies,
- quantified self or better eHealth technologies able to detect body conditions such as remote patient monitoring systems and
- home automation technologies or domotics.
Below is a snapshot of the addressed issues:
What data protection issues?
The Article 29 Working Party identified the following main data protection related areas of concern for the Internet of Things:
- Lack of control and information asymmetry: Internet of Things devices lead to the automatic flow of data between objects without any review by their users which, as in the case of big data and cloud computing, can lead to the processing of a very large amount of data about users without them being aware of it;
- Quality of the user’s consent: since in relation to technologies of the Internet of Things users are not often aware of the processing of their personal data, the Article 29 Working Party is of the opinion that “consent cannot be relied upon as a legal basis for the corresponding data processing under EU law“. Also, in some cases, users grant their consent without having been adequately informed about the modalities of processing of their personal data;
- Interferences derived from data and repurposing of original processing: data collected for specific purposes can then be used for completely different purposes by third parties without an additional consent from users;
- Intrusive bringing out of behaviour patterns and profiling: Internet of Things technologies can lead to the monitoring and profiling of users, of their habits and behaviours in a very detailed manner;
- Limitations on the possibility to remain anonymous: the proximity of wearable technologies to data subjects and the possibility of combining such information with information from other sources makes almost impossible to be anonymous in an IoT enviroment;
- Security risks – security vs. efficiency: as I covered in this previous post, the risks in terms of cybersecurity are massive with Internet of Things technologies that lead to a very large volume of exchanged data. At the same time the implementation of security measures might lead to inefficiencies.
Applicability of EU data protection law to data in the Internet of Things
As already mentioned in this post, the position of the Article 29 Working Party is that any equipment located in an EU country triggers the applicability of European data protection laws. The consequence of the above is that any Internet of Things device such as smartphones, wearable technologies, smart home devices, eHealth equipment sold to users located in the European Union will make the providers of such equipment subject to European data protection laws in the processing of data originating through such devices.
This scenario requires to identify the different roles and responsibilities in the processing of personal data by the entities involved in the service and the equipment provided. And indeed, it is crucial to properly identify which entity acts as data controller and which others operate as data processors. Also the Article 29 Working Party is of the opinion that device manufactures and third party application developers shall act as data controllers of personal data processed through the device, unless the data are anonymised and the same applies to companies managing IoT platforms collecting data from different devices.
In relation to the above, any data – even if originated from “things” – can be qualified as a personal data if able to reveal information about the personal life of individuals according to the Working Party.
Access to data on the device and consent required
In compliance with the principles set out by the European E-Privacy Directive the access to data that are stored on a device such as those relating to the health conditions of a user shall occur only with the prior consent from the user. Such consent shall be freely given by users while a narrow interpretation is adopted with reference to the applicability of the exemption to the need of prior consent for data processing activities necessary for the performance of the contract.
Also, users shall be always able to withdraw their consent in an accessible, visible and efficient manner with reference to (a) any data collected through the device (b) a specific type of data collected and (c) a specific data processing.
Limitations to the usage of data
Personal data collected through Internet of Things devices shall
- not be used for purposes other than the ones for which they have been collected,
- not exceed the amount of data necessary to provide the service and
- not be kept longer than necessary for the purpose for which data have been collected.
Based on the above the recommendations from the Article 29 Working Party are the following:
- A prior privacy impact assessment of Internet of Things technologies shall be performed based on the one adopted for RFIDs;
- Raw data shall deleted as soon as the data necessary for the data processing have been extracted;
- Privacy by Design and Privacy by Default principles shall be followed;
- Users shall be in control of processed data at any time;
- Methods of providing the privacy information notice, offering the right to refuse or requesting consent shall be as user friendly as possible;
- Devices shall be designed in order to inform both user and non-user data subjects of the data processing;
- Device manufacturers shall among others
- inform users of data collected and enable them to review and edit such data before they are transferred;
- notify all the other entities involved when consent is withdrawn;
- provide granular choices shall be given to users on the type of data processing as well as time and frequency of gathering of data and
- develop common protocols to avoid the issues outlined in this post;
- Application developers shall among others
- implement notices and warning to remind users of the data processing;
- develop functionalities to facilitate the access to data, their modification and deletion and
- minimise as much as possible the volume of data processed;
- Social platforms should ensure that information published by Internet of Things devices on social platforms do not become public or are indexed by search engines by default, and that default settings of social applications based on Internet of Things devices ask users to review, edit and decide on information generated by this device before publication on social platforms;
- Internet of Things device owners and additional recipients should not be economically penalised or have degraded access to the capabilities of their devices if they decide not to provide consent. Where the data subject’s data is being processed in the context of a contractual relationship with the user of a connected device (e.g. hotel, health insurance company or car rental company), the data subject should be in a position to administrate the device. Furthermore, users of Internet of Things devices should inform non-user data subjects whose data are collected of the presence of these devices and the types of data collected, and respect the data subject’s choice not to have their data collected.
The opinion is quite long and detailed and the above is a mere summary of the most relevant issues raised.