Internet of Things

Written on 3 Oct 2014

The Article 29 Data Protection Working Party has adopted Opinion 8/2014 on the Recent Developments on the Internet of Things. The Opinion represents a common position of the Member States' national data protection authorities and is expected to guide their future positions in a sector that is challenging where privacy protection is concerned.

The Internet of Things, a new concept based on the idea of digitally interconnecting everyday objects, is creating a new reality supported by the possibilities that the digital world offers. In essence, the concept covers a system of devices equipped with data-gathering technologies that enable these systems to connect to one another and to collect information from the subjects who use them.

The Internet of Things brings many advantages, among them the collection of useful information for businesses that address consumers and a more comfortable and more efficiently managed daily life for users of these technologies. However, its practical implementation raises some concerns. The Internet of Things may put individuals' privacy at risk to the extent that the user of a device loses control over the dissemination of his or her data. Sensors, cameras or microphones are added to devices such as watches or glasses with the aim of transmitting information to the manufacturer of the device. Information obtained in this manner may be used for purposes other than those that motivated its transfer, for instance to reveal users' personal habits. Even if some devices do not process sensitive data, they might reveal personal information about users through isolated or cross-referenced analysis. Additionally, data transfers are usually carried out automatically, which makes it difficult for users to control the data flows generated; sometimes data are collected without users noticing.

Likewise, questions arise as to what can be understood as validly given consent. Traditional mechanisms for obtaining users' consent are often difficult to apply to Internet of Things devices: users should be validly informed about the data processing, and currently few mechanisms are able to ensure that level of information. Moreover, in some cases the possibility for users to refuse certain services or features of a connected device is more a theoretical option than a real one.

Additionally, the Internet of Things entails a rather complex allocation of liabilities in relation to the processing of data. Its practical implementation involves the joint participation of multiple stakeholders, such as device manufacturers and application developers. Manufacturers' obligations are not limited to the physical sale of devices; they sometimes extend to the development of the device, including the parameters for data collection. In this case, manufacturers would be considered data controllers under European law.

The Opinion specifies that parties that qualify as data controllers shall comply with their obligations under Directive 95/46/EC and Directive 2002/58/EC. Thus, if third parties, in addition to the manufacturer, access sensitive information stored on a device, they shall obtain consent under Article 5(3). Consent shall also be obtained by any data controller that intends to store additional data on the device.

Moreover, according to the principle of “data minimization”, only the necessary data should be collected. The Opinion recalls that this principle implies that, when personal data is not required to provide a service, stakeholders should ensure that the service can be used anonymously.

The authorities recall that entities should ensure that users have given effective consent after receiving clear and complete information on the data collected, on how they are actually gathered and for what purpose they are processed, as well as on how users may exercise their rights of access, rectification, cancellation and opposition. Moreover, these data must be processed in a lawful and legitimate manner, and the user shall be kept informed at all times. Where consent has not been obtained, anonymisation techniques should be considered.

In relation to security, the Opinion specifies that the Internet of Things could create security risks, so data transfers shall be based on secure systems designed to avoid potential risks. It also states that a Privacy Impact Assessment should be performed before any new application is launched in the Internet of Things, and that stakeholders should erase data that are not needed. Finally, it recommends that devices and applications be designed with mechanisms to inform subjects, both users and non-users, through the device's physical interface or by producing a signal on a wireless channel.

In this Opinion the European Union lays down guidelines that can be followed by companies engaged in the production of smart devices. The Opinion specifies that undertakings' interest in the protection of individuals' personal data and in security is a competitive differentiator that users will take into account. Attention to stakeholders' subsequent positioning is highly advisable.