Smart buildings: what are the key European data privacy and cyber security issues?
Published on 13th Jun 2016
The data collected, shared and derived from smart buildings, as well as the manner in which infrastructure itself is linked, are becoming increasingly important to the success of smart buildings and smart cities and are also a source of potential revenue. However, these developments raise potential issues relating to data privacy and cyber security, which need to be addressed and resolved if smart buildings are to evolve to their full potential. In addition, the laws in Europe covering personal data and security are set to change significantly over the next couple of years as a result of the new European General Data Protection Regulation. One of the key changes is the territorial scope of European data protection laws, which will mean that even organizations outside of the EU will have to comply if they offer goods or services to individuals in the EU or monitor their behavior in the EU.
Whilst in this note we flag some of the key issues relating to existing European data protection and privacy laws and how these apply to smart buildings and what is on the horizon, there are also consumer, marketing and employment laws that play an important role in relation to smart building technologies that can be purchased by individuals and those used in the workplace.
Key European data protection and privacy issues
In a smart buildings and smart cities context, the European Data Protection Directive (“DP Directive”) gives rise to challenges, which an overhaul in European data protection laws in the form of the European General Data Protection Regulation (“GDPR”) from 2018 will seek to address. The new Network and Information Security Directive (also known as the “Cyber Security Directive”) will also be relevant to those operating key infrastructure, such as buildings and networks. For now, companies operating in this arena have to fit within a patchwork of laws across Europe which can be difficult to apply. In addition, future-proofing their technologies and activities now to ensure compliance with the new GDPR is neither an easy nor a clear task.
We have summarized below some high-level guidance on the key topics which will help you to understand the existing issues and get a head start on compliance with the new GDPR.
- Who is responsible for compliance and how to manage subcontractors/suppliers?
Any organization which decides what personal data is collected and the purposes for which it is used in the context of an establishment in the EU, or using equipment in the EU, will be a data controller and therefore have to comply with the local laws implementing the DP Directive. An organization which is processing personal data on behalf of a data controller, such as a subcontractor, is a data processor and currently has no direct obligations to comply with the DP Directive.
However, one of the key difficulties with the application of this key concept in a smart building context is identifying and then allocating responsibility to the multiple stakeholders involved in the creation, development, operation, maintenance and use of smart buildings technology. All of these stakeholders could potentially be collecting and using personal data either as a data controller or data processor or both. The key task is to identify the roles and interfaces of those entities so that obligations and liability can be assigned appropriately. The risk of not allocating responsibility properly is that key compliance measures could be incomplete or missed, leading to breaches and potentially regulatory action. Once the roles have been identified, the obligations need to be captured clearly in the contracts put in place between the various parties.
Another challenge is that organizations starting off as merely data processors can easily drift into data controller territory if they start to collect and use the data for their own purposes or combine it with information obtained from elsewhere, an opportunity that can be difficult to ignore.
- How to get consent and be transparent?
In a smart buildings context where there are multiple stakeholders, there are practical challenges with making sure that individuals are told about how their data is used and also give meaningful consent if required. It will also be more difficult to be upfront about data usage as smart buildings evolve and the uses of data become more complex and potentially unknown. In particular, where information is shared in different and evolving ways and there are secondary uses of data, this could lead to more detailed and potentially intrusive profile creation and the risk of re-identification of anonymized data.
In addition to it being difficult to be completely transparent in privacy notices and statements, there are practical constraints which introduce significant hurdles in the effective delivery of notices, such as a long chain of data controllers, no or limited screen/space and timing issues, which all restrict delivery of adequate disclosures about data collection and use.
- Keeping data to a minimum?
In the context of smart buildings where large volumes of data are being collected, controllers must remember that they should only be collecting the personal data that they need and not what they might need or wish to have in the future. In any area of developing technology, there is always a temptation to collect as much information as possible and there can be a disconnect between those developing the technology who may be thinking about what data could be collected on the basis that it could be potentially useful or interesting, instead of considering what should be collected from a legal perspective. The drawback of collecting a large volume of information is that in addition to having to ensure that it is all processed in a compliant way, there are also potentially higher costs to maintain and keep the data secure.
A connected environment involving large numbers of data points inevitably results in security risks and vulnerabilities. Many of the most infamous recent security breaches have been caused by poor security in infrastructure hardware, such as air-conditioning units, connected to the internet which allows hackers access to an organization’s network and systems. It is also a key requirement of both the DP Directive and GDPR to keep data secure and the implications of a security breach are potentially severe, both in terms of financial and reputational damage.
Looking at security not just from a technical perspective, such as using encryption measures, but also an organizational one, is important because everyone involved in handling personal data needs to be aware of best practices and issues and also act quickly in the event of a security breach. Likewise, having protocols in place to effectively manage security breaches is important so that any issues can be identified and resolved quickly and the impact can be minimized.
The future of smart buildings and data protection laws
As mentioned above, there are some significant changes on the horizon as a result of the GDPR and Cyber Security Directive. In addition to a broadening of the territorial scope of European data protection laws, the GDPR will also introduce other key changes covering extra accountability and record keeping requirements, mandatory security breach notification requirements, the appointment of a Data Protection Officer, and new data subject rights including the ‘right to be forgotten’. In a smart buildings context, the new concept of ‘privacy by design’ and the obligation to carry out privacy impact assessments will require organizations to consider how they will ensure compliance at the outset and throughout the implementation of any new product, service or technology. Finally, the eye-watering amount of potential fines, which could be up to 4% of worldwide group company revenue or €20,000,000, means that any organization using personal data will need to think carefully about how they comply with the GDPR and take measures now to prepare for its implementation in May 2018.