By Stephen Gardner
Sept. 24 — Companies and organizations developing Internet of things (IoT) applications should go beyond current European Union compliance requirements to ensure that personal privacy is safeguarded, the Article 29 Working Party of EU data protection commissioners said in an opinion made public Sept. 23.
In particular, the opinion said that: privacy impact assessments should be performed for IoT applications; there should be quick communication between device manufacturers and other involved parties in cases in which data subjects withdraw consent for the processing of their data; and IoT devices and applications should be developed according to privacy by design and security by design principles. The Article 29 Party adopted the opinion at a Sept. 16-17 meeting.
Hans Graux, founding partner of information technology firm time.lex in Brussels, told Bloomberg BNA Sept. 23 that the opinion marked a departure for the Working Party and was more “political” than previous opinions, which tended to emphasize rigorous legal compliance.
Instead, “you can read between the lines” of the IoT opinion that the Article 29 Party wanted companies involved in IoT development to consider broader societal issues when assessing new potentially intrusive products and services, Graux said.
The Working Party's opinion said that for development of IoT “beyond legal and technical compliance, what is at stake is, in fact, the consequence it may have on society at large,” and that compliance with the EU data protection framework is critical to meeting the “societal challenges” posed by IoT.
The Article 29 Working Party opinion defined IoT as “an infrastructure in which billions of sensors embedded in common, everyday devices … are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems.”
“The viability of many projects in the IoT still remains to be confirmed,” the opinion said, but the technology offers “significant prospects of growth for a great number of innovating and creative EU companies.”
The opinion concentrated on “wearable computing,” such as Internet-connected watches and glasses, “quantified self” devices, such as sensors that collect health data, and domotics, or home automation systems that, for example, modify heating and lighting.
For such devices and services, “users must remain in complete control of their personal data throughout the product lifecycle,” based on freely given consent, the Article 29 Party opinion said.
The main challenges in the IoT, according to the opinion, are: the lack of data subject control or data subjects being unaware of what data devices are collecting, which might render consent meaningless; the “repurposing” of data after initial processing; the collation of data from different sources to create profiles; the lack of anonymity of data subjects; and the potential for data breaches.
IoT developers should be aware of the rights of data subjects, which include rights of access to data and withdrawal of consent, the opinion said.
The opinion recommended that: privacy impact assessments be performed for all new IoT applications; the principles of privacy by design and privacy by default be applied; data subjects have the ability to exercise their rights; and information and consent policies be understandable and specific.
Graux said that many of the recommendations were based on “soft pushes” that had been incorporated in the proposed EU general data protection regulation, and which were designed to “require companies to stop and think” about privacy and to be more proactive about data protection as they develop IoT products and services.
For example, privacy impact assessments aren't in the current EU Data Protection Directive (95/46/EC) but have been proposed in the regulation, Graux said.
In March, the European Parliament approved the European Commission's proposed data protection regulation to replace the nearly 20-year-old EU Data Protection Directive. But the approval process has been bogged down during negotiations at the European Council of the 28 EU member states.
Alistair Maughan, a partner with Morrison & Foerster LLP in London, told Bloomberg BNA Sept. 24 that IoT “definitely has significant privacy issues.”
IoT is an “area where regulators are running to stand still,” and the “industry is running in thousands of different directions” developing new ideas involving data, Maughan said.
He added that “the excesses need to be controlled,” but data protection principles should be applied “sensitively” to avoid unnecessary or unrealistic restrictions.
“There are lots of implementations of the IoT that don't touch on personal data,” such as sensors for weather forecasting and industrial automation, Maughan said.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Katie W. Johnson at email@example.com
The Article 29 Working Party's opinion 8/2014 on the Internet of things is available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf.