EU Data Protection Body Publishes Opinion On Safeguarding Privacy in Internet of Things

By Stephen Gardner

Sept. 24 — Companies and organizations developing Internet of things (IoT) applications should go beyond current European Union compliance requirements to ensure that personal privacy is safeguarded, the Article 29 Working Party of EU data protection commissioners said in an opinion made public Sept. 23.

In particular, the opinion said that: privacy impact assessments should be performed for IoT applications; there should be quick communication between device manufacturers and other involved parties in cases in which data subjects withdraw consent for the processing of their data; and IoT devices and applications should be developed according to privacy by design and security by design principles. The Article 29 Party adopted the opinion at a Sept. 16-17 meeting.

Hans Graux, founding partner of information technology firm time.lex in Brussels, told Bloomberg BNA Sept. 23 that the opinion marked a departure for the Working Party and was more “political” than previous opinions, which tended to emphasize rigorous legal compliance.

Instead, “you can read between the lines” of the IoT opinion that the Article 29 Party wanted companies involved in IoT development to consider broader societal issues when assessing new potentially intrusive products and services, Graux said.

The Working Party's opinion said that for development of IoT “beyond legal and technical compliance, what is at stake is, in fact, the consequence it may have on society at large,” and that compliance with the EU data protection framework is critical to meeting the “societal challenges” posed by IoT.

Focus on Personal, Home Devices

The Article 29 Working Party opinion defined IoT as “an infrastructure in which billions of sensors embedded in common, everyday devices … are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems.”

“The viability of many projects in the IoT still remains to be confirmed,” the opinion said, but the technology offers “significant prospects of growth for a great number of innovating and creative EU companies.”

The opinion concentrated on “wearable computing,” such as Internet-connected watches and glasses, “quantified self” devices, such as sensors that collect health data, and domotics, or home automation systems that, for example, modify heating and lighting.

For such devices and services, “users must remain in complete control of their personal data throughout the product lifecycle,” based on freely given consent, the Article 29 Party opinion said.

Privacy Impact Assessments

The main challenges in the IoT, according to the opinion, are: the lack of data subject control or data subjects being unaware of what data devices are collecting, which might render consent meaningless; the “repurposing” of data after initial processing; the collation of data from different sources to create profiles; the lack of anonymity of data subjects; and the potential for data breaches.

IoT developers should be aware of the rights of data subjects, which include rights of access to data and withdrawal of consent, the opinion said.

The opinion recommended that: privacy impact assessments be performed for all new IoT applications; the principles of privacy by design and privacy by default be applied; data subjects have the ability to exercise their rights; and information and consent policies be understandable and specific.

Graux said that many of the recommendations were based on “soft pushes” that had been incorporated in the proposed EU general data protection regulation, and which were designed to “require companies to stop and think” about privacy and to be more proactive about data protection as they develop IoT products and services.

For example, privacy impact assessments aren't in the current EU Data Protection Directive (95/46/EC) but have been proposed in the regulation, Graux said.

In March, the European Parliament approved the European Commission's proposed data protection regulation to replace the nearly 20-year-old EU Data Protection Directive. But the approval process has been bogged down during negotiations at the European Council of the 28 EU member states.

Careful Application of Principles

Alistair Maughan, a partner with Morrison & Foerster LLP in London, told Bloomberg BNA Sept. 24 that IoT “definitely has significant privacy issues.”

IoT is an “area where regulators are running to stand still,” and the “industry is running in thousands of different directions” developing new ideas involving data, Maughan said.

He added that “the excesses need to be controlled,” but data protection principles should be applied “sensitively” to avoid unnecessary or unrealistic restrictions.

“There are lots of implementations of the IoT that don't touch on personal data,” such as sensors for weather forecasting and industrial automation, Maughan said.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Katie W. Johnson at

The Article 29 Working Party's opinion 8/2014 on the Internet of things is available at