Until recently, the Internet of Things (IoT) industry has been left to grapple with the challenge of complying data protection laws and specifically EU data protection laws which are often considered the most thorny. These challenges arise from a disconnect between existing data protection law and the IoT sector, as – for example – the ‘data minimisation’ principle and transparency / consent requirements currently enshrined in law don’t sit comfortably with IoT technology and use of data within the IoT data supply chain. As the industry is growing at such a rapid rate, however, the IoT sector is finally coming to the attention of regulators from the UK, the EU and most recently globally.
The Mauritius Declaration
At the 26th International Privacy Conference in October this year, global data protection and privacy commissioners from various national authorities discussed the fast developing area of the IoT and the increasing amount of data that devices and platforms in this industry capture. The regulators came together to issue the Mauritius Declaration on the IoT providing a collective approach on how to treat data collected from the IoT.
The Declaration states that data amassed from the IoT should be regarded and treated as personal data. This is due to its nature; often large in volume, high quality and the inferences which can be drawn from it which are extensive and sensitive. It also considers that as well as devices themselves generating value, the data gathered and the wider services associated with the IoT are also of high commercial value. In ensuring data protection compliance, transparency will be essential, requiring device and service providers to clearly set out details of the data collected; its use and the length of time it is retained for. In addition, these factors must be built in from the conception of devices and services with privacy by design should be seen as a central selling point.
In addition, security in the IoT must also now be considered in the light of enhanced data privacy compliance. The Declaration suggests that to minimise risk to personal data, where possible, data should be processed locally on the device itself and if this is not possible, end-to-end encryption should be implemented.
The Declaration is not binding and has come under some criticism for being over simplistic. However, it seems to be broadly in line with the EU advisory body opinion published earlier this year and notes that the debate must continue and engagement in this area is fundamental to ensure that stakeholders actively help to raise awareness and ensure that the appropriate course of action is reflected in future legal developments.
The Article 29 Working Party Guidance
In autumn if this year, the EU advisory body, the Article 29 Data Protection Working Party (29WP), released an Opinion on privacy issues in the IoT sector. In particular, this focused on: (a) wearable technology; (b) quantified self; and (c) home automation (‘domotics’):
The Opinion discussed the data protection risks that lie within the IoT sector, such as users’ lack of control over their data and the quality of their consent, intrusive profiling and behavioural analysis which may go beyond the original purpose for processing, security risks and the issue of data minimisation/big data, in particular the limitation of the remaining anonymous.
Helpfully the Opinion set out some practical recommendations for the key stakeholders such as device manufacturers, application developers, social platforms and standardisation bodies. These are to help compliance with existing data protection law and address wider compliance issues in the IoT industry including:
– Privacy Impact Assessments to be implemented before any new applications are launched into the IoT.
– IoT stakeholders should consider if only aggregated data is needed or the raw data collected by IoT devices is needed too. Once businesses have extricated the data they need for their processing, raw data should deleted, and as a rule of thumb, data should be deleted at the nearest point of collection i.e. on the same device that processing occurs.
– Privacy by Design and Privacy by Default should be applied as standard by all parties in the IoT.
– Data subjects and users must be ‘in control’ of their data so that they are able to exercise their rights at any time according to the principle of self-determination of data.
– Users and non-users should be informed by devices and application where data is being captured either by the physical design of the device or by emitting a signal on a wireless channel for example. Devices and applications should be designed to incorporate this.
The aim of the guidance is to help these stakeholders comply with existing data protection law and address wider compliance issues in the IoT industry and further specific guidelines are set out for OS and device manufacturers, application developments, social platforms, IoT device owners and additional recipients.
Notably, the Opinion also emphasises the importance of standardisation within the industry, and recommends that standardisation bodies and data platforms need to take an active role in:
1. Promoting data portability and interoperability
2. Focusing on the emergence of formats for aggregated data
3. Facilitating the proper anonymisation of data
4. Working on security standards
5. Developing lightweight encryption protocols that are specifically adapted to IoT
While the Opinion gives some practical recommendations for stakeholders to use, including performing privacy impact assessments, the big question is whether these recommendations are workable.
The Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) also recently posted a blog which provided an overview of the IoT and set out, at a high level, the data protection and privacy challenges for those businesses collecting personal data from the devices. Whilst it did not provide much practical guidance, it did highlight that the ICO is taking an interest in the IoT, highlighting the value of connected devices in the IoT often giving users time and cost efficient options.
Using the example of data collected in relation to the home for smart metering, the blog emphasises that such data could link back to the individual. Therefore, it should be treated as personal data which emphasises the need to secure your personal network where multiple devices are often using the same router to connect. Recent research by consumer group Which? on the use of Smart TVs, is also used to evidence the degree to which smart devices are being utilised already. These Smart TVs allow for future additional services to be personalised to the user based on information received by the TV and the manufacturer, including targeted advertising (which all but one manufacturer in the research used).
The ICO’s role as advisers to companies regarding compliance with the Data Protection Act in the IoT, is set out in the blog as being as equally important as ensuring that that the users of the IoT fully understand how the technology works and how this will impact them. The blog stresses that it is not just the manufacturers who can help provide this transparent environment, but also through all participants in the IoT engaging and raising questions about what is being provided and how.
The road ahead
It is likely that the regulatory landscape for the IoT will develop – indeed, the Working Party and The Mauritius Declaration stated its commitment to continue to monitor the developments of the IoT and to cooperate with other national and international regulators and lawmakers on these important data protection issues.
Whilst ‘risk’ and ‘principle’ based recommendations are perhaps more suitable for technology based advancement, it remains to be seen whether privacy law can match the pace of technology pervading into our everyday lives. In the meantime, where the dividing line between protection of privacy and encouraging innovation will be drawn remains to be seen.