Opinion 8/2014 on the Recent Developments on the Internet of Things
Art. 29 Data Protection Working Party, Opinion 8/2014 on the Recent Developments on the Internet of Things, 16.09.2014
|Abstract|| The Internet of Things (IoT) is on the threshold of integration into the lives of European citizens. The viability of many projects in the IoT still remains to be confirmed but “smart things” are being made
available which monitor and communicate with our homes, cars, work environment and physical activities. Already today, connected devices successfully meet the needs of EU citizens on the large- scale markets of quantified self and domotics. The IoT thus hold significant prospects of growth for a great number of innovating and creative EU companies, whether big or small, which operate on these markets. The WP29 is keen that such expectations are met, in the interests of both citizens and industry in the EU. Yet, these expected benefits must also respect the many privacy and security challenges which can be associated with the IoT. Many questions arise around the vulnerability of these devices, often deployed outside a traditional IT structure and lacking sufficient security built into them. Data losses, infection by malware, but also unauthorized access to personal data, intrusive use of wearable devices, or unlawful surveillance are as many risks that stakeholders in the IoT must address to attract prospective end-users of their products or services. Beyond legal and technical compliance, what is at stake is, in fact, the consequence it may have on society at large. Organisations which place privacy and data protection at the forefront of product development will be well placed to ensure that their goods and services respect the principles of privacy by design and are equipped with the privacy friendly defaults expected by EU citizens. For now, this analysis has only been stated in very general terms by a number of regulators and stakeholders, in the EU and elsewhere. The WP29 has decided to take the issue further by adopting this opinion. In this way, it intends to contribute to the uniform application of the legal data protection framework in the IoT as well as to the development of a high level of protection with regard to the protection of personal data in the EU. Compliance with this framework is key to meeting the legal, technical but also, since it relies on the qualification of data protection as a fundamental human right, the societal challenges described above. Thus, this opinion identifies the main data protection risks that lie within the ecosystem of the IoT before providing guidance on how the EU legal framework should be applied in this context. The Working Party supports the incorporation of the highest possible guarantees for individual users at the heart of the projects by relevant stakeholders. In particular, users must remain in complete control of their personal data throughout the product lifecycle, and when organisations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific. To help them meet this end, the Working Party designed a comprehensive set of practical recommendations addressed to the different stakeholders concerned (device manufacturers, application developers, social platforms, further data recipients, data platforms and standardisation bodies) to help them implement privacy and data protection in their products and services. Indeed, empowering individuals by keeping them informed, free and safe is the key to support trust and innovation, hence to success on these markets. The Working Party firmly believes that stakeholders meeting such expectations will hold an exceptionally strong competitive advantage over other players whose business models rely on keeping their customers unaware of the extent to which their data is processed and shared and on locking them into their ecosystems. Considering the major data protection challenges raised by the IoT, the WP29 will keep monitoring its developments. To this end, it remains open to cooperation with other national or international regulators and lawmakers on these issues. It also remains open to discussion with representatives of 3the civil society as well as of the relevant industry in particular where those stakeholders are operating as a data controller or data processor within the EU.
|Topics||Competition, Data Protection, Security, Information Security, Technology, Interoperability|
Three major actual trends in the IoT: domotics, quantified self, wearable computing.
Use of IoT in combination with cloud computing and big data (predictive analytics).
IoT’s privacy and security challenges:
- Lack of control on the flow of information about us and on its subsequent control (more challenging if we think that this lack characterizes also big data and cloud computing);
- Low quality (because of the lack of adequate information provided to the data subject about data processing) or absence of data subject’s consent (data processing requires her consent, which is valid only if it is preceded by information about the processing itself);
- Repurposing of the gathered data (for the data processing to be lawful, it must aim at purposes known by the data subject, and to which the data subject has expressed her consent);
- The combination and/or the analytics of raw data may reveal in detail data subjects’ behaviors, habits and preferences; this surveillance may drive people to behave differently in order to conceal their real habits and preferences, particularly when non-usual;
- It becomes difficult to use services in an anonymous way and to remain unnoticed;
- Risks for information security, caused by the need to save energy and grant battery efficiency; moreover, security non only has to be granted in relation to smart devices, but also to the networks the devices are linked to, and to the platforms that store data.
Then EU privacy legal framework (Directives 95/46/EC, 2002/58/EC, 2009/136/EC) applies to IoT when article 4 of Directive 95/46/EC is satisfied: the data processing must be carried in the context of an activity of an establishment (interpreted by the EUCJ in a broad way) of the controller (the person who establishes the means and purposes of data processing) situated in the EU, or the equipment (all objects used to collect and process data constitute equipment, e.g. devices themselves and individuals’ terminal devices) the controller uses for the purposes of processing data must be situated in the EU.
We have personal data when we have “any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (art. 2 Directive 95/46/EC). See WP29’s Opinion 4/2007 about the notion of personal data (subjective or objective information about living individuals, not necessarily true or verified, in any form, about sensitive or non-sensitive data; the Opinion hosts also definition of and considerations about biometric data; information relates to an individual because of its content, purpose or result; if an information directly relates to an individual, the privacy legal framework always applies; if, on the contrary, information relates directly to events, objects or processes, and only directly to individuals, the applicability of the privacy legislation depends on the circumstances; the individual must be identified or identifiable through that information, directly or indirectly; we have to consider if the person is identifiable through “means likely reasonable to be used”; it is important the purpose of the data controller: if the purpose is not to identify, great importance will belong to identity protection technical measures; in some cases, protection occurs also when information is related to legal persons, unborn children or dead persons; moreover, Member States can extend protection beyond the boundaries of the EU Directive). Also data that will be processed only after anonymisation (disguising identities in a non-reversible way) or pseudonimysation (disguising identities in a reversible way: here, privacy legislation applies, but in a more flexible way) may be considered personal data, because the large amount of data gathered may lead to re-identification (SEE also IoT Expert Group, Final Meeting Report, p. 9).
There are a lot of stakeholders involved in the implementation of the IoT:
- Device manufacturers (who can also establish and install the operating system and software of the devices; they can also collect and process data gathered by the devices data controllers);
- Social platforms (users can program their devices in order to automatically publish their data on social platforms, and sometimes this option is even a default setting; social platform thus have the opportunity of processing these data for the purposes and through the means they choose data controllers);
- App developers (users can install applications in order to access their data, and installing these applications often means providing the app developer with an access to the data; if these data are not anonymized, such access constitutes a data processing data controllers; moreover, the authorizations required during the installation are often too vague to give rise to an user’s informed and specified consent);
- Other third parties (they may collect and process data for specific purposes established by themselves data controllers);
- IoT data platforms (created by device manufacturers in order to gather and organize the data collected through the devices, especially when the formats, standards and interfaces applied are not interoperable: indeed, in these cases we have an Intranet of Things, characterized by the impossibility of transferring data from a device to another; we therefore use smartphones and tablets as gateways to the Internet, and platforms are useful in order to organize the data; these platforms may collect these data for purposes established by themselves data controllers);
- Subscribers, users and non-users ( data subjects, unless the Household Exemption of Recital 12 of the Directive 95/46/EC applies: protection principles don’t apply to data processing carried out by a natural person for personal or domestic purposes).
Data controllers have to respect, inter alia, these provisions:
- Art. 5(3) ePrivacy Directive (Directive 2002/58/EC): store of data and/or access to data stored on a IoT device require user’s consent, unless it’s an activity necessary in order to provide a service explicitly required by the user;
- Art. 7 Directive 95/46/EC: personal data processing requires consent, or necessity, or legitimate interest of the data controller (but this legitimate interest legitimates processing only if it isn’t overridden by data subjects’ fundamental rights and freedoms);
- Art. 6 Directive 95/46/EC: data controllers have to respect the principles set out in this provision: fair and lawful collection and processing (data subject’s awareness of the collection and processing; it is a challenge in the IoT world, because IoT technologies tend to be non-obtrusive); purpose limitation principle (collection and processing only for specified, explicit and legitimate purposes); data minimization principles (collection of the sole data that are necessary to the purpose); accuracy principle; data keeping for no longer than is necessary to the purpose.
- Art. 8 Directive 95/46/EC: sensitive data processing requires consent, or that the data have been made public by the data subject;
- Art. 10 and 11 Directive 95/46/EC: controller have to inform data subjects of the identity of the controller and of the data recipients, of the purposes, of the rights of access and of the tight to oppose (including information about how disconnect the device in order to avoid disclosure of further data);
- Art. 17 Directive 95/46/EC: security principle: data controllers have to apply appropriate organizational and technical measures in order to prevent accidental or unlawful alteration, loss, destruction, unauthorized disclosure or unlawful processing; otherwise, they will be responsible for data breach (the IoT world produces particular security challenges, because of the wireless communications infrastructure usually applied, the limited resources in terms of energy and computing power, moreover, IoT involves a complex supply chain, and security breaches can come from any of the stakeholders involved; for these reasons, it’s even more important to comply with the data minimization principle, to realize a privacy-by-design and to provide alternative solutions against unfixed security flaws when the device manufacturer doesn’t support anymore the device with updates):
- The data subject has also the right to revoke any prior consent given, and to oppose to processing of data relating to him.
User empowerment is essential in the context of IoT.