29/09/14

Internet of Things: European privacy recommendations

Call it a coincidence or not: exactly one week after the Apple Watch was officially introduced by Apple CEO Tim Cook on 9 September 2014, the European data protection advisory body - Article 29 Data Protection Working Party (‘Working Party 29’) - adopted its Opinion 8/2014 on the Recent Developments on the Internet of Things.

While the Working Party 29 acknowledges the potential of these ‘smart’ devices monitoring and communicating (in) our daily lives, it stresses that the privacy and security challenges they generate should not be overlooked. The key to supporting trust and innovation - and to being successful on the market of the Internet of Things - is to keep the individuals concerned informed, free and safe.


The analysis and recommendations made by the Working Party 29 in its Opinion are focused on three specific Internet of Things developments, selected due to their direct interface with the user, and the fact that they correspond to devices and services that are currently being used in practice, notably:

  1. Wearable computing - everyday objects and clothes such as watches and glasses, in which sensors are included to extend their functionalities. The most well-known examples of wearable computing are Google Glass, and the Apple Watch; 
  2. Quantified Self - devices designed to be regularly carried by individuals who want to record information about their own habits and lifestyle. Examples include sleep trackers and activity counters monitoring a person's physical activities and the effects this has on the person's health; 
  3. Home automation (‘domotics') - the Internet of Things can also be placed in offices or homes through ‘connected' light bulbs, smoke alarms or ovens that can be controlled remotely over the internet.

The privacy and data protection challenges identified by the Working Party 29 with respect to these three specific Internet of Things developments relate inter alia to the lack of control and information asymmetry for the user due to third-party monitoring, the user's consent not being obtained in each case where this is required, the use of the data for different purposes than those communicated to the data subject, profiling and security risks.

To mitigate these risks, and apart from the general data protection obligations imposed by the EU e-Privacy Directive and EU Data Protection Directive that must be complied with, the Working Party 29 sets out in its Opinion a set of specific and practical recommendations tailored to the different industry players to ensure that their developments safeguard the data subject's privacy:

All stakeholders should perform a privacy impact assessment before launching new applications in the Internet of Things, must delete raw data as soon as the data required for the data processing has been extracted, apply the privacy by design and by default principles, respect the user's principle of self-determination of data and adequately inform and obtain consent from the users in a user-friendly manner;

OS and device manufacturers must inform users of the details of the processing of their data, should be able to efficiently communicate to all other stakeholders involved as soon as a data subject withdraws his consent or objects to the data processing, should store the personal data in a format allowing data portability and enabling the user to exercise his right of access, follow a security by design process and provide tools to notify users and update devices in case security vulnerabilities are discovered, transform raw data into aggregated data directly on the device to limit the amount of data leaving devices, etc.;

Application developers should design notices or warnings to frequently remind users that sensors are collecting data, provide tools to allow data subjects to exercise their rights and export both raw and/or aggregated data in a standard and usable format, apply the data minimisation principle and pay attention to the types of data being processed and to the possibility of inferring sensitive personal data from them;

Social platforms should ensure that information published by Internet of Things devices on social platforms does not become public or get indexed by search engines by default, and that default settings of social applications based on Internet of Things devices ask users to review, edit and decide on information generated by the device before publication on social platforms;

Internet of Things device owners and additional recipients should not be economically penalised or have degraded access to the capabilities of their devices if they decide not to provide consent. Where the data subject's data is being processed in the context of a contractual relationship with the user of a connected device (e.g. hotel, health insurance company or car rental company), the data subject should be in a position to administer the device. Furthermore, users of Internet of Things devices should inform non-user data subjects whose data are collected of the presence of these devices and the types of data collected, and respect the data subject's choice not to have their data collected.

Standardisation bodies and data platforms should promote portable and interoperable as well as clear and self-explanatory data formats containing as few strong identifiers as possible, and focus on formats for aggregated data apart from formats for raw data. Standardisation bodies should work on certified standards setting the baseline for security and privacy safeguards for data subjects, and develop lightweight encryption and communication protocols adapted to the specificities of the Internet of Things, all while guaranteeing confidentiality, integrity, authentication and access control.

With the Internet of Things domain quickly evolving, the Working Party 29 indicated that it is receptive to cooperating with national and international regulators on this topic, as well as to entering into a dialogue with representatives of the relevant industry, especially those stakeholders subject to EU data protection law.

The WP opinion can be consulted here: (2014) wp223_en
