October 21, 2021

Volume XI, Number 294

Advertisement
Advertisement

October 20, 2021

Subscribe to Latest Legal News and Analysis

October 19, 2021

Subscribe to Latest Legal News and Analysis

October 18, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

European DPA’s (Deferred Prosecution Agreements) Give Privacy Recommendations to Stakeholders Regarding the “Internet of Things”

The Article 29 Working Party, which is composed of representatives of DPA’s from every European country, has recently rendered an opinion on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it is considered personal data because it may enable the life pattern of a specific individual to be discerned. After identifying the major privacy issues raised by such devices, the Article 29 Working Party made a series of recommendations to IoT stakeholders.

According to this Opinion, the Internet of Things is a concept that currently includes three different types of devices:

  1. Wearable computing — such as watches and glasses — embedded with sensors, cameras, and microphones that can record and transfer data.

  2. Quantified self devices that a person carries to record information about his or her lifestyle, such as sleep patterns, calorie intake, or distance walked. These devices record information that may be considered health data, which EU law classifies as sensitive data.

  3. Domotics, which are connected devices placed in homes or offices that are used to remotely control items such as light bulbs, thermostats, and smoke alarms.  The data these devices record and transfer may reveal a person’s lifestyle habits and choices.

The IoT poses several data protection challenges. The Article 29 Working Party identified six majors risks related to data collected and transferred by IoT devices :

  1. Users lack control over data collection and transfer because communication between objects may be triggered automatically and without individual controls. This may result in excessive self-exposure.

  2. User consent may not be solicited before an IoT device processes data, and users are sometimes not even informed that such data processing will occur. In addition, wearable computing devices with recording cameras or microphones may record individuals without their knowledge or consent.

  3. IoT data is sometimes used for secondary purposes, and users may not have been informed that third parties may “repurpose” the data. A user may be comfortable sharing the information for its primary purpose, but not for a different secondary purpose.

  4. Sensors may make it easy to intrude on individual privacy within the home. The Article 29 Working Party draws a comparison between the IoT and the use of CCTV in public spaces.

  5. The IoT may limit possibilities for individuals to remain anonymous, as wearable devices sometimes collect and transmit a user’s exact physical location.

  6. The IoT raises security challenges and could be a potential target of hackers, resulting in personal data being stolen with widespread effects on an individual’s rights.

Users of the IoT (for example, quantified self device users) are data subjects, but  individuals that are not users of IoT devices can also be data subjects: smart glasses may collect data about individuals other than the person wearing the device. Moreover, several companies are considered joint data controllers: as examples, device manufacturers that collect and process personal data generated by the devices, social platforms where users share their data with other users, and application developers.

The Article 29 Working Party applied the cornerstone principles of data protection law to IoT devices and stakeholders, including:

  • Fairness and lawfulness of the collection and processing of data: implying that data subjects must be aware that data is being collected. This is crucial, especially in the case of “invisible” sensors such as the cameras contained in wearable computing.

  • The purpose limitation principle, which prohibits “repurposing” data collected without data subject consent for the new purpose.

  • The data minimization principle, which provides that only data strictly necessary for the purpose is collected; data should not be collected just in case it could be useful in the future.

  • Data should not be kept for a longer period than necessary.

  • Sensitive data, such as health data, requires explicit consent.

  • Security of the data must be provided for.

In addition, data subjects must be informed about data collection, have a right to access the data,  and have a right to withdraw consent and to oppose such data collection and processing.

Finally, the Article 29 Working Party made a series of recommendations, including (i) the performance of Privacy Impact Assessments (PIAs) prior to launch of new IoT applications, (ii) the aggregation of individual data as soon as possible, (iii) using privacy by design, and (iv) making the method for consent as user-friendly as possible.

© 2021 Proskauer Rose LLP. National Law Review, Volume IV, Number 317
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

As innovations in technology make it easier to track, collect and process personal information about individuals, companies of all kinds are challenged to manage the way that they use data to both comply with U.S. and non-U.S. laws and to protect such data from unauthorized access. In addition to maintaining compliance in a continuously evolving legal landscape, companies must also contend with industry standards promulgated by a wide array of diverse and sometimes overlapping industry groups. Yet, on a daily basis we hear reports of companies having suffered data...

212.969.3265
Advertisement
Advertisement
Advertisement