Internet of Things (IOT) and EU Data Protection


On September 16, 2014, a European advisory body on data protection and privacy gave its opinion on the privacy of the “smart things” now being made available, which monitor and communicate with our homes, cars, work environment and physical activities.

Companies and organizations developing Internet of Things (IoT) applications should go beyond current European Union compliance requirements to ensure that personal privacy is safeguarded.

Article 29 Data Protection Working Party – Opinion of the Recent Developments on the Internet of Things

Internet of Things

IOT refers to an infrastructure in which billions of sensors embedded in common, everyday devices…designed to record, process, store and transfer data and…interact with other devices or systems using networking capabilities.

Privacy and Data Protection Challenges

The team identified multiple privacy and data protection challenges with the IoT:

  • lack of control and information asymmetry;
  • quality of the user’s consent;
  • inference and repurposing of data;
  • invasive profiling and surveillance of behavior patterns;
  • limitations on using services anonymously;
  • security risks (security versus efficiency, such as lack of encryption or absence of automatic updates).

Obligations of Stakeholders

The analysis highlights key obligations for sensor manufacturers, development houses, and connectivity vendors in the IoT space:

1. Application of Article 5(3) of the e-Privacy directive

2. Legal basis for the processing of the data (Article 7 of Directive 95/46)

3. Principles relating to data quality

4. Processing of Sensitive Data (Article 8)

5. Transparency Requirements (Articles 10 and 11)

6. Security (Article 17)

7. Protect the privacy rights of users

Recommendations beyond the current EU Data Protection Directive (95/46/EC)

The analysis urges technology companies in the IoT space to go beyond the data protection directive as approved and to proactively adopt key privacy recommendations that have been on the table for future directives, including:

1. Conducting Privacy Impact Assessments

2. Using Aggregated Data when possible

3. Applying the principles of “Privacy by Design” and “Privacy by Default”

4. Empowering users to have control over their personal information


