The Internet of Things – do the privacy risks outweigh the advantages?
On 16 September 2014, the Article 29 Data Protection Working Party ("WP29") adopted Opinion 8/2014 on Recent Developments on the Internet of Things (the "IoT") (the "Opinion").
The IoT describes the extension of the internet to commonplace devices and objects, enabling them to communicate over digital connections and using data-gathering technologies to transmit, collect and evaluate data from the individuals using them. It refers to an infrastructure in which multiple sensors incorporated into everyday "things", or things connected to other people or objects, record, process, transfer and store information and interact with other devices or systems using networking capabilities. This often involves large amounts of data processing, including personal data of identifiable individuals (both device users and third parties).
Personal data processing in the IoT often involves multiple stakeholders, e.g. device manufacturers (which may also act as data platforms), application developers, device lenders/renters, social platforms, data brokers and aggregators, and standardisation bodies. Once data is remotely stored it may be shared with further third parties (sometimes without the relevant data subjects’ knowledge); in these cases onward transmission of personal data is imposed on users, who cannot stop it without disabling most of their devices’ functionality.
Smart devices bring many benefits. However, the IoT also raises a number of data protection and security issues which need to be addressed by relevant stakeholders. The Opinion is likely to be of interest to all stakeholders involved in the IoT.
Scope of the opinion
The Opinion focuses on three specific (non-exclusive) IoT developments, which involve most major privacy issues raised by the IoT as it currently stands:
- Wearable Computing - This refers to everyday objects and clothes, e.g. watches and glasses in which technology (e.g. sensors) is incorporated to extend their functionalities, which record and transfer data to device manufacturers.
- Quantified Self - This refers to technologies intended to be carried frequently by individuals which record data about their own lifestyles and habits, e.g. activity counters (this data is often health related and potentially sensitive).
- Domotics - This refers to IoT devices installed in homes or offices and includes home automation systems, such as washing machines that can be controlled remotely over the internet. Such devices can often detect and record when a user is at home and their movements and can also often initiate specific actions.
Data protection challenges
The Opinion highlights the main privacy issues raised by the IoT:
Lack of control and information asymmetry
The IoT can lead to users losing all control over the distribution of their personal data, especially where they are subject to third party monitoring, depending on how transparent the data collection and processing is. Interaction between objects, individuals’ devices, individuals and back-end systems leads to data flows that are difficult to control using the traditional means of protecting data subjects’ rights. In some cases, data subjects are unaware that their personal data is being collected and processed at all.
Quality of the user's consent
Under EU law, data subjects must be informed that their data is being processed. If users are unaware of data processing being carried out by specific objects, then whether valid consent can be obtained is questionable, and such consent cannot be relied on to justify the data processing.
Wearable devices (e.g. smart watches) may record and transfer data without data subjects being aware of this and without consent being obtained. Consent that is not freely given, and low-quality consent generally, can also cause issues.
Inferences derived from data and repurposing of original processing
The increase in the volume of data generated by the IoT can result in data collected for specific purposes also being used for entirely different purposes. Certain apparently insignificant data collected by devices can be used to infer other information about individuals with a completely different meaning. The Opinion stresses that stakeholders should ensure "… that the data is used for purposes that are all compatible with the original purpose of the processing and that these purposes are known to the user."
Intrusive bringing out of behaviour patterns and profiling
Although different objects will separately gather isolated pieces of data, further analysis of sufficient amounts of data can lead to profiling of users and identify specific aspects of individuals’ behaviours and preferences. In this way, the IoT could reach into extremely private aspects of individuals’ lives without consent.
Limitations on anonymity when using services
The Opinion observes that full development of IoT capabilities may mean anonymous use of services eventually becomes impossible, raising significant data protection concerns.
Security risks: security v efficiency
The IoT leads to increased cyber security risks and increased volumes of data being exchanged. For example, insecure connected devices open up new avenues of attack, such as easy surveillance and data breaches.
Legal basis for processing
The Opinion considers the various applicable legislation and the obligations of IoT stakeholders under it. It looks at the legal basis for processing in the context of the IoT, stressing that stakeholders acting as data controllers need to satisfy one of three potential legal bases for the processing of personal data to be legitimate: the data subject’s consent; the processing being necessary for the performance of a contract to which the data subject is party; or the processing being necessary for the purposes of the legitimate interests pursued by the data controller, or by the third party or parties to whom the data are disclosed.
The Opinion also looks at certain principles relating to data quality in the context of the IoT. For example, the principle that personal data should be collected and processed fairly and lawfully means that personal data should not be collected without the individual’s knowledge. This is particularly important for the IoT, as devices are unobtrusive and collection may go unnoticed.
The purpose limitation principle means that data can only be collected for specified, explicit and legitimate purposes and any further processing incompatible with the original purposes would infringe EU law. This means that the purposes of processing must be defined before such processing takes place. Further, all relevant IoT stakeholders should note that personal data should be kept for no longer than necessary for the purposes for which the data was collected or further processed.
If sensitive personal data is involved, for example through Quantified Self devices (which often register data regarding individuals’ well-being and may provide health-related information), the Opinion suggests that IoT data controllers should obtain the data subjects’ explicit consent before such processing, unless the data subject has made the relevant data public himself.
The Opinion stresses that IoT data controllers remain responsible for the security of data processing. It suggests that security assessments of whole systems should be carried out, that certification for devices should be obtained, and that devices should be aligned with international security standards to improve the IoT ecosystem’s overall security. Data controllers should also ensure that any relevant subcontractors adhere to high security standards.
Security measures should be implemented taking account of the specific operational constraints of IoT devices. IoT devices attract increased data security risks for a number of reasons: for example, multiple stakeholders with differing roles mean that security breaches may originate from any of them, and the absence of automatic updates leads to many unpatched vulnerabilities that are easily discoverable.
The Opinion recommends, among other things, the use of secure and lightweight protocols in low-resource environments, minimisation of personal data processing and storage on devices, and security practices based on network restrictions and disabling non-critical functionalities by default.
Data subjects’ rights
Data subjects’ rights are also discussed. IoT users tend to be locked into specific systems, potentially preventing free choice as to which service interacts with their devices. Also, end-users often do not have access to the raw data registered by IoT devices, which would be useful in understanding what device manufacturers can deduce about them from it and would also allow end-users to switch services. Currently, end-users’ only real option is to stop using their devices, which may prevent the effective exercise of data subjects’ access rights.
The Opinion stresses that data subjects must be able to withdraw any prior consent to specific processing and to object to processing of their personal data without any technical or organisational constraints and through accessible, visible and efficient tools to register withdrawal. Users should also be given an option to disable the ‘connected’ feature of a device and for the device to still work.
WP29 makes various recommendations to all stakeholders, for example performing Privacy Impact Assessments (PIAs) before the launch of new IoT applications, and deleting raw data collected on IoT devices once the data required for processing has been extracted, if the raw data is not otherwise needed by stakeholders.
Various specific recommendations are also made to particular groups of stakeholders. Device manufacturers are encouraged, for example, to inform users about the types of data collected by sensors and further processed, the types of data received and the method by which they will be processed and combined, while application developers are recommended, among other things, to ensure that applications enable the exercise of data subjects’ rights of access, modification and deletion of personal data collected by devices.
Social platforms are encouraged to ensure that the default settings of social applications based on IoT devices require users to review and decide on information generated by their device prior to publication on social platforms. IoT device owners and additional recipients are recommended to ensure that freely given, informed consent is obtained for the use of connected devices and the resulting data processing, with no degraded access to device capabilities or economic penalty for users who decide not to use the device or specific services.
Data platforms and standardisation bodies are encouraged, for example, to promote data formats containing the minimum number of strong identifiers to enable effective anonymisation of data.
The Opinion notes that empowering individuals by keeping them informed, free and safe is essential for trust and innovation and for success in the IoT and smart device markets. Stakeholders that meet the privacy-friendly expectations of EU citizens are likely to have a strong competitive advantage over those that do not. It will be interesting to watch the development of the IoT and to see how the privacy and data protection challenges it raises are tackled in practice.