Article 29 Data Protection Working Party (A29WP) adopts a new Opinion on recent developments on the Internet of Things
From CloudWATCH's legal experts ICT Legal Consulting.
On 16 September 2014, the Article 29 Working Party adopted Opinion n.8/2014, which analyses the risk profiles and the critical issues related to data security in the ecosystem of the Internet of Things (IoT). The Opinion aims to promote the uniform application of the legal data protection framework and to raise the level of protection of data users, and it provides some recommendations addressed to the different stakeholders concerned.
But what exactly is IoT? According to the definition given by A29WP, it is an “infrastructure in which billions of sensors embedded in common, everyday devices” (watches, glasses, smoke alarms, detection sensors, ovens or washing machines controlled remotely) are capable of recording, processing, storing and transferring data, as well as of interacting with each other and with other devices.
The interaction between these instruments is a possible source of problems for privacy: for example, difficulty in managing the flow of data with the traditional tools that have been used up to now; loss of control over data; inadequate information to data users, which in some cases does not allow users to disable services or provide consent with standard mechanisms; possible use of data for purposes other than those originally intended; a decrease in the possibility of remaining anonymous; and a risk, not remote, of manipulation of lifestyle and daily habits.
Therefore it is important to identify the exact role and legal status of different stakeholders, to determine applicable laws and their responsibilities. In particular, the measure qualifies as:
- data controllers: device manufacturers, social platforms (when they process data pushed by users onto them for different purposes), and third parties who develop applications. It is a category which in turn may involve other parties; and
- data subjects: the subscribers, the users, and the individuals to whom the data that the tools can pick up refers (even individuals who are captured or recorded).
The Opinion also examines the different aspects connected with the IoT and the related data processing. Among them are the principles of fairness, necessity and consistency with the purposes of the collection, and the minimisation of the data processing.
With regard to information, the A29WP has identified the need to inform data users about the identity of the data controller, the purposes of the processing, the existence of their rights (e.g., the right to withdraw consent and to object to the processing), and how to disconnect the connected device to prevent disclosure of further data.
The Opinion also focuses on the safety measures to be implemented, noting the importance of (i) compliance with international standards, (ii) certificates, (iii) the careful choice of reliable partners, and (iv) the application of safeguards already at the stage of production of smart devices, according to the principles of “privacy by design” and “privacy by default”.