What are the most relevant legal implications of the use of IoT devices, in particular in terms of personal data? What aspects must be taken into account when developing IoT solutions?

This magazine has already described the Internet of Things in the “Word of the Day” column, and in the last issue we had an article dedicated to the protection of IoT devices.
The interest in the topic is easily justified: a recent study by Aruba Networks, “The Internet of Things: Today and Tomorrow”, highlighted that the economic benefits businesses obtain from adopting IoT devices appear to exceed expectations, so a boom in the trend can be forecast for the near future, in particular in sectors such as industry, healthcare, retail, “wearable computing” (i.e. wearable devices such as glasses, clothing, watches, etc. connected to the Network), Public Administration, home automation and wherever companies create a “smart workplace”.
Given the wide range of sectors involved and the general interest in the topic, the use of IoT devices raises a great many complications and implications, particularly as far as legal aspects are concerned.

What are the main legal problems related to the use of IoT devices?

First of all, there is the matter of protection from IT attacks, which requires precautionary security measures to protect devices from malware and intrusions.
Privacy protection is closely related to that: in order to work properly, devices collect a considerable amount of personal data, sometimes of a sensitive nature.
As the Italian privacy authority, the “Garante della Privacy”, stated when presenting the Privacy Sweep 2016 report (an international study which focuses on a different topic each year; last year it was about privacy in the IoT world): “The Internet of Things is full of promises, which span from better health care to improved energy efficiency in our houses. But these goals must be reached in a transparent manner, by informing people about the use of their own personal data, by protecting such data from violations and improper uses with adequate security measures and by respecting people’s freedom. It is of the utmost importance to adopt an international approach to the IoT question: a company that does not behave correctly towards users might violate, regardless of where it is located, data protection rules and undermine trust in the new intelligent objects that communicate and interact with each other.”

And what were the results of the Privacy Sweep 2016?

Out of more than 300 IoT devices examined (wearables including watches, meters and thermostats), more than 60% failed the assessment carried out by the Privacy Authorities of 16 countries.
The main open questions range from which information is provided to users, to how personal data are collected, used and communicated to third parties, how data can be deleted from a device, and how to contact the provider to ask for more detailed information about one’s own privacy.
The lack of specific legislation dedicated to the topic, which remains one of the biggest problems of the sector, both for companies developing products and for the protection of users, has been partially remedied by the adoption of the General Data Protection Regulation, Regulation (EU) 2016/679, which we discussed in the previous issue in connection with the responsibilities of providers following a data breach.

In addition to the obligations related to a data breach, which other aspects of the European Regulation should an operator in the IoT field be interested in?

First, in general, the GDPR sets out (Art. 5) the main principles applying to personal data, which shall be: “processed lawfully, fairly and in a transparent manner in relation to the data subject [...]; collected for specified, explicit and legitimate purposes [...]; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed [...]; processed in a manner that ensures appropriate security [...]”.
Then the concept of ‘privacy by design’ is introduced (Art. 25, “data protection by design and by default”): the protection of personal data has to be built into the product from the design phase, and by default only the personal data necessary for each specific purpose should be processed. For an IoT device this means deciding what data the object collects, how long it keeps them and which default settings it ships with before it is built, not after.
Furthermore, a Data Protection Impact Assessment (Art. 35, also known as a Privacy Impact Assessment) is introduced, i.e. “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. [...] The assessment shall contain at least a systematic description of the envisaged processing operations and the purposes of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data [...].” IoT products that collect data about users continuously, and on a large scale, are a typical case in which such an assessment is needed.
Lastly, let us briefly mention a figure introduced in Art. 37, the Data Protection Officer (DPO), whose designation is mandatory in the cases listed there (for instance, where the core activities of the controller or processor consist of regular and systematic monitoring of data subjects on a large scale) and whose tasks (Art. 39) include “to inform and advise the controller or the processor and the employees who carry out processing of their obligations [...]” and “to monitor compliance with this Regulation”.

The legal world will certainly face new challenges in this sector in the near future.

About the Author

Veronica Morlacchi

Laureata a pieni voti in giurisprudenza, è Avvocato Cassazionista, iscritta all’Albo degli Avvocati di Busto Arsizio dal 2004 e all’Albo degli Avvocati abilitati al Patrocinio davanti alla Corte di Cassazione e alle altre Giurisdizioni superiori. Si occupa principalmente, nell’interesse di Privati, Professionisti, Aziende ed Enti pubblici, di diritto civile, in particolare responsabilità civile e risarcimento danni, diritto delle nuove tecnologie e privacy, contratti, persone e famiglia. Ha conseguito un master in Responsabilità civile e un corso di perfezionamento in Tecniche di redazione dei contratti e, da ultimo, si è perfezionata in Data Protection e Data Governance all'Università degli Studi di Milano e in Strategie avanzate di applicazione del GDPR. Pubblica periodici aggiornamenti e articoli nelle materie di cui si occupa sul suo sito www.studioavvmorlacchi.it e da giugno 2016 collabora con Guru Advisor
