What are the most relevant juridical implications derive from the use of IoT devices, in particular in terms of personal data? What are the profiles that must be kept into account when developing IoT solutions?
This magazine has described the Internet of Things in the “Word of the Day” column and in last issues we had an article dedicated to the protection of IoT devices.
The interest on the topic is easily justified: a recent study by Aruba Networks, “The Internet of Things: Today and Tomorrow”, highlighted that the economics advantages of a business due to the adoption of IoT devices appear to exceed the expectations, so we can forecast a boom of the trend in the near future, in particular in sectors like industrial, health, retail, “wearable computing” (ie wearable devices like glasses, dresses, watches, etc.. connected to the Network), Public Administration, domotics and where companies create a “smart workplace”.
Therefore, as a consequence of the ample variety of sectors and the general interest on the topic, a lot of complications and implications might arise in terms from the use of IoT devices, in so as far legal aspects are concerned.
What are the main legal problems related to the use of IoT devices?
First of all, there’s a topic about the safeguard from IT violations which imply some precautionary security measures to protect devices from virus and attacks.
Privacy safeguard is strictly related to that: in order to work properly, devices collect a considerable amount of personal data, sometimes sensitive.
As the Italian privacy authority, the “Garante della Privacy”, stated about the Privacy Sweep 2016 report (an international extended study which has a certain topic each year; last year it was about privacy in the IoT world), “The Internet of Things is full of promises which span from a better health care to an improved energetic efficiency in our houses. But these goals must be reached in a transparent manner by informing people about the use of their own personal data, by protecting such data from violations and improper uses with adequate security measures and by respecting people’s freedom. It’s of the uttermost importance to adopt an international approach to the IoT question: a company that doesn’t behave correctly with respect to users might violate, regardless of where it is located, norms of the safeguard of data and undermine the trust in the new intelligent objects that communicate and interact between them.”
And the result of the Privacy Sweep 2016 report?
Out of more than 300 IoT devices -wearables including watches, meters and thermostats-, more than 60% haven’t passed the exam of Privacy Authorities in 16 Countries.
The most important open questions span from which information are provided to how personal data are collected, used and communicated to third parties, how to delete data from a device and how to contact a provider to ask for more detailed information about your own privacy.
The lack of a specific discipline dedicated to the topic -which is nevertheless one of the biggest problems of the sector, both on a development profile for companies and regarding users safeguard- has been partially fixed by the adoption of the General Data Protection Regulation -Regulation (EU) 2016/679-, which we have talked about in the previous issue in connection to the responsibilities of Providers following a Data Breach.
In addition to the obligations related to a Data Breach, what are the other aspects of the European Regulation an operator in the IoT field should be interested in?
First, in general, the GDPR states some main principles (Art.5) about personal data, which shall be: “processed lawfully, fairly and in a transparent manner in relation to the data subject [...]; collected for specified, explicit and legitimate purposes [...]; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed [...]; processed in a manner that ensures appropriate security [...]”.
Then the concept of ‘privacy by design’ is introduced: the attention to the protection of privacy has to be implemented since the planning phase of the object.
Furthermore, a Privacy Impact Assessment (Art.35) is introduced, ie “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. [...] The assessment shall contain at least a systematic description of the envisaged processing operations and the purposes of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data [...].”
Lastly, let’s briefly mention a figure that is depicted in Art.37, the Data Protection Officer (DPO), whose tasks (Art.39) are “to inform and advise the controller or the processor and the employees who carry out processing of their obligations [...], to monitor compliance with this Regulation”.
The legal world will face new challenges in this sector for sure in the near future.