Anyone reading recent articles in the SCL magazine and/or on its web site will be aware of the focus on the growing area of the Internet of Things. The Article 29 Working Party (WP29) has now weighed in with its Opinion 8/2014 on Recent Developments on the Internet of Things.
Opinions from the WP29 are not legally binding but, since they represent the views of the regulators across the EU (including the UK’s Information Commissioner’s Office), they are worth watching carefully.
Opinion 8/2014 makes some sensible comments and offers some useful analysis, although, having explained the conundrum of the clash between advancing technology and the growing privacy challenges, its recommendations do not give enough practical answers to the problem. That said, the Opinion is worth reading for its analysis and the way in which it highlights the issues as well as for its recommendations on best practice in this fast-moving area.
What the Opinion covers
The Opinion starts with a definition of the Internet of Things (IoT). It says the IoT is an infrastructure in which billions of sensors embedded in common, everyday devices – ‘things’ as such, or things linked to other objects or individuals – are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities.
IoT stakeholders offer new services through collecting and further combining data about individuals, to measure a user’s environment-specific data or to specifically observe and analyse their habits. There are a number of interlinking IoT stakeholders, including device manufacturers, data aggregators, app developers, social platforms and others.
The Opinion identifies that the development of the IoT offers great opportunities, but also new and significant privacy and data protection concerns. There is the potential for data to be shared and further analysed, without the user (the data subject) being aware of it. Communication between objects can be triggered automatically and by default, without the user knowing. Further processing by third parties could then take place. The big dangers are of users losing control of their data and not being aware of this, especially if there is a lack of transparency.
The WP29 regard it as impossible to predict the future with any certainty, and therefore decided to concentrate on three specific IoT areas which are in use now. It therefore did not even consider issues like M2M (machine-to-machine developments), smart cities and smart transportation, although the principles in the Opinion may apply to those developments too.
The three specific areas that the Opinion considered were:
(a) Wearable Computing, ie everyday objects and clothes like watches and glasses, which contain sensors;
(b) Quantified Self – things which are regularly carried by people to record information about their habits and lifestyles, such as sleep pattern, pulse, steps and other trackers;
(c) Home automation, or domotics – connected light bulbs, thermostats, smoke alarms and other home electrical items.
These three areas may overlap and so are not mutually exclusive.
A key feature of the Opinion is the analysis of different types of data – (i) raw data, (ii) aggregated data and extracted information and (iii) displayable data. The example given was an accelerometer that is worn on the user’s belt and measures abdominal movements; that raw data can be extracted to form aggregated data, which shows the person’s breathing rhythm; and from that the displayable data is the measurement of the user’s stress levels. These different levels are important, because the more granular level of data could be used later to analyse more information.
Consent
One of the best ways to show compliance with the obligation to process data fairly and lawfully is by obtaining consent. This is particularly so in the context of data gathered through Wearables and Quantified Self, which would often be sensitive personal data, as it involves data about people’s health.
The WP29 remind the reader that for it to be valid, consent has to be informed, freely-given and specific. In other words, people must be given sufficient information about what is done with their data, by whom and for what purpose, if their consent is to be meaningful. Likewise, it must be genuinely free, so that people have the right to consent or not; otherwise, it is not really consent. And the consent must relate to the specific purposes rather than something generic. Low-quality consent based on a lack of information is simply not good enough.
Extra care is needed in the IoT environment, particularly as the greater amounts of data, coupled with better data analysis techniques, could lead to secondary uses of data for totally different purposes. What IoT stakeholders must ensure is that each level of data (ie raw data, extracted data or displayed data) is used in ways which are compatible with the original purpose.
Linked to consent (but regardless of whether another ground justifies the processing of data), there is the principle that individuals are informed of the data that is collected and processed about them. The requirement is even more important in the IoT environment, as sensors are designed to be as non-obtrusive and invisible as possible.
Meanwhile, under the purpose limitation principle, data can only be collected for specified, explicit and legitimate purposes. Any further processing incompatible with those purposes would be illegal under EU law. Those purposes should be specified before the data processing occurs.
The WP29 state that today’s sensors are not designed to provide sufficient information or to get consent. Therefore, new ways of obtaining valid consent would need to be explored by IoT stakeholders. There should not just be a standard privacy policy, but obtaining consent needs to be an on-going process.
In addition, the Opinion refers to the data minimisation principle. Data that is unnecessary for a particular purpose must not be collected and stored ‘just in case’ or in case it proves useful subsequently. The WP29 profoundly disagreed with arguments that the data minimisation principle is a barrier to innovation as the benefits may arise only from exploratory analysis. It takes that stance because data minimisation plays such an essential role in protecting data protection rights. At the very least, data subjects should be offered the chance for data to be processed anonymously.
One final point in relation to consent was that users should be able to withdraw or revoke their consent at any time.
Security
The Opinion also highlights some issues with security. It states that all IoT stakeholders who are data controllers are fully responsible for security in data processing. Data controllers must consider security assessment in terms of the system as a whole.
The Opinion goes on to address the fact that devices operating today in the IoT are hard to secure due to technical and business reasons. The components that use wireless infrastructure mean that devices are vulnerable to physical attacks and eavesdropping. The IoT also involves a complex supply chain with several stakeholders. Devices may not always be configured by the user. The scope for security vulnerability is therefore great, and users may not be aware of this.
This is all the more important given the sort of data being processed (sometimes sensitive personal data) and the scope for wider and further processing already mentioned.
Practical Recommendations
So now, on p 21 of the Opinion, comes the bit that the reader was waiting for: the practical recommendations. The WP29 start with recommendations for all stakeholders. They include:
· ensure privacy impact assessments are performed before any new applications are launched in the IoT environment;
· apply the principles of Privacy By Design and Privacy By Default, so privacy is built in to any process from the beginning and not as an afterthought;
· delete the underlying, raw data as soon as it is extracted for the processing and seek just to use aggregated data;
· empower users so that they always feel in control of their data;
· provide information about the processing and the right to refuse and make this as user-friendly as possible.
There then follow some further focused recommendations for specific stakeholders.
For operating system and device manufacturers, it is suggested that they must inform users about the type of data collected and what they receive, and how it is combined and processed. They should also communicate with all other stakeholders when the user withdraws their consent. The choices that a user is faced with should be as granular as possible in the categories of data, time and frequency, and with ‘do not disturb’ options. Users should also be given easy access to data portability and a user-friendly interface to get aggregated and raw data. Further, there should be simple tools to inform users when there is a security vulnerability.
App developers are provided with some specific further obligations too. They should ensure that warnings are designed to inform users frequently when sensors collect their data. The app should facilitate the user’s right to access, modify and delete his or her data. App developers should also enable export of raw and aggregated data in a usable format. And likewise, they should follow the Privacy By Design approach and minimise the data collected.
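The three data levels described earlier (raw, aggregated, displayable) and two of the recommendations above (granular, purpose-specific consent that can be withdrawn, and deleting raw data once the aggregate has been extracted) can be illustrated in code. The following is an added example and is not code from the Opinion, the WP29 or the article; the purpose identifiers, the breathing-rate heuristic, the stress thresholds and the sample data are all constructed assumptions.

```python
"""Added example (not from the Opinion or the article): a minimal
privacy-by-design pipeline that keeps the three data levels the
Opinion distinguishes (raw, aggregated, displayable) apart, checks
purpose-specific consent at each step, and discards the raw samples
as soon as the aggregate has been extracted."""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed purpose identifiers for granular consent (not from the Opinion).
PURPOSE_BREATHING = "breathing_rhythm"
PURPOSE_STRESS = "stress_level"


@dataclass
class Consent:
    """Purpose-specific consent; each purpose can be withdrawn at any time."""
    purposes: Set[str] = field(default_factory=set)

    def allows(self, purpose: str) -> bool:
        return purpose in self.purposes

    def withdraw(self, purpose: str) -> None:
        self.purposes.discard(purpose)


@dataclass
class Derived:
    """Only the aggregated and displayable levels are retained; no raw samples."""
    breaths_per_minute: Optional[float]
    stress_level: Optional[str]


def breathing_rate(samples: List[float], sample_hz: float) -> Optional[float]:
    """Aggregated data: count upward zero crossings of the mean-removed
    abdominal acceleration over the window and scale to breaths per minute.
    This is a constructed heuristic for illustration, not a clinical method."""
    if len(samples) < 2:
        return None
    mean = sum(samples) / len(samples)
    centred = [s - mean for s in samples]
    crossings = sum(1 for a, b in zip(centred, centred[1:]) if a < 0 <= b)
    seconds = len(samples) / sample_hz
    return crossings * 60.0 / seconds


def stress_level(bpm: float) -> str:
    """Displayable data: map breathing rate to a category.
    Thresholds are constructed for the example, not clinical values."""
    if bpm < 12:
        return "low"
    if bpm < 20:
        return "normal"
    return "elevated"


def process_window(samples: List[float], sample_hz: float, consent: Consent) -> Derived:
    """Run one window through the levels, honouring consent per purpose and
    dropping the raw level as soon as the aggregate exists."""
    raw = list(samples)
    bpm = breathing_rate(raw, sample_hz) if consent.allows(PURPOSE_BREATHING) else None
    del raw  # raw data is not kept once the aggregate has been extracted
    level = None
    if bpm is not None and consent.allows(PURPOSE_STRESS):
        level = stress_level(bpm)
    return Derived(bpm, level)


def constructed_samples(sample_hz: float = 10.0, seconds: int = 60) -> List[float]:
    """Constructed sample input: 60 s of a belt accelerometer at 10 Hz showing
    gravity plus a 0.25 Hz (15 breaths/min) abdominal oscillation."""
    n = int(sample_hz * seconds)
    return [9.81 + 0.5 * math.sin(2 * math.pi * 0.25 * (k / sample_hz) + 0.3)
            for k in range(n)]


if __name__ == "__main__":
    consent = Consent({PURPOSE_BREATHING, PURPOSE_STRESS})
    print(process_window(constructed_samples(), 10.0, consent))
    consent.withdraw(PURPOSE_STRESS)
    print(process_window(constructed_samples(), 10.0, consent))
```

The point of the structure is that the caller only ever receives a `Derived` record: the aggregated breathing rate and the displayable category are produced only for purposes the user has consented to, and the raw window never leaves `process_window`, which is the "delete raw data as soon as it is extracted" recommendation applied at the point of processing.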
Comment
The WP29 clearly describe the great opportunities and the corresponding data protection and privacy problems, but do not give many genuinely useful suggestions for what IoT stakeholders can do about it. It is all very well saying that the potential data issues are even greater given the sort of data being processed, the potential further analysis and users, the lack of a single accountable person, the security holes, and the lack of an environment for obtaining genuine consent at the moment – but if the IoT is going to become a reality, whether the WP29 likes the data protection and privacy challenges or not, then what are the solutions to this conundrum? Despite the reference to ‘practical recommendations’, these are sadly lacking in the Opinion.
In addition, while it is clear that in some cases the data collected is clearly personal data, the case has not been made out that this is always the case, particularly where it involves data collected about several people from the same sensor. In a building occupied by more than one person, is it possible to attribute every action recorded by domestic equipment to any one particular person? It would be wrong always to assume this. It seems that the WP29 is taking the line of greatest caution.
A lot of questions remain unanswered, including how different data controllers will obtain genuine, freely given, informed and specific consent. The WP29 is certainly right about one thing: the more transparent any IoT stakeholder is in providing information about what is collected and what is done with the data and by whom and the more specific information that is given (rather than bland one-off privacy statements), the more likely are users to trust them with their data. And until the EU data protection reforms come through, reputational damage is still the main driver behind compliance with data protection law.
Paul Gershlick is a Commercial/IP/IT Partner at Matthew Arnold & Baldwin LLP, and has a particular interest in the application of technology to the life sciences and healthcare sector.