New EU Data Protection Guidance on the Internet of Things

The EU's main data protection body, the Article 29 Working Party, recently published an Opinion on the application of European data protection rules to the Internet of Things. It shows an interesting evolution in the Working Party's opinions as the priorities of the anticipated General Data Protection Regulation are now cautiously shining through.

The Internet of Things has been around as a buzzword for a very long time. As technology has matured, actual applications and services are now also increasingly becoming a reality. The Internet of Things generally refers to the fact that more and more physical items are interconnected via the Internet. That development facilitates exchanging information about our needs and wants, analysing our behaviour and making (hopefully) beneficial decisions on how to help us. Common examples include domotics that regulate the temperature of our houses, cars that communicate with each other to avoid accidents, and wearable devices such as smart watches or smart glasses that keep track of where we are, who we meet, and what we do.

The possibilities are endless, but they raise significant privacy questions as well. Do we really understand what data is collected, who can access it, and what they are using it for?

The EU has a relatively strict legal framework for protecting privacy through the Data Protection Directive, but the application of the law is not always straightforward.

To clarify how the rules apply to the Internet of Things, an authoritative opinion was published in September 2014 by the Article 29 Working Party, the EU's leading data protection body, comprised principally of the Member States' national data protection authorities (such as the Privacy Commission in Belgium).

The Opinion as such does not contain many surprises or novelties for those familiar with EU data protection law and/or the prior guidance of the Working Party. It principally reaffirms the applicability of the rules, and provides some practical guidance on key questions such as transparency, lawfulness, end-user consent, and security.

However, the Opinion is interesting from a different perspective, as the recommendations it provides show a shift in focus to the topics that will also be included in future data protection laws. As one example, the Opinion focuses on the importance of privacy-by-design and privacy-by-default, two principles that aim to ensure that privacy protection is built into technology and automatically switched on, even without any prior user choice. This development shows the increasing focus on pragmatic protection over formalities that do not necessarily support privacy in reality.

A second example is the recommendation to conduct a Privacy Impact Assessment (PIA) before launching Internet of Things services or applications. This recommendation ensures that privacy questions are asked and answered before a service goes live, and embodies an important shift for service providers: they need to think about what they are doing in advance, and consider whether they could do more to protect privacy.

Overall, the Opinion offers a preview of the new priorities that are also likely to become legally mandatory if and when the hotly debated General Data Protection Regulation is adopted, showing a move towards pragmatic protections and user empowerment.

Hans Graux comments:

"The Opinion on the Internet of Things is very relevant, not only for service providers operating in this sector, but also for other businesses offering online services or connected products. It shows the new priorities of European data protection law, and it's only a matter of time before these priorities become legally binding. Businesses would do well to evaluate whether their own products, services and processes are aligned with this new approach."