Privacy & Information Security Law Blog

On September 22, 2014, the Article 29 Working Party (the “Working Party”) released an Opinion on the Internet of Things (the “Opinion”) that was adopted during the last plenary session of the Working Party in September 2014. With this Opinion, the Working Party intends to draw attention to the privacy and data protection challenges raised by the Internet of Things and to propose recommendations for the stakeholders to comply with the current EU data protection legal framework.

In its Opinion, the Working Party specifically addresses (1) “wearable computing” such as glasses and clothes that contain computers or sensors, (2) “quantified self” such as fitness devices carried by individuals who want to record information about their own habits and lifestyles and (3) “domotics” which are devices in the home that can be connected to the Internet such as smart appliances.  These are three important recent developments related to the Internet of Things and considered by the Working Party to exemplify the current Internet of Things.

According to the Working Party, the main privacy, data protection and security issues that are currently raised by the Internet of Things are (1) the user’s lack of control over his or her data and information asymmetry; (2) the quality of the user’s consent; 3) the repurposing of original data processing; (4) intrusive profiling and behavioral analysis; (5) difficulties to ensure anonymity and (6) security risks.

The Opinion highlights the fact that the EU Data Protection Directive 95/46/EC on the protection of personal data and the e-Privacy Directive 2002/58/EC as amended in 2009 are fully applicable to the processing of personal data through different types of devices, applications and services used in the context of the Internet of Things.

The Opinion provides a comprehensive set of practical recommendations addressed to various stakeholders involved in the development of the Internet of Things (i.e., device manufacturers, application developers, social platforms, further data recipients, data platforms and standardization bodies) in order for them to develop a sustainable Internet of Things. The  recommendations are intended to assist with compliance with most of the obligations provided by the EU data protection legal framework (e.g., consent requirements, legal bases for processing personal data, data quality and data security, specific requirements for processing sensitive data, transparency requirements, the rights of the data subjects).

The Working Party will continue to monitor the developments of the Internet of Things and cooperate with other national and international regulators and lawmakers on these issues.