Privacy & Information Security Law Blog

On September 23, 2016, the French Data Protection Authority ("CNIL") published the results of the Internet sweep on connected devices. The sweep was conducted in May 2016 to assess the quality of the information provided to users of connected devices, the level of security of the data flows and the degree of user empowerment (e.g., user’s consent and ability to exercise data protection rights).

As we previously reported, the sweep was coordinated by the Global Privacy Enforcement Network, a global network of approximately 50 data protection authorities ("DPAs"). The CNIL and 24 other member DPAs, including the UK Information Commissioner’s Office, participated in the coordinated online audit. More than 300 connected devices were tested and audited around the world by the participating DPAs. The sweep revealed that, of these 300 devices:

• 59 percent failed to provide users with clear and complete information on how their personal data is collected, used and disclosed;
• 68 percent failed to provide information on how personal data is stored;
• 72 percent failed to explain how users could delete their data off the device; and
• 38 percent failed to include contact details if users had privacy concerns.

In France, the CNIL tested 12 connected devices in the following sectors: home automation (connected fire alarms and camera systems); health (connected scales and blood pressure monitors); and well-being (connected watches and activity bracelets), and found the following:

• Users of connected devices are not sufficiently informed of the processing of their personal data. In particular, the CNIL found that the information was not specific to the connected device used but covered the entire product range of the supplier, and did not provide users sufficient information to understand how their personal data will be used (e.g., whether or not the data will be shared with third parties, who it will be shared with, the purposes for which it would be shared, etc.).
• Users have a satisfactory degree of control over their personal data. The CNIL found that the personal data collected by the devices appeared necessary for the performance of the service performed by that device and/or were subject to the user’s consent. In addition, three-quarters of the tested devices had security measures in place to prevent unauthorized access to the data collected or to the device itself (e.g., identification was required).

The CNIL, like the other DPAs, reserves the right to conduct more extensive testing by carrying out inspections on the data processing activities related to the use of connected devices.