Smart objects are progressively becoming a part of our daily life. There is no general definition of a "smart object." However, with "smart objects" here we are not referring to the popular Photoshop tool, but to our everyday objects that are "smart", i.e. that can elaborate data and information though web connections, cooperating in IoT systems, and often "learn" from experience. Smart objects may vary due to their nature, purpose and the scope of the smart object. The legal issues implied by smart objects may vary consequently. The issues relating to a smart watch, for example, are different from those related to a home assistant or a smart toy.

In this article, we examine the main data protection and security issues arising with reference to the smart objects that are most commonly used in everyday life—wearable smart objects and toys—and look at how these issues may be addressed under applicable law. For the sake of clarity, we will refer to EU Regulation 2016/679 (General Data Protection Regulation or GDPR).

Smart objects may also include "home assistants" and "smart" household appliances. For a detailed analysis, please read our article " Smart homes and (new) IT housemates".

Wearable technologies: Are they safe to wear?

Wearable smart objects are becoming more common in our everyday life, from smart watches with a number of features and functions (often directly connected to our smartphones or other devices), to smart bands and bracelets, which monitor fitness activities.

Are such wearable technologies safe to use and enjoy without concerns? Obviously, there is no univocal answer, as it may depend on the scope and nature of the device and even on the "awareness" of possible legal issues by the manufacturer/designer. Generally, wearable technologies raise material issues in particular about a user's personal data protection and security.

By way of example, from a data protection perspective wearable technologies aim to process and elaborate – or in any way infer – health data (e.g. heart rate, calories burned, steps walked, distance covered) and further information pertaining to a user's lifestyle (for example, the nature of physical exercise performed). Since such personal data and information belong to special categories of data, provisions of Article 9 of GDPR would apply (that is, personal data should be processed only under the legal bases provided by Article 9(2)), and particularly strict security measures will have to be adopted to minimize the risks of unauthorized access and processing.

Such measures are not always applied. By way of example, in many instances, in order to increase the speed and accuracy of personal data transmission between two or more smart objects within an IoT system, personal data is not encrypted (encryption is generally considered as a basic security measure to be adopted when transferring personal data, especially data belonging to special categories). Failure to adopt valid encryption solutions has led already to relevant security incidents, with unauthorized third parties hacking the personal data of wearable technology users.

Data security issues may also arise with respect to personal data, which wearable technologies do not process directly. For example, it could be possible that an unauthorized third party who fraudulently accesses the data of a wearable smart watch or bracelet, could "track" the forearms and wrist motions to detect what the user is handling, holding or even writing (in particular with regard to passwords and private correspondence).

Smart toys: not just for play

Toys and objects for children (e.g. baby monitors) are increasingly equipped with smart features and devices such as cameras, microphones, geo-localization and motion sensors, which allow interactions with the users (children), and—through web connections—with additional people or other devices (e.g. smartphones, tablets, home automation systems, etc.) In addition, smart toys can carry out some specific activities automatically, such as taking photos or videos, recording sounds, connecting to social media, etc.

The basic idea is remarkable: Adults can use smart toys to control the activities of their children or to cause them to interact and learn in a safe mode. However, smart toys also imply some data protection and security issues that will have to be addressed carefully, due to, primarily, (i) failure to provide sufficient security measures and (ii) the potential intrusiveness of such devices.

With regard to security measures, the same issues generally discussed above for wearable technologies arise: unsuitable security measures may allow unauthorized third parties to process personal data fraudulently. The risk of smart toys being hacked is in fact more dangerous than the risk of wearable devices being hacked, as such smart toys are designed to process children's personal data, who are by definition less aware of risks and consequences related to the processing of their personal data. In addition, some privacy concerns about smart toys have arisen because of their potential intrusiveness: They may continue to film and record, even when they are not used or appear to be in switch-off mode.

Which safeguards may be adopted to address the data privacy risks?

The GDPR provides some basic tools and procedures that may enhance the level of security of data processing performed by smart objects. First, the Data Protection Impact Assessment (DPIA) under Article 35 of GDPR requires a detailed description of the data processing carried out by the smart object, the related purposes and the security measures adopted: The DPIA may give an exhaustive recap of all features of the data processing. Then, under Article 36 of GDPR, should the DPIA show that the measures adopted by the controller are unsuitable to mitigate the risks for the data subjects, a prior consultation of the Data Protection Authority is needed. Additionally, Article 25 of GDPR sets out the implementation of data protection principles of privacy by design and privacy by default: Smart objects will be designed and set up to minimize the data processing and reduce the risks for the data subjects. Obviously, data controllers will have to allow the effective exercise of data subjects' individual rights under Articles 16-22 of the GDPR.

Finally, we should not forget that Data Protection Authorities carry out some interesting initiatives, including increasing consumers' awareness about data privacy issues pertaining to smart objects. The Italian Data Protection Authority, as an example, has issued a useful set of suggestions and guidelines for the use of smart toys (see this link, in Italian).

Let us know if you want to discuss this topic in further detail. Please contact our Dentons Italy TMT Team at tmtbites.italy@dentons.com and do not forget to sign up to our TMT Bites Newsletter!

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.