On 16 September 2014, the Article 29 Working Party (the "Working Party") adopted Opinion 8/2014 (the "Opinion") on recent developments in the so-called 'Internet of Things' ("IoT"). The Working Party is an independent European advisory body on data protection and privacy comprised of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission. It issues opinions on the level of protection of individuals with regard to the processing of personal data in the EU.

IoT refers to an infrastructure in which billions of sensors embedded in common, everyday devices are designed to record, process and store data. The devices are associated with unique identifiers and interact with other devices or systems using networking capabilities. Technology in this area is fast evolving, thus creating an increased amount of data processing which entails a higher risk to data protection rights.

The Opinion, while not legally binding, intends to pinpoint the risks to data protection which are incurred by such usage and provides advice on how the existing EU data protection regulatory framework should apply to the notion of IoT. Three particular categories of IoT device are focused on: wearable computing such as connected watches; 'quantified self' things which are designed to record information about a person's own habits and lifestyles (e.g. a run-tracking app or a sleep tracker); and home automation, i.e., household appliances which may be accessed remotely and can transfer data to the manufacturer.

The Opinion points out that the IoT raises specific data protection concerns, such as the data subject being unable to adequately review the data that is collected. There is a real risk of user consent being merely theoretical, as there is often no realistic option to revoke consent. Moreover, it is not always obvious that an IoT device collects data; for example, a smart watch with data-sending capabilities is not easily distinguishable from a regular watch. Repurposing of data collected by way of an IoT device is also problematic. For example, an individual may have consented to use an accelerometer app but not to the use of its data to draw conclusions about driving habits.

The use of sensors or tracking devices makes profiling even easier by facilitating the compilation of separately collected data. IoT devices make it more difficult to be certain of the anonymous use of services as information on a person's location may be transmitted. The Working Party suggests that data security is not always the number one priority for connected device manufacturers. Moreover, sensor data is more susceptible to re-identification attacks or unauthorised monitoring.

The Opinion then clarifies the applicable regulatory framework. While Directive 95/45/EC (the "Data Protection Directive") is the main point of reference for IoT devices, the e-Privacy Directive 2002/58/EC ("e-Privacy Directive") is also relevant. The Data Protection Directive sets out different legal responsibilities depending on whether the user qualifies as a data controller or a data processor. Under the Data Protection Directive, a data controller that is not established in the EU but makes use of equipment situated within the EU will fall under the EU's regulatory framework. The Working Party states that all IoT objects qualify as equipment as per the Data Protection Directive.

There are numerous stakeholders involved in IoT such as device manufacturers and app producers. Manufacturers qualify as controllers when they use data for development purposes. Social networks may qualify as data controllers by targeting advertisements based on app usage. Third party app developers may be regarded as controllers if the installation requires access to data.

The Working Party points out that the amount of data collected through the IoT lends itself to secondary use. Third parties may wish to use data for purposes which are different from those for which the data had been initially collected. This carries a risk for the data subject, since he or she may be comfortable with sharing data for a specific purpose but may not wish to share this secondary information for totally different purposes. Therefore, the Working Party believes that IoT stakeholders should make sure that the data are used only for purposes that are compatible with the original purposes and that these purposes are known to the user.

The e-Privacy Directive contains similar notions of equipment and consent as under the Data Protection Directive and will have application where an IoT stakeholder has access to information already stored on an IoT device. For example, a pedometer manufacturer would have to obtain the user's consent before uploading the collected data onto its servers.

If IoT stakeholders qualify as data controllers under the Data Protection Directive, any processing carried out must have a legal basis such as consent; where the processing is necessary to perform a contract; or where it is necessary to pursue a legitimate interest. IoT stakeholders must also comply with the cornerstone principles of the Data Protection Directive, such as purpose limitation, fair and lawful processing, data minimisation, and temporal limitation of data retention. The Working Party advises that a user should be categorised as inactive if the service has not been used for a specific period of time.

Under the Data Protection Directive, 'sensitive data' such as data on race, ethnicity or political opinions, as well as health-related data, are afforded special protection. The Working Party notes that there is a risk that such data is processed without consent by connected devices. IoT devices are also prone to security flaws, as they can be difficult to secure.

As regards the rights of data subjects, the Working Party notes that the exercise of the right of access as provided for under the Data Protection Directive is rarely possible with IoT devices. The Working Party recommends that in order to fully comply with the EU regulatory framework a real right to withdraw consent must be provided for. For instance, wearable connected devices should offer an option to use the device "unconnected".

The Working Party makes a number of suggestions. Of particular interest is the recommendation that all IoT stakeholders should carry out Privacy Impact Assessments before launching new applications and should apply the principles of "privacy by design" and "privacy by default". Application developers should design warnings to remind users if sensors are collecting data. Manufacturers should offer realistic opt out choices by way of a "do not collect" option.

The full text of the Opinion can be consulted here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.