The Internet of Things, Personal Data and the Article 29 Working Party: no Extraordinary Revelations, but a Useful Summary

The adoption of an Opinion on the Internet of Things and personal data protection in the EU by the Article 29 Working Party (WP) last September had a certain resonance. Yet the document brings no sensational revelations (nor it is remarkable for its timeliness); however, it does provide a summary of the European Data Protection Authorities’ stand on the subject matter and for that reason alone is a useful reference for all those professionally involved with personal data protection issues.

The expression Internet of Things describes the proliferation in modern society of everyday “smart” and “connected” objects, capable of collecting, processing and transmitting information on the surrounding environment and activities, including personal data. The WP identifies three categories of such “things”: that of wearable computing (such as smart glasses and watches), that of the “quantified self” (pedometers, sleep trackers etc.) and that of domotics (“connected” thermostats, lights, appliances, alarm systems and other home automation devices). Naturally, this is a subdivision of mere convenience: the reality is that several devices already on the market fall within more than one, or all, of these categories.

There is no doubt that from the commercial success of these “things” there derives an exponential risk of intrusion into the life of individuals. Such objects make it possible to access an incredible amount of their users’ or third parties’ personal data, and further circulate them without any real awareness or control by the individuals concerned. Home automation devices, for example, can reveal detailed information about the lifestyle of the inhabitants of the home in which they are installed. “Quantified self” devices potentially allow access to sensitive data on the health of individuals. Many devices can reveal the user’s geo-location and movements. The WP comments on the possibility, by means of inference methods, of cross-matching and combining data from different sensors and/or different devices to extract meaningful information from raw data that has an apparently different meaning (e.g., infer driving habits from the data collected by the accelerometer and gyroscope of a smartphone), and the risk of the extracted data being used for purposes other than those declared.

The European personal data protection rules come into play only to the extent that there is a relevant processing of personal data (and provided that the conditions for their applicability exist: see below). In itself, the fact that a device is capable of collecting and transmitting personal information does not necessarily imply that the processing of personal data is relevant to the EU legal framework. In the abstract, data collected by the device might remain exclusively available to its user(s), and the latter in turn could use it only for personal purposes. Or the data might be completely anonymised, severing any ties to an identifiable individual.

But there is also another very real possibility, namely that the data related to an identified or identifiable individual is transmitted from the device to an entity other than the user that will store it, process it and possibly share it with third parties — this is indeed the typical business model of the IoT according to the WP. The opinion identifies various stakeholders potentially involved in processing data from IoT devices: device manufacturers; device lenders or renters; application developers; social platforms; data brokers. Each of these stakeholders, if the conditions for the application of EU legislation are met, may qualify as a data controller to the extent that they collect and process personal information for purposes that have been pre-determined.

Social platforms, for example, may come into play because of the users’ tendencies to share data collected on these platforms through smart devices; where the operators of these platforms use shared data for purposes they determine, they become data controllers. To quote an example made by the WP, a social network could use the information gathered from a pedometer to infer that a particular user is a regular runner and show ads for running shoes.

App developers (note that apps on smart devices were the subject of a previous opinion by the WP) also become data controllers when they access personal data collected by means of the device, possibly in addition to the manufacturer.

Other third parties may also use connected devices to collect and process information about individuals; for example, the WP notes that insurance companies may provide their customers with pedometers produced by third parties in order to monitor how often they exercise, and adjust insurance premiums accordingly.

In this context, the WP recalls that, according to Directive 95/46/EC (the so-called Data Protection Directive), Community rules on the protection of personal data—more precisely, the implementing provisions of one or more Member States—apply whenever personal data is processed “in the context of the activities of an establishment” of the data controller in the territory of that State, or in all cases where the data controller is established outside the EU, but makes use of “equipment” situated in that territory.

That amounts to saying that stakeholders involved in the collection of personal information by means of IoT devices will have to deal with European national data protection laws (in some cases, more than one) much more often than they would like, even when they are non-EU companies (no doubt there for companies based in Europe). Both of the connecting factors mentioned, in fact, are now interpreted quite broadly.

As to the latter (“equipment”), perhaps the most important, the WP advocates an interpretation that embraces virtually all IoT devices used in Europe collecting and sending out personal data, including terminal devices (smartphones and tablets) “on which software or apps were previously installed to both monitor the user’s environment through embedded sensors or network interfaces, and to then send the data collected by these devices to the various data controllers involved”.

As to the former criterion, in its recent decision in the Google Spain case, the Court of Justice established the principle that even the opening in a Member State of a local branch dedicated to the promotion and selling of advertising space related to a particular service may be sufficient to determine the application of local data protection laws.

If application of the EU legal framework is thus established, the first rule to be observed by the data controller(s) is that provided for by Article 5(3) of Directive 2002/58/EC, or the “e-Privacy Directive” (the same rule that applies to the use of cookies): the mere storage of information, or access to information already stored on an IoT device requires that the user is informed in detail of the storage or access and is given the opportunity to opt out, unless they are technically necessary to provide a service the user requested.

Any further processing operation must, in order to be legitimate, be based on one of the legitimacy requirements provided for by Article 7 of Directive 95/46; in this context, they are: the express consent of the person concerned (a requirement that partially overlaps the one just seen above); the fact that the processing is necessary for the performance of a contract to which the data subject is a party; or the pursuit of a legitimate interest, which may not be overridden by conflicting interests or rights or freedoms of the data subject and in no case can be purely economic. The data controller shall, the WP recommends, provide the opportunity to express granular consent: for example, allow the processing of certain personal information and not others.

Where the Italian law applies, these requirements will be even stricter, because Italy has implemented Directive 95/46 restrictively. In particular, the possible processing of “sensitive” data, which include health-related information (typically collected by “quantified self” devices) requires authorisation by the Italian DPA and the written consent of the data subject (Article 26 of the Italian Personal Data Protection Code), and there seem to be no other ways to provide written consent in our legal system other than by hand or certified digital signature. As for cases of pursuit of legitimate interests, in the Italian legal system, they must be expressly recognised by the DPA with an ad personam order upon the motion of the data controller.

Basic principles of EU data protection laws also require the data controllers to inform data subjects of their identity and of the characteristics and purposes of the data processing before commencing it; the WP, however, believes that the information should be provided not only to the device user but to all those who are in the “geographical or digital” vicinity, when data relating to them is collected.

The WP also recalls the obligations to process the data solely for purposes compatible with those stated in the information notice; to only collect data that is strictly necessary for the fulfilment of those purposes; to take the necessary security measures to protect the data from risk of loss, destruction and unauthorised access.

The data subjects should be able to exercise the rights granted to them by Articles 12 and 14 of the Directive (article 7 of the Italian Personal Data Protection Code): right of access; right to rectification; right to oppose processing, which must be exercised without entailing the renunciation of the functionality that the device can offer regardless of the connection. The WP recommends that users of IoT devices are able to read and edit the data collected locally and export it in a common format through user-friendly interfaces.

In the coming months it will be interesting to see how EU DPAs (or judges) will follow up on this opinion in applying data protection rules to the “Internet of Things”.