Out-Law News | 29 Sep 2014 | 5:07 pm | 4 min. read
The Article 29 Working Party said that businesses wishing to rely on individuals' consent as the legal basis for processing personal data in the IoT environment must ensure that the consent they obtain is "fully informed, freely given and specific".
The watchdog warned that "classical mechanisms used to obtain individuals’ consent may be difficult to apply in the IoT" environment (24-page / 618KB PDF) because their use may produce "'low-quality' consent" that does not conform to legal standards required under EU privacy rules.
It called on device manufacturers to develop lead work on the creation of a new "common protocol to express preferences with regard to data collection and processing by data controllers especially when such data is collected by unobtrusive devices".
The watchdog also said the manufacturers should enable more decentralised control over and processing of personal data in the IoT environment. This would help consumers gain a clearer understanding of the data collected by their devices and cut down on the storage by and transferring of personal data to the device manufacturers, it said.
Data protection expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said: "The Working Party's guidance and recommendations underpins the idea that the process of obtaining consent has evolved from being a one-time exercise that businesses could achieve by stating terms of data use in consumer contracts or privacy policies. Instead, it is now clear that businesses need to have an ongoing dialogue with consumers about how they plan to use their data to account for the fact that technological change is delivering new ways for that data to be used that were previously unforeseen."
"The challenge for businesses is finding a technological mechanism that enables them to explain data use plans to consumers and simultaneously allows consumers to manage their preferences and which is not a cumbersome tool," Wynn said.
The IoT is a term used to loosely describe the increasing interconnection of devices and the associated rise in the creation and flow of data between those machines. The term accounts for developments in wearable technology, connected cars as well as smart metering and other in-home applications that now generate and transfer data over telecommunication networks.
In its new guidance, the Article 29 Working Party said that businesses that store personal information on IoT devices or have access to the data on those devices must gain individuals' consent to that storage or access. This is unless the storage of or access to the data is “strictly necessary" for the purposes of providing individuals with a service they have "explicitly requested".
Device manufacturers and other businesses that wish to store or access stored personal data on individuals' IoT devices must comply with the consent rules, it said.
Consumers must be given "accessible, visible and efficient" tools for withdrawing their consent and there must be no "technical or organisational constraints or hindrances" imposed on them doing so by businesses operating in the IoT environment, the Working Party said.
"Some recent developments in this field are trying to empower data subjects by giving them more control over consent management features, for example through the use of sticky-policies or privacy proxies," the guidance said.
Under data protection rules, personal data must be processed fairly and lawfully. Under those rules there are other legal bases for processing personal data other than by having individuals' consent to do so.
However, the Working Party's new guidance said that it is unlikely that businesses will be able to be able to claim that their "economic interest" in processing personal data generated in the IoT environment gives them a legal basis for conducting that activity without consent and on the basis of the 'legitimate interests' rules under EU data protection laws.
This is because of the "potential seriousness" of the implications on privacy that arise with the processing of data relating to individuals' private life in the IoT environment, the Working Party said.
The Working Party also reminded businesses that personal data can only be used for "specified, explicit and legitimate purposes" that individuals have been notified of. Only if consumers are presented with information about other proposed uses of their data "before the data processing takes place" can businesses use that data for those other purposes, it said. "This implies that IoT stakeholders have a good overview of their business case before they start collecting any personal data," it said.
The Working Party warned businesses that decide to collect personal data that is not necessary for the purposes they wish to pursue on the hope that they will find a use for it in future that they could be found in breach of EU data protection laws.
"Some stakeholders consider that the data minimisation principle can limit potential opportunities of the IoT, hence be a barrier for innovation, based on the idea that potential benefits from data processing would come from exploratory analysis aiming to find non-obvious correlations and trends," the watchdog's guidance said. "The Working Party cannot share this analysis and insists that the data minimisation principle plays an essential role in the protection of data protection rights granted by EU law to individuals, so that it should be respected as such."
"This principle specifically implies that when personal data is not necessary to provide a specific service run on the IoT, the data subject should at the least be offered the possibility to use the service anonymously," it said.
The watchdog's guidance also highlighted how rules relating to transparency, data access, data retention and data security apply in the IoT environment. It encouraged businesses to have "an adequate policy of data breach notification" to ensure that "the negative effects of software and design vulnerabilities" are minimised.