GDPR and Internet of Things (IoT)

As defined by CASAGRAS, the Internet of Things (IoT) is understood to be “a global network infrastructure, linking physical and virtual objects through the exploitation of data capture and communication capabilities.”

IoT devices have clearly become an important part of our daily lives; it is hard to imagine a routine without such helpful tools. Most of these gadgets need to be connected to another machine to function properly, which means they handle the same personal data (email address, IP address, phone number) as the laptop or mobile they connect to. Since a lack of privacy measures leads to the same kind of data leakage as on those devices, IoT developers must still take all appropriate actions to protect the personal data of their users.

Internet of Things and General Data Protection Regulation: is it applicable? For sure, yes. Then what should be considered when creating IoT devices so that they comply with the GDPR? In this article, I would like to emphasize the main GDPR requirements concerning IoT. There are 5 things to consider to make IoT gadgets GDPR compliant:

  1. Design consideration;
  2. Lawful ground for the processing of personal data;
  3. Processing personal data of minors;
  4. DPIA;
  5. Personal data breach.

Let’s look separately at each of these major aspects.

Design considerations

Privacy and data protection measures for IoT should be addressed at the design stage. This follows from the basic privacy by design principle. Developers are tasked with implementing appropriate technical measures to protect personal data directly in the functionality of the technology. For example:

  1. the data subject should not be subject to a decision based solely on automated decision-making, according to Article 22 of the GDPR;
  2. it is necessary to reduce the possibility of identifying persons when accessing the information available in the IoT device (for example through anonymisation or pseudonymisation);
  3. it is advisable to remember that data subjects are granted the right to erasure of their personal information. This means that if AI is used in the device, IoT developers have to ensure that it will no longer use the personal data, even if its working principle is based on learning from and analysing such data.

Lawful ground for the processing of personal data

The major aspect of the GDPR for IoT is the lawful ground for processing. One of these grounds, and the most commonly used, is consent. In most cases, explicit consent is required, especially in situations where serious data protection risks emerge and, hence, where a high level of individual control over personal data is deemed appropriate, as mentioned by Working Party 29. The GDPR is meant to force companies developing IoT devices to offer more opt-in or opt-out clauses to consumers. Inactivity can no longer be taken as consent to the processing of personal data.

Processing personal data of minors

In the technologically fast-developing 21st century, it is not rare for children under 16 years old to use IoT devices. Therefore, the issue of obtaining consent for data processing from persons younger than 16 (or another age, depending on the national legislation of the EU Member State, but not less than 13 years) becomes more relevant than ever.

Any information addressed specifically to a child should be adapted to be easily accessible, using clear and plain language (for example, in the cookies policy, cookies consent form and privacy policy). It is also necessary to obtain parental consent to the processing for children who are under the age of 13, and to make reasonable efforts, taking available technology into consideration, to verify that the person providing consent holds parental responsibility for the child. It is wise to build parental consent mechanisms into the devices themselves, since guardians will not always be there to monitor their child’s use of IoT technology and to give proper consent.

Data Protection Impact Assessment

IoT projects need to conduct a Data Protection Impact Assessment. This requirement is not stated as such in the General Data Protection Regulation but follows from the essence of Article 35. That Article makes a DPIA mandatory for certain types of personal data processing, in particular when new technologies are used and when the processing is likely to result in a high risk to the data subject’s rights and freedoms. Consequently, these criteria almost always apply to IoT technologies.

Even though the Working Party’s guidelines will no longer need to be considered in 2021, it is worth mentioning that in its Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, the Party outlined the following:

“Certain ‘Internet of Things’ applications could have a significant impact on individuals’ daily lives and privacy, and therefore require a DPIA.”

Therefore, the chance is high that you will need to conduct a DPIA before you start your IoT project.

Personal data breach

No one will be surprised by stories of thieves hacking smartwatches that reveal whether the owner is at home, which lets them better prepare for thefts. Such situations raise security issues. Article 34 of the GDPR, concerning the communication of a personal data breach to the data subject, stipulates that the controller (the person defining the purpose of personal data collection) shall communicate the personal data breach to the data subject without undue delay. Notification is not required if appropriate technical measures have been taken (such as encryption or anonymisation), if it would involve disproportionate effort, or if the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.

Also, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.

!!! Remember that the GDPR works under the principle of accountability, meaning it is your responsibility to demonstrate compliance with the GDPR. Therefore, it is necessary to document any personal data breaches, including the facts relating to the breach, its effects and the remedial action taken.

It is clear that there are many more General Data Protection Regulation requirements for Internet of Things technologies that need to be considered for compliance. The exact list depends on the business mechanics of a particular IoT technology. For a better understanding of all required data protection measures, we advise you to contact a lawyer directly to fill any potential gaps.
