IoT and Data Protection
Smart technologies are increasingly finding their way into the daily lives of many people, whether out of affinity for technology, practicality or convenience.
In the context of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT), ever more devices of every kind are being networked. Many users, however, are not aware of the risks this entails. Quite apart from the fact that the benefit of some products is at least questionable, every additional networked device enlarges the attack surface available to criminals.
Even if such technologies make our lives easier, we should be aware that each of these devices collects data about us. IoT is an automated exchange of information between the physical and digital worlds, between devices themselves, and between devices and their manufacturers. Its basic principle is the transfer of data between numerous different systems over network technologies. Smart, networked devices perform more and more tasks automatically for their users and supply information to other devices, so ever more data is collected and processed electronically. To this end, products are fitted with a variety of sensors that measure quantities such as temperature and report them to other systems, which in turn make decisions based on them.
The GDPR applies only when personal data is processed. Where it does, the following aspects must be taken into account:
Personal Data in IoT Applications
A personal reference can come about on several levels:
- Acoustic, optical or biometric sensors that process personal data are used.
- The location of a sensor makes it possible to draw conclusions about a person’s habits (e.g., motion sensors).
- If a user communicates with an IoT application, the processing of IP addresses or the evaluation of MAC addresses, for example, can enable presence detection and thereby establish a personal reference.
- Finally, personal reference can result from users logging in with names or other identifiers to make use of the IoT application.
Exception for Private Households
Even when personal data is processed, the GDPR does not always apply. Under Article 2 para. 2 (c) GDPR it does not cover processing by a natural person in the course of a purely personal or household activity, for example a smart home used only within one's own household. The exception covers only that person; the manufacturer or service provider that processes the data on his or her behalf remains within the scope of the GDPR.
Determination of the Data Protection Controller
The data protection controller could be, for example, the manufacturer, a device rental company or a third-party service provider. If a third party is involved, the user's consent to the transfer of his or her data, or another legal basis, is essential. According to Art. 4 No. 7 GDPR, the body which alone or jointly with others determines the purposes and means of the processing of personal data is the controller under data protection law. If an IoT application is operated by a clearly defined entity, that entity is therefore the controller. If several entities jointly operate an IoT application, they may have to conclude a so-called joint controller agreement pursuant to Art. 26 GDPR, which sets out their respective responsibilities, in particular for the exercise of data subjects' rights.
Legal Basis for Data Processing
Under the GDPR, the collection, processing and storage of personal data is prohibited unless a legal basis exists or the data subject has consented (processing of personal data is prohibited subject to authorization). If data processing falls within the scope of the GDPR, several legal bases are available. Obtaining consent in a legally secure manner can be difficult, especially for IoT applications: valid consent requires in particular that manufacturers explain functions and data flows in an understandable form, yet with many IoT solutions it is not even technically possible to request or grant consent. In addition, the data subject must be able to revoke consent at any time, while in practice it is often not even possible to object to data processing as an IoT user.
Processing may also be lawful if it is necessary for the performance of a contract or if the controller has a legitimate interest in the use of the sensors (Art. 6 para. 1 (f) GDPR). This must be assessed before the application is put into operation, and the assessment must be documented. Each application must be considered carefully in its specific context.
Information Obligations and Data Protection Rights
Regardless of the legal basis of the data processing, the information rights of the data subjects must be observed. For example, Art. 13 and 14 GDPR stipulate that a data subject must be provided with a variety of information when data is collected. There is no obligation to provide information if doing so would prove impossible or involve a disproportionate effort; however, this exception applies only where the data was not obtained from the data subject (Art. 14 para. 5 (b) GDPR). IoT providers therefore urgently need a concept for implementing the information obligations under Art. 12 et seq. GDPR.
Privacy by Design and by Default
Article 25 of the GDPR contains provisions on data protection through technology design and through data protection-friendly default settings (privacy by design and by default).
Operators of IoT applications are thus obliged to develop a data protection-compatible and data protection-friendly IoT design. However, manufacturers of individual components often do not fall under the GDPR because they do not operate the components themselves. In practice, the ultimate operators of IoT applications then often receive insecure or poorly configurable components, for whose use they are nevertheless accountable under data protection law. Operators should therefore make data protection requirements part of component selection rather than trying to retrofit them.
Data Protection Impact Assessment (DPIA) According to Art. 35 GDPR
IoT may also meet the requirements for the data protection impact assessment (DPIA) required by Art. 35 GDPR. If processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons by virtue of the nature, scope, context and purposes of the processing, the controller must carry out a DPIA. A DPIA provides the opportunity to identify security weaknesses at an early stage and to implement adequate measures to increase data security. It is not a one-time procedure but a continuous process: if details of a processing operation change, the assessment must be revisited.
Companies should pay attention when using IoT applications to ensure that their sensors do not collect more data than is strictly necessary to fulfil the purpose of the component.
GDPR Principles of Data Minimization and Purpose Limitation
The GDPR principles of data minimization and purpose limitation must be adhered to. Data may be treated as outside the GDPR only if it is truly anonymized; merely replacing names with identifiers (pseudonymization, Art. 4 No. 5 GDPR) leaves it personal data. Data is often labelled "anonymous" but is by no means so from a GDPR perspective, because other information collected along with it still makes identification possible. Data is only anonymous if no conclusions about individual persons can be drawn, including from the combination of different anonymized data sets.
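The following example, added here and not part of the original article, shows why a "pseudonymized" telemetry export is not anonymous. All records are constructed: a vendor export in which the account e-mail has been replaced by a hash, and an external purchase list that a retailer might leak. Linking the two on the remaining quasi-identifiers (postcode, birth year, device model) re-identifies most rows; the k-anonymity check quantifies the exposure, and generalizing the quasi-identifiers is one way to raise it.

```python
"""Linkage attack and k-anonymity check on a 'pseudonymized' IoT telemetry export.

Added example with constructed data; not code from the original article.
"""
import hashlib
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip", "birth_year", "device")


def pseudonym(email: str) -> str:
    # Hashing the identifier is pseudonymization, not anonymization: the
    # quasi-identifiers left beside it are what re-identifies the row.
    return hashlib.sha256(email.encode()).hexdigest()[:12]


# Constructed vendor export, labelled "anonymous" because names are hashed.
TELEMETRY = [
    {"pseudonym": pseudonym("alice@example.com"), "zip": "10115", "birth_year": 1984, "device": "thermostat-v2", "avg_home_hours": 14.2},
    {"pseudonym": pseudonym("bob@example.com"),   "zip": "10115", "birth_year": 1991, "device": "camera-pro",    "avg_home_hours": 9.8},
    {"pseudonym": pseudonym("carol@example.com"), "zip": "80331", "birth_year": 1984, "device": "thermostat-v2", "avg_home_hours": 16.5},
    {"pseudonym": pseudonym("dave@example.com"),  "zip": "80333", "birth_year": 1985, "device": "thermostat-v2", "avg_home_hours": 11.0},
    {"pseudonym": pseudonym("erin@example.com"),  "zip": "10117", "birth_year": 1990, "device": "camera-pro",    "avg_home_hours": 12.3},
    {"pseudonym": pseudonym("frank@example.com"), "zip": "10119", "birth_year": 1987, "device": "thermostat-v2", "avg_home_hours": 13.7},
]

# Constructed external data set (e.g. a leaked retailer list) with real names.
PURCHASES = [
    {"name": "Alice Adams",   "zip": "10115", "birth_year": 1984, "device": "thermostat-v2"},
    {"name": "Bob Brown",     "zip": "10115", "birth_year": 1991, "device": "camera-pro"},
    {"name": "Carol Clark",   "zip": "80331", "birth_year": 1984, "device": "thermostat-v2"},
    {"name": "Dan Diaz",      "zip": "80333", "birth_year": 1985, "device": "thermostat-v2"},
    {"name": "Dora Diaz",     "zip": "80333", "birth_year": 1985, "device": "thermostat-v2"},
    {"name": "Erin Evans",    "zip": "10117", "birth_year": 1990, "device": "camera-pro"},
    {"name": "Frank Fischer", "zip": "10119", "birth_year": 1987, "device": "thermostat-v2"},
]


def key(record: dict, fields=QUASI_IDENTIFIERS) -> tuple:
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one row is unique and therefore linkable."""
    return min(Counter(key(r, fields) for r in records).values())


def link(telemetry, external, fields=QUASI_IDENTIFIERS) -> dict:
    """Re-identify rows: map pseudonym -> name wherever a quasi-identifier
    combination occurs exactly once in the export and exactly once externally."""
    by_key_t, by_key_e = defaultdict(list), defaultdict(list)
    for r in telemetry:
        by_key_t[key(r, fields)].append(r)
    for r in external:
        by_key_e[key(r, fields)].append(r)
    return {
        rows[0]["pseudonym"]: by_key_e[k][0]["name"]
        for k, rows in by_key_t.items()
        if len(rows) == 1 and len(by_key_e.get(k, [])) == 1
    }


def generalize(record: dict) -> dict:
    """Coarsen the quasi-identifiers: postcode area, birth decade, device family."""
    g = dict(record)
    g["zip"] = record["zip"][:2] + "***"
    g["birth_year"] = record["birth_year"] // 10 * 10
    g["device"] = record["device"].split("-")[0]
    return g


if __name__ == "__main__":
    print("k on raw export:", k_anonymity(TELEMETRY))
    print("re-identified:", link(TELEMETRY, PURCHASES))
    gen_t = [generalize(r) for r in TELEMETRY]
    gen_p = [generalize(r) for r in PURCHASES]
    print("k after generalization:", k_anonymity(gen_t))
    print("re-identified after generalization:", link(gen_t, gen_p))
```

On the raw export k is 1 and five of six rows are re-identified; the sixth survives only because two people in the external list share its quasi-identifiers. After generalization every class has two members and the linkage yields nothing. k-anonymity is a minimum check, not proof of anonymity: it says nothing about sensitive attributes that are identical within a class (here, everyone in a class may still have a similar home-presence pattern), and the right level of generalization depends on which external data an attacker can plausibly obtain.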
Data Control for Users
Users should have control over the data that is processed. They must be enabled to recognize individual data processing functions and, if necessary, be able to switch them off. However, in many IoT solutions, such options are not provided at all or are very limited.
Technical and Organizational Protection Measures, Especially Encryption
According to a survey by Gemalto, a digital security vendor, about two-thirds of IoT companies encrypt all data collected by their devices and used for analysis. The remaining third transmit or store such data in the clear, where it can be read and potentially misused by anyone with access to the network or the device. Encryption is named expressly as a security measure in Art. 32 para. 1 (a) GDPR; in practice it has to cover data both in transit and at rest, and it protects nothing if the keys are embedded in the device firmware or shared across all units.
Protection against Profiling
In many cases, users can be identified directly or indirectly, for example through device identifiers or user registration for a particular device. IoT data can thus lead to user profiles and tracking. Location data of the devices and their users is often collected, stored and analysed in this way, which allows conclusions to be drawn about individuals and their behaviour. IoT providers must have an appropriate legal basis for this (e.g., user consent).
Protection of Sensitive Data
IoT solutions often process data that fall under the special categories of personal data according to Art. 9 GDPR, e.g., health data. With regard to the legal basis, the special requirements of Art. 9 GDPR must be observed here.
Conclusion
In conclusion, it must be stated that there is a great need for action regarding IoT data protection. General recommendations for action are hardly possible due to the diversity of designs and areas of application of IoT. It is therefore necessary to take a holistic view of the specific IoT application. The data protection aspects listed above are a point of reference to be taken into account here. In particular, the principles of data protection by design and by default should be considered.
Diploma-Lawyer (Univ.) Nora Lynn Rodiek, B.Sc., Senior Consultant & Legal Counsel at mip Consult GmbH, Studies: Law & Economics. Data Protection Officer (DEKRA), Data Protection Specialist (DEKRA), Company Health Manager (TÜV).