Internet of Things and privacy: which European Union regulatory guidance?

Smart home, connected car, smart city, e-health ... the scope of the Internet of Things (IoT) is increasingly growing and could lead to a so-called “third internet” revolution, partly linked to the increasing volume of data uploaded. By 2020, the number of connected objects is an estimated between 20 and 50 billion, with an impact on the world economy between 2,000 and 5,000 billion per year. The spread of the Internet of Things today raises many technical issues (5G initiatives in Europe and the United States, network management costs, implementation of complex value chains) and many challenges in terms of protection of privacy, confidentiality, cyber security or regarding to the supervision of the generated and collected personal data.

While these technologies operate without boundaries and are designed mostly with global ambition, their deployment can not ignore the requirements of the European Union with regard to the right to the protection of personal data, right enshrined in Article 16 of the Treaty on the functioning of the European Union (TFEU) and the Charter of fundamental rights.

There is currently no specific legislation applicable to IoT at European level but its fundamentals and principles are being subject to thorough discussion in Brussels. And the adoption of the "data protection" package could give new impetus to these debates.

Indeed, the future of the Internet of Things - with the exponential growth of the mass of data generated, collected, stored and possibly processed or transferred - is an issue that the EU can’t ignore. First to achieve the development of this sector (in terms of safety or reliability) but also to provide it with strong guarantees.

Are the provisions of a specific framework necessary to the IoT or could the existing rules be sufficient?

If there is no consensus regarding the added value that a specific European legislation may bring, there is a discussion committed to the framework or principles that should regulate the IoT.

Thus, a first contribution was made by the Article 29 Group (established by Directive 95/46 and said WP29). The WP29 issued an opinion in September 2014 on the Internet of Things, to contribute to a uniform application of existing EU framework with practical recommendations.

The WP29 has immediately pointed out that uncontrolled developments of the Internet of Things could lead to illegal forms of surveillance contrary to the European Union law. The WP identified six types of risk:

- Lack of control and information asymmetry flows;

- Quality of the user’s consent;

- The potential uses of the "raw data” transmitted and their use for purposes unrelated to their original collection (secondary uses);

- Risk profiling and privacy monitoring with the proliferation of sensors;

- Limitations on the possibility to remain anonymous when using services;

- Security with the need to ensure at all steps of the development of these tools, confidentiality, integrity and maximum safety criteria;

The WP29 also underlined the obligations of stakeholders of the Internet of Things, in the legal framework provided for by Directive 95/46 and Directive 2002/58 ("e-privacy") when applicable, namely: conditions of consent, legal basis of data processing, fair and proportionate collection of data, specific processing for sensitive data, requirements for transparency and security of processing. For example, the WP29 recalled the requirement for explicit consent regarding sensitive data and especially health data.

In its provisional findings, the WP29 requested:

- The systematic use of impact assessments;

- The deletion of unused collected data;

- The possibility for "users" to control their data and the use made of it (beyond the information that must be given to them);

- The limitation of the possibilities to locate or identify an individual continuously.

Secondly, the European Parliament issued a working document in September 2015[1], during the negotiation of the “data protection package”. The document dedicated to Big Data  had quite an offensive stance by recalling that the regulation of “IoT” should respect the fundamental right to personal data protection guaranteed by the Charter of fundamental rights.

It also included the conclusions of the WP29 Opinion to strengthen the effective control of users over their personal data, improve the quality of consent when collecting data and ensure a high level of protection of personal data when data are transferred to third parties outside the European Union –which is a constant concern of the European Parliament.

Lastly, the adoption of the "data protection" package (regulation plus directive) on April 2016 led to a new framework for the Internet of Things.

Even though it does not include specific provisions in this field, the regulation contains some recommendations of the G29, notably enshrining the principles of privacy-by-design (protection of privacy by design of the object) and privacy -by-default (protection of privacy by default), providing a toolbox for compliance or increasing the level of sanctions (eg in the situation of security breaches). The new provisions strengthening privacy (right to forget or to data portability) are also heading in the direction of greater information towards users from digital companies.

The regulation which will be applicable by May 2018, will be one of the regulatory basis of the Internet of Things and will provide a legal ground for any future consideration of more specific provisions.

The major players of the “IoT” will also be interested in by the revision of the e-privacy Directive.

The European Commission has launched a public consultation on the text until the 5th of July, with three issues:

- how to ensure consistency between this directive and the data protection package (eg on reporting data breaches)?

- Should the rules of the E-privacy Directive be modified, regarding new technological innovations and new players emerging in the field of electronic communications?

- How to strengthen the security and confidentiality of communications across the European Union?

Although the Commission has not yet reported on the provisions of the directive worth to be re-considered, the challenge is considerable for operators and players in the telecommunications sector since the revised directive will be -with the "data protection" regulation- a new regulatory scheme to the “IoT” field.

When these legislative projects will be passed, what shall be the added value of any new European legislation? And why should the European Commission propose one?

The European Commission has already raised some concerns[2] and reported problems such as fragmentation between national industrial policies, lack of interoperability standards or legal uncertainty of the transfers of datas outside the European Union.

The Commission knows it will be hard to advocate for specific legislation in the field of IoT. This is also the position of a majority of players in the sector including the AIOTI (Internet of Things Alliance for Innovation) who fear a regulation that would not be "technology neutral" and would freeze the extremely rapid evolution of this sector. This was often often said during the negotiation of the "data protection package".



[2]  Working document – Advancing the Internet of Things in Europe. 19 avril 2016 SWD(2016)110/2