Article 29 Data Protection Working Party, Opinion 8/2014 – the Internet of Things (“IoT”)

The Internet of Things (“IoT”) is “a scenario in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.” (from: http://whatis.techtarget…)*

IoT devices (for example, wearable devices) raise personal data protection and privacy concerns.

The Article 29 Data Protection Working Party (“WP29”), an independent advisory body on data protection and privacy that was set up under Article 29 of the Data Protection Directive 95/46/EC and consists of representatives from the EU members’ data protection authorities, has issued Opinion 8/2014 (14/EN, WP 223) to reach a “uniform application of the legal data protection framework in the IoT” and to contribute to the “identification and the monitoring of the risks derived from those activities, where the fundamental rights of citizens of the EU are at stake”.

WP29 identified the following privacy challenges in IoT: (i) lack of control and information asymmetry; (ii) quality of the user’s consent; (iii) inferences derived from data and re-purposing of original processing; (iv) intrusive bringing out of behavior patterns and profiling; (v) limitations on the possibility to remain anonymous when using services; and (vi) security risks.

WP29 opined that the IoT stakeholders are obliged to comply with: (i) Article 5(3), Directive 2002/58/EC (consent to storage); (ii) Article 7, Directive 95/46/EC (legitimate data processing); (iii) Article 6, Directive 95/46/EC (fair and lawful data collection and processing); (iv) Article 8, Directive 95/46/EC (processing of sensitive data); (v) Articles 10 and 11, Directive 95/46/EC (transparency requirements); and (vi) Article 17, Directive 95/46/EC (security requirements).

The rights of the data subject shall be respected (Articles 12 and 14, Directive 95/46/EC): the data subject shall be granted the right of access and the possibility to withdraw consent and to object.

To facilitate the application of EU privacy law to IoT, the Opinion includes a list of recommendations, which are divided by addressee as follows: (i) all stakeholders; (ii) device manufacturers; (iii) application developers; (iv) social platforms; (v) IoT device owners; and (vi) standardisation bodies and data platforms.

From the Opinion Summary:

“The Internet of Things (IoT) is on the threshold of integration into the lives of European citizens. … [The] expected benefits must also respect the many privacy and security challenges which can be associated with the IoT… Thus, this opinion identifies the main data protection risks that lie within the ecosystem of the IoT before providing guidance on how the EU legal framework should be applied in this context.”


* The WP29 defines the Internet of Things as the “infrastructure in which billions of sensors embedded in common, everyday devices – “things” as such, or things linked to other objects or individuals – are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities”.

