EU data protection and cybersecurity law as applied to the IoT – some thoughts about why it is inadequate

Internet-of-Things (IoT) (or internet-of-everything, as it is often interchangeably called) is a buzzword, and it is all over. At present, the news is more technological than legal. Nonetheless, the IoT triggers some worrisome legal issues, among which data collection, data security, and invasion of privacy are the most compelling. These issues are imposing because of the potential magnitude of the phenomenon, which is big already and will be huge in the near future. Very little explicit regulation of the IoT exists, and there is confusion about which existing laws should apply to it.

The first problem we encounter with the IoT is definitional: there is no settled definition of the IoT. One of the best definitions is given by the Article 29 Data Protection Working Party (“WP29”), which defines the IoT as the “infrastructure in which billions of sensors embedded in common, everyday devices – ‘things’ as such, or things linked to other objects or individuals – are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities.” The WP29 identified the IoT with the principle of “extensive processing of data through … sensors.” Because these sensors communicate unobtrusively and with a “seamless” exchange of data, the WP29 characterizes the IoT as pervasive and “ubiquitous computing.” Opinion 8/2014 on the Recent Developments on the Internet of Things, adopted on 16 September 2014 (“Opinion on IoT”), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf

According to a pessimistic view, the IoT raises such imposing privacy issues that in an IoT environment privacy would be simply “indefensible.” See the opinion expressed by NIST fellow Ron Ross and Robert Bigman, former chief information security officer at the CIA, as reported in the article by Sean Lyngaas, NIST official: Internet of Things is “indefensible”, https://fcw.com/articles/2015/04/16/iot-is-indefensible.aspx. However, for scholars and regulators resignation is unacceptable. How can the daunting issues of privacy and data protection be addressed in this new environment? In Europe, the WP29 has tackled the data protection and privacy issues of the IoT in the above-mentioned Opinion 8/2014.

There is no doubt that the IoT – at least until regulated by special legislation – is subject to the general EU data protection law. Today this means that it is subject to Directive 95/46/EC (“Directive”) and its national implementations. In the near future, it will be subject to the General Data Protection Regulation (“GDPR”), expected to be formalized soon, to enter into force in 2018, and to substitute for the Directive. Why? Because EU data protection law applies to the “processing of personal data”, where “processing” means “any operation or set of operations which is performed upon personal data” (Directive, Article 3 and Article 2(b)) and “personal data” is “any information relating to an identified or identifiable natural person” (Directive, Article 2(a)). The GDPR’s definitions of “processing” and “personal data” will not affect the conclusion that the general EU data protection law will control the IoT.

The WP29 identified the following privacy challenges in the IoT: 1. lack of control and information asymmetry; 2. quality of the user’s consent; 3. inferences derived from data and repurposing of original processing; 4. intrusive bringing out of behavior patterns and profiling; 5. limitations on the possibility to remain anonymous when using services; 6. security risks.

In dealing with these privacy challenges, the WP29 has clarified that the IoT is subject to the framework of the general Data Protection Directive (and the national implementations thereof) and of the Data Protection in the Electronic Communications Sector Directive 2002/58/EC. While the application of the Directives may often be difficult (because the data are not provided by users but are collected by sensors, and also for the other reasons discussed above as privacy challenges), the WP29 has not exempted the IoT from the application of any of the general data protection rules. The WP29 concludes that at least the following provisions come into play with the IoT: 1) Article 7 (legitimate data processing) and Article 6 (fair and lawful data collection and processing); 2) Article 8 (processing of sensitive data); 3) Articles 10 and 11 (transparency requirements); 4) Article 17 (security requirements).

The WP29 recommends that IoT stakeholders implement security measures “taking into account the specific operational constraints of IoT devices,” such as the absence of encryption and the “limited resources in terms of energy and computing power.” To respond to these security issues, the WP29 advises IoT stakeholders to apply the principle of “data minimization” and to restrict the processing of personal data to no more than is strictly required. Other recommended practices are “network restrictions, disabling by default noncritical functionalities, preventing use of un-trusted software update sources” and, again, adherence to a “privacy by design” principle.

Another important document concerning the IoT from an EU perspective is the Mauritius Declaration on the Internet of Things, adopted on October 14, 2014 at the 36th International Conference of Data Protection and Privacy Commissioners (“Mauritius Declaration”), http://www.privacyconference2014.org/media/16596/Mauritius-Declaration.pdf. Privacy Commissioners from around the world (i.e., the national authorities responsible for supervising and enforcing data protection in their respective countries) adopted this short and principled Declaration after speakers from the private sector and from academia presented the risks and benefits of the IoT. The Commissioners highlight their concern for individuals’ right to self-determination, which is an “inalienable right for all human beings” and which the IoT can entrench upon. The Commissioners indicate concerns and give practical suggestions to IoT stakeholders and, in doing so, they echo the WP29’s concepts of clarity of information, informed consent, privacy by design, and encryption.

We mentioned the concept of “privacy by design.” In this regard, the eighty-page report of the European Union Agency for Network and Information Security, ENISA – Privacy and Data Protection by Design – from policy to engineering, December 2014 (“ENISA’s Report”) – is particularly useful. It is available for download at https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design.

Generally speaking, privacy by design and by default should become the cornerstone of the IoT, and stakeholders should carefully study the ENISA’s Report.

European national privacy authorities (and other enforcement agencies) are also focusing their attention on the possible risks of the IoT. For example, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) opened a public consultation on the IoT: Garante per la Protezione dei Dati Personali, Avvio della Consultazione Pubblica su Internet delle Cose (Internet of Things) – Deliberazione del 26 marzo 2015, doc. web n. 3898704, available in Italian at http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3898704

The United Kingdom DPA, the ICO (Information Commissioner’s Office), issued a document discussing, among other things, the privacy issues of the IoT: ICO, The Information Commissioner’s Office response to the Competition & Markets Authority’s call for information on the commercial use of consumer data, https://ico.org.uk/media/about-the-ico/consultation-responses/2015/1043461/ico-response-to-cma-call-for-evidence-on-consumer-data-20150306.pdf.

The Spanish DPA (Resolución de 20 de noviembre de 2015, de la Agencia Española de Protección de Datos, por la que se aprueba el Plan Estratégico 2015-2019, http://www.agpd.es/portalwebAGPD/LaAgencia/common/Resolucion_Plan_Estrategico.pdf) and the French DPA (Commission Nationale de l’Informatique et des Libertés (CNIL), Rapport d’Activité 2014, https://www.cnil.fr/sites/default/files/typo/document/CNIL-35e_rapport_annuel_2014.pdf.pdf) discussed the IoT in their strategic plan and annual report, respectively.

In the EU, the trend is to apply the whole of the general data protection law to the IoT. This makes sense in the current legal framework, because the IoT performs operations on personal data (both of users and of unaware bystanders), and this is “processing” under the Data Protection Directive and under the GDPR. However, some data protection concepts are hardly appropriate for the IoT. For example, trying to elaborate and mandate the concept of “informed consent” to data processing in a hyperconnected world might be a band-aid solution. When everyone is connected 24/7 to others and/or to things (a kind of “hive mind” or “collective” consciousness, like the Borg in Star Trek), does the concept of “consent” become meaningless? But already today, if the data are not conferred by users and are instead subject to ubiquitous capture by sensors, and if users must renounce certain key features of a service to preserve their privacy, is the denial of consent a real alternative?

If the framework moves away from informed consent, what will be the basis for the protection of privacy? We have some hints of emerging alternatives. First, privacy by default and by design, which means that privacy features (including encryption) are embedded in the machines from the “outset”. Second, data minimization and local processing, which means only collecting and transmitting data when strictly necessary. Third, multilevel cybersecurity, meaning that the IoT stakeholders participating in the process should coordinate to secure the entire IoT “ecosystem,” not only their own segment. Fourth, “privacy seals” to foster enhanced trust of users and nonusers. (Governments could provide incentives for many of these alternatives through tax credits.) For these reasons, and for the other privacy challenges discussed above, the EU should consider specific legislation governing the IoT, because the phenomenon has unprecedented features.

For more information, contact Francesca Giannoni-Crystal.

This is a modified extract from the following article: Francesca Giannoni-Crystal & Allyson Haynes Stuart, The Internet-of-Things (IoT) (or Internet of Everything) – privacy and data protection issues in the EU and the US, Info L. J., Spring 2016, vol. 7 issue 2, apps.americanbar.org/webupload/commupload/ST230002/sitesofinterest_files/INFORMATION_LAW_JOURNAL-volume7_issue2.pdf
