The EU’s Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data has released “Opinion 8/2014 on the on Recent Developments on the Internet of Things” (Working Party pdf; archive pdf). We’ve previously discussed the “Internet of Things,” which is a computerized network of physical objects. In the IoT, sensors and data storage devices embedded in objects interact with Web services. (For more on privacy and the IoT, see a Center for Democracy and Technology report that I consulted on and contributed to, “Building the Digital Out-Of-Home Privacy Infrastructure.”) The Working Party writes in its summary:
The Internet of Things (IoT) is on the threshold of integration into the lives of European citizens. The viability of many projects in the IoT still remains to be confirmed but “smart things” are being made available which monitor and communicate with our homes, cars, work environment and physical activities. Already today, connected devices successfully meet the needs of EU citizens on the large-scale markets of quantified self and domotics. The IoT thus hold significant prospects of growth for a great number of innovating and creative EU companies, whether big or small, which operate on these markets.
The WP29 is keen that such expectations are met, in the interests of both citizens and industry in the EU. Yet, these expected benefits must also respect the many privacy and security challenges which can be associated with the IoT. Many questions arise around the vulnerability of these devices, often deployed outside a traditional IT structure and lacking sufficient security built into them. Data losses, infection by malware, but also unauthorized access to personal data, intrusive use of wearable devices, or unlawful surveillance are as many risks that stakeholders in the IoT must address to attract prospective end-users of their products or services.
Beyond legal and technical compliance, what is at stake is, in fact, the consequence it may have on society at large. Organisations which place privacy and data protection at the forefront of product development will be well placed to ensure that their goods and services respect the principles of privacy by design and are equipped with the privacy friendly defaults expected by EU citizens. […]
Thus, this opinion identifies the main data protection risks that lie within the ecosystem of the IoT before providing guidance on how the EU legal framework should be applied in this context. The Working Party supports the incorporation of the highest possible guarantees for individual users at the heart of the projects by relevant stakeholders. In particular, users must remain in complete control of their personal data throughout the product lifecycle, and when organisations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific. To help them meet this end, the Working Party designed a comprehensive set of practical recommendations addressed to the different stakeholders concerned (device manufacturers, application developers, social platforms, further data recipients, data platforms and standardisation bodies) to help them implement privacy and data protection in their products and services.