Data Protection and Privacy Issues of the Internet of Things
Introduction
The first toaster was connected to the Internet in 1990 [1]. Since then, more and more devices are being configured to connect to the Internet, giving existence to the Internet of Things (IoT)—a term often attributed to Ashton [2]—, or the so- called Internet of Everything—a term suggested to have been coined together by two corporations, Cisco and Qualcomm—popularizing the “everything (or anything) as a service” concept. By 2025, it is estimated that 80% of the total data processing will take place by smart connected objects [3]. Even though the term IoT has gained large popularity, in particular with respect to the Consumer IoT. a term like “Internet of Things which are connected to people” would seem more appropriate, given that many of them are equipped with tools aimed to record the sound, movement, image and other physical parameters of those owning them and/ or those using them [4, p. 9].
Those devices, w'hich did not traditionally connect to the Internet, are now capable to generate and share a large amount of data and therefore, be engaged in large-scale data processing. Thus, IoT in combination with another new technology, the fifth generation of connectivity technologies (5G), increases the possibility for deployment, innovation, and business. Several speak about a revolution that could finally lead to wholesome smart cities. Furthermore, according to the United Nations 2030 Sustainable Development Goals (SDGs), Smart Networks will lead the path toward the digitalization of the society and the economy both in developing and developed countries. The European Commission recognizes it as the next major breakthrough for the Information and Communication Technologies [5, p. 4]. This interconnection of everything supported by Smart Networks appears to be unavoidable and will be characteristic of competitiveness and advancement [6, p. 4]. Of course, 5G is not necessary for all IoT applications and other technologies can be used too. Radio Frequency Identification Technology (RFID) tags for the tracking of physical objects which constituted actually some of the first applications of IoT to track locations, date back a long time. RFID applications have already been widely used in healthcare, transportation, security control and retail [7, pp. 4-5].
Despite the benefits stated by those researching for, and investing in, this kind of technologies that would enable IoT, this unprecedented connection to the Internet, in particular of devices which were not originally intended for such use, can create several implications in relation to fundamental rights, and in particular the rights to privacy and data protection, not only for users of IoT services but also for nonusers. Let us take for example an area where a sensor network is installed; persons entering this area will not have control over the information being collected over their person [8, p. 2802]. The A29 WP calls those data subjects “people interacting” with the device as opposed to actual users [9].
This is more so apparent, w'hen considering that the IoT does not refer only to technologies, but also to applications and ecosystems, having as a result that more and more people from every corner of the world, obtain access to connected devices, often without realizing it. Data subjects can be of different ages, can come from different socioeconomic, cultural, and educational backgrounds, and may live in democratic societies or under authoritarian regimes. What they have in common, though, is that consciously or unconsciously, they generate every moment hundreds of pieces of information about themselves and their contacts landscape. In a human-centric Internet, information can have several receivers, known or even unknown to the data subject.
In 2016, the European Union (EU) adopted a new data protection framework, which entered into force in 2018. After 2 years of implementation, the first studies coming from the European Commission, the national supervisory authorities, and other relevant stakeholders show that implementation is slow [10]. The implementation is further challenged by the need for research, innovation and business modeling, and the urge for quick adoption of emerging and new technologies by the markets. For innovation to work, however, trust is key [8, p. 2801]. In the Impact Assessment of the draft General Data Protection Regulation [11], one reads:
Building trust in the online environment is key to economic development. Lack of trust makes consumers hesitate to buy online and adopt new services [...] This is why data protection plays a central role in the Digital Agenda for Europe [...].
[12]
In his Keynote speech to the Privacy and Security Conference 2016, the late European Data Protection Supervisor Giovanni Buttarelli stated: “Processing personal information is not prohibited, but it comes at a cost. It affects the rights and interests of the individual concerned by the data. So it is right for anyone who profits from the data to give account for what they have done and why” [13].
Trust goes hand in hand w'ith trustworthiness, which in the IoT context is being understood as encompassing several principles namely, security, privacy, reliability, safety, availability, resilience, ability to connect, inclusivity, transparency, and accountability [14. p. 16]. Trust and trustworthiness are seen as indispensable for growth in complex value chains related to innovation clusters, urging for cross-disciplinary contemplations: technological (human-machine interaction), cultural, societal, behavioral, psychological, and so forth [14, p. 17].
Apart from trust and trustworthiness, the IoT is dependent upon the free flow of data and open access to allow mutual cooperation among stakeholders in the so-called open digital environments [14]. The free flow of data is the primary aspiration of the EU Digital Single Market. IoT services and applications are in need of both personal and nonpersonal information.1 Nevertheless, even non personal data could be used to disclose personal information, for instance, a person’s or a family’s current location, travel patterns, or even behavioral characteristics.
The data protection law is applicable only on personal data. It is important to remember that the General Data Protection Regulation regulates both the protection of natural persons with regard to the processing of personal data and the free movement of such data. Manufacturers and developers as well as data controllers must ensure compliance with the envisaged legal obligations in order to safeguard a data subject against abuse and harm. A Next Generation Internet requires what Cunningham called already in 2014 a “next generation privacy” [15, p. 132].
This chapter will address the following topics. First, it will introduce the common definition of IoT to be used in this work and a basic taxonomy. It will focus explicitly on consumers’ devices, such as wearables and Smart Home equipment. It will then discuss the challenges raised from the point of view of European data protection law. Particular emphasis will be put on the principles of Data Protection by Design and by Default and the conduct of a data protection impact assessment as a theoretical exercise already at the conceptualization phase of each new device intended to be connected.
