The Legal Framework: Privacy and Data Protection
IoT, like other technological innovations and smart information systems, is governed by a multitude of regulatory frameworks, including intellectual property rights, product liability and accountability, contract and business law, consumer law, and so forth. In this particular chapter, the authors will exclusively examine the implications with respect to privacy and data protection in relation to Consumer IoT.
At the United Nations and Council of Europe (CoE) level, only the right to private life is expressly protected in the body of the conventions. At EU level, the rights to personal data protection and respect for private life are closely related, but they constitute two different rights enshrined in the EU treaties and in the EU Charter of Fundamental Rights (EUCFR). Neither right is absolute, which means that they can be limited under specific conditions in line with the EUCFR . The rights may have to be balanced toward other EU values, or other fundamental rights such as the freedom of expression and the access to information, and private or public interests, such as national security, which constitutes sole responsibility of each Member State .
Both rights safeguard personal autonomy and are considered prerequisite for the exercise of other fundamental freedoms. Often in practice, the right to data protection is considered a subset of the right to privacy and the terms tend to be used interchangeably. However, they diverge in formulation and scope. The right to data protection refers to the protection of information relating to an identified or identifiable natural living person. It equips individuals with further rights and control over their data, particularly given new risks emerging in the digital era .
A long scholarly discussion has taken place around privacy [24, p. 22]. The right to privacy or the right to a private life refers to the right to be autonomous, to be let alone or to be able to avoid state intrusion. It further refers to the inviolability of the home and the confidentiality of the communication [24, p. 23]. In some jurisdictions, it has been associated with freedom, the notion of human dignity, and that of person- hood or being human [24, p. 23]. Other theories have also proposed the so-called informational privacy or privacy of information, a discussion which was re-enforced with the introduction of the computers and seemed to have led in the adoption of the first data protection laws around the world in the 1970s.
Provided the massive amount of data being generated, collected, and processed, IoT developers, providers as well as consumers will have several questions to consider. What types of data are collected and by whom? Why are these data collected ? Could the device function properly without those data? Where are data sent to, where are they stored, and for how long are they retained? How are the data processed and who has access to them? Does the device collect information about others, third users, or nonusers or does it collect more information than what it is needed to provide the service? How are the data kept secure and how do users get notified in case of a data breach or who they should address w'hen they exercise their rights?
Intelligent "things” can revolutionize one’s daily life. Yet, they are objects found in the most intimate personal sphere of an individual. A striking characteristic of some of those smart objects is that many of them do not have an own interface. This lack poses challenges in providing sufficient information to the user about the respective data processing operations and often causes misconceptions about the actual collection of personal data, which may occur any time at any space even when someone does not actively interact with a device. This is why, in the IoT landscape, some authors speak about the need for a unicum between data protection and privacy, a so-called data protecy , simultaneously ensuring both rights, through tools which—in addition to a minimum protection threshold—allow the user to self-acti- vate different forms of protection.
In the next sections, the authors will present the different frameworks in relation to data protection and privacy at the international and European levels, paying particular attention to the EU framework.
The United Nations Approach
In the international human rights law, privacy is a fundamental right and can be found in all the international human rights instruments, including primarily the United Nations Declaration of Human Rights (UDHR) 1948, Article 12: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." UDHR is a nonbinding instrument, but it is of considerable symbolic importance, provided its historic significance.
The right to privacy is protected as well in the International Covenant on Civil and Political Rights (ICCPR) 1966. Article 17 ICCPR states:
- 1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation.
- 2. Everyone has the right to the protection of the law against such interference or attacks.
The ICCPR Signatory States are themselves bound to uphold the standards enhanced in the Covenant and despite the lack of a judicial body, a monitoring and complaints-handling committee—the Human Rights Committee—has been assigned for the implementation oversight. Individuals can launch complaints upon exhaustion of domestic remedies, given that the concerned state party has signed and ratified the First Optional Protocol to the Covenant. Even though the views, the reports and the interpreting comments of the Committee are not binding either, they carry a special weight.
The right to data protection is not explicitly protected at the United Nations level. Albeit, the right to data protection is considered to be protected under the right to privacy and this has also become obvious in the Report of the High Commissioner for Human Rights on the right to privacy in the digital age .