Carte blanche: Smart, connected devices are increasingly popular, but firms need to make sure their privacy policies are up to scratch and their customers fully informed, writes Catherine Di Lorenzo.
The “internet of things” (IoT), like the cloud and big data, is the newest innovation buzzword attracting the attention of IT professionals, users and lawyers alike.
So, what is it about? Put simply, the term covers “smart things”, i.e., devices with embedded technology that allow for the collection, storage and sending of data via the internet to the device user or other devices and individuals. Examples include a fridge that sends the grocery list to the shop or a watch that collects health data of its wearer and sends it to the person’s doctor.
The use of these smart devices triggers various legal questions relating to contractual or liability issues, regulatory issues, standards and security questions. For instance, who is responsible for the goods purchased by the fridge in the above example, or does a device collecting health data also qualify as a medical device and therefore have to comply with the specific regulations in this sector.
Moreover, when the device collects data which can directly or indirectly identify an individual (i.e., personal data), data protection laws come into play. Under today’s legal framework, the data controller, that is the person or entity deciding on the means and purposes of the data processing (i.e., the use, storage, transfer, etc. of personal data), should comply with applicable data protection laws.
When a data controller who is established on Luxembourg territory, or when a data controller who is established outside of the European Union uses equipment situated on Luxembourg territory, Luxembourg data protection law, and notably the data protection act of 2 August 2002 applies. In the case of IoT, data controllers can be device manufacturers or app developers.
The obligations of a data controller encompass amongst others that personal data must only be processed based on legitimate grounds. The main legitimate grounds in the case of an IoT data processing would be that the processing is necessary for the performance of a contract with the individual, consent of the individual or a legitimate interest of the data controller (but only where the interests and fundamental rights of the concerned person do not prevail).
Obtaining valid consent (which has to be free, informed and specific) for the processing can be a challenge in the IoT environment. In fact, a granular consent should be obtained to enable the concerned individuals to be in control over the processing of their data.
Another obligation of the data controller would be to protect the data against unlawful access, or any other unlawful forms of processing. Due to the nature of the devices, device manufacturers have often to balance device security and battery efficiency and in practice regularly choose to offer additional functionalities rather than strong security measures.
Going forward, IoT stakeholders should apply the principles of “privacy by design” (consider privacy protection from the outset of a project) and “privacy by default” (privacy protective settings of the device and apps), data minimisation (only collect and store necessary data), and ensure transparency (e.g., by clear information and granular consent).
Catherine Di Lorenzo holds a doctorate in law from the University of Trier. She was called to the Luxembourg Bar in 2006 and is a senior associate in Allen & Overy’s intellectual property and telecommunications, media and technology practices.