BreachExchange mailing list archives

'Internet of things' data should be 'treated as personal data', say privacy watchdogs


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 21 Oct 2014 18:08:03 -0600

http://www.out-law.com/en/articles/2014/october/internet-of-things-data-should-be-treated-as-personal-data-say-privacy-watchdogs/

Data generated by devices in the 'internet of things' (IoT) age should be
"regarded and treated as personal data", data protection authorities (DPAs)
from across the globe have agreed.

The watchdogs said it is "more likely than not" that such data can be
attributed to individuals.

"Internet of things' sensor data is high in quantity, quality and
sensitivity," a declaration (2-page / 87KB PDF) published at the 36th
International Privacy Conference last week said. "This means the inferences
that can be drawn are much bigger and more sensitive, and identifiability
becomes more likely than not. Considering that the identifiability and
protection of big data already is a major challenge, it is clear that big
data derived from internet of things devices makes this challenge many
times larger. Therefore, such data should be regarded and treated as
personal data."

The document is not binding on the DPAs that attended the conference, which
included regulators from across Europe and Asia Pacific. However, it made
clear that businesses that embrace the IoT should consider the data
generated by devices to be subject to data protection laws, and therefore
collected, processed, stored and disposed of in line with those rules.

"Assuming that all data generated by IoT devices is personal data is too
simplistic and unhelpful insofar as it transfers the burden of proof onto
data controllers to demonstrate otherwise," data protection law specialist
Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said. "A
better approach for all would be to undertake a considered analysis of the
data generated by IoT devices, including analytics derived from their
output, and use that as the basis for the organisation's privacy strategy."

The declaration said that businesses using connected devices must be
"clear" with individuals "about what data they collect, for what purposes
and how long this data is retained". Consumers should not experience any
"out-of-context surprises" about the way in which their data is processed,
it said.

"When purchasing an internet of things device or application, proper,
sufficient and understandable information should be provided," the
declaration said. "Current privacy policies do not always provide
information in a clear, understandable manner. Consent on the basis of such
policies can hardly be considered to be informed consent. Companies need a
mind shift to ensure privacy policies are no longer primarily about
protecting them from litigation."

The declaration outlined the DPAs' backing for new technology that accounts
for privacy by the way it has been designed. The concepts of 'privacy by
design' and 'privacy by default' "should become a key selling point of
innovative technologies", it said.

The watchdogs said "local processing" on devices should be encouraged in an
effort to minimise data security risks, but that "end-to-end encryption"
should be put in place if local processing is not possible to ensure the
data passing over a network between devices is not subject to "unwarranted
interference and/or tampering".

A separate resolution on 'big data' (3-page / 96KB PDF) was also adopted at
the conference. The resolution outlined the watchdogs' support for
principles such as data minimisation and called on businesses to give
consumers access to "effective tools to control their information".