Earlier this year, the Global Privacy Enforcement Network ("GPEN") published the results of its global privacy review of 'Internet of Things' ("IoT") devices. This annual review, dubbed the 'Privacy Sweep', found that many companies failed to explain to users how their personal data is collected, stored and safeguarded via devices that boast internet connectivity. GPEN found that companies demonstrating good privacy communication practices were in the minority.
With IoT devices becoming increasingly prevalent in everyday life, we examine the results of this Privacy Sweep and what they mean for IoT stakeholders.
What is GPEN?
GPEN connects data protection authorities ("DPAs") from around the world and aims to promote cross-border cooperation and the strengthening of privacy practices. GPEN is comprised of over 60 DPAs based in 39 jurisdictions and was established in 2010 as the result of a recommendation by the OECD.
The IoT Sweep
25 DPAs from around the world examined the privacy communications and practices of 314 IoT devices in April 2016. The aim was to increase awareness of best practices and to encourage compliance with privacy legislation.
Each DPA chose a category of IoT device to review. This involved interacting with and using the device, examining the privacy notices that came packaged with it, and analysing the information provided on the device's website. In certain instances, DPAs also contacted the relevant organisations directly with questions related to privacy. This approach was aimed at recreating the consumer experience by requiring the DPAs to spend time checking the privacy performance of the device against a set of common indicators.
Connected toys, cars, TVs, wristwatches that monitor health, and smart household appliances were among the devices studied. In Ireland, the Office of the Data Protection Commissioner ("DPC") investigated 9 devices from the IoT environment, including smart electricity meters and fitness trackers. The DPC's national findings were broadly in line with global trends.
The results of the Privacy Sweep included findings, in respect of devices and/or organisations, that:
- 59% didn't adequately explain to customers how their personal data was collected, used and disclosed
- 68% failed to properly explain how information was stored
- 72% failed to explain how customers could delete their information off the device
- 38% failed to include easily located contact details should customers have privacy concerns
- 68% collected location data
- 64% asked for date of birth details and
- 41% collected photo, video or audio files
The majority of organisations did not indicate whether data gathered on the individual would be encrypted when stored or transferred.
The DPAs involved in the Privacy Sweep are now considering their next steps. This may include action against the developers and suppliers who have been found to be in breach of law. Concerns identified by the Privacy Sweep may result in enforcement action.
The DPC has stated that it plans to increase investigations audits of technology devices in 2017. Its aim is to gauge compliance with Irish data protection law and to work with developers and suppliers of IoT devices to ensure that their products are meeting the requisite standards.
There is an increasing regulatory focus on the principles of data protection by design and default and data minimisation, particularly in cases where large amounts of personal data are collected or used. When developing a product or service built around the IoT, developers and producers should ensure to:
- be transparent about how personal data is collected, used and disclosed
- implement privacy policies and just-in-time notices to inform users and other individuals
- design, optimise and adopt internal data protection policies and practices in line with these principles
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.