Data generated by devices – the so-called “internet of things” – should be considered personal data and therefore be governed by data protection laws.
That was the conclusion of data protection authorities from around the world in a two-page declaration published at the 36th International Privacy Conference.
“Internet of things’ sensor data is high in quantity, quality and sensitivity,” concluded the conference in its declaration.
“This means the inferences that can be drawn are much bigger and more sensitive, and identifiability becomes more likely than not. Considering that the identifiability and protection of big data already is a major challenge, it is clear that big data derived from internet of things devices makes this challenge many times larger. Therefore, such data should be regarded and treated as personal data.”
Furthermore, while business cases have not exactly been nailed down yet, the declaration's authors believe that data fed from connected devices will almost certainly acquire a value and be traded.
“Even though for many companies the business model is as yet unknown, it is clear that the value of the internet of things is not only in the devices themselves. The money is in the new services related to the internet of things and in the data,” continues the declaration.
It called for transparency about what data is, or will be, collected, and how it will be used. This information needs to be conveyed in a clear and transparent manner – which it isn’t at the moment – and “informed consent” is required before organisations, including governments and companies, can use this data.
“Data processing starts from the moment the data are collected. All protective measures should be in place from the outset. We encourage the development of technologies that facilitate new ways to incorporate data protection and consumer privacy from the outset. Privacy by design and default should no longer be regarded as something peculiar. They should become a key selling point of innovative technologies,” it continues.
The data protection declaration also called for end-to-end encryption of data – something that many current devices don’t do – in order to protect people from eavesdropping. Indeed, the security of such devices has already been well examined and found wanting.
However, the document is not binding on the data protection authorities that attended the conference, and some of its sweeping conclusions came in for criticism from specialists in the field.
“Assuming that all data generated by IoT devices is personal data is too simplistic and unhelpful insofar as it transfers the burden of proof onto data controllers to demonstrate otherwise,” said data protection law specialist Marc Dautlich of Pinsent Masons. He continued: “A better approach for all would be to undertake a considered analysis of the data generated by IoT devices, including analytics derived from their output, and use that as the basis for the organisation’s privacy strategy.”
The declaration follows the publication of the results of an EU working party last month, which reached similar conclusions.