IoT: The privacy protection in EU

16th December 2016 by Marie-Claire Péroux LL.M

The connected things (IoT) and the protection of privacy in EU. New development, security requirements every consumer and IoT producer should be aware of: any “Thing” can potentially become connected, surrounding us with a growing number of computers never turned off.

Why Should We All Feel Concerned?

The numbers are staggering whichever study one looks at.

A report by Business Insider [1] mentioned for example that about 34 billions, (billions...), connected “things” will surround us by 2020.

They will not only sit around our daily life but also inside our body or taking complete hold of us in transportation (driverless cars for example).
Even if we do not want to buy one of these connected things, we are exposed to them, think connected surveillance cameras, connected light bulbs, our very own smart phone is the most connected thing we use at the moment.

Any “Thing” Can Potentially Become Connected, Surrounding Us with A Growing Number of Computers Never Turned Off.

Who will refuse state of the art connected insulin pump helping one’s doctor to remotely check the condition of our diabetes, who will refuse the convenience of a life supporting device in our body?
There will not even be a choice since these connected devices will be installed everywhere not only in public spaces but also in our private space, the only place where one could expect to be left alone and not snooped upon?

By The Way, What Is Private Or Public In Our Already Connected Life?

Privacy has different meanings in different cultures.

What sort of privacy would be common to every human in this ultra-connected world of things?

This is not a purely hypothetical question since it touches upon our liberty to have a “private” space where we can expect our liberty to think and act to be preserved.

An article [2] proposed that the EU will become a de facto reference for individual privacy since it is the region with the most stringent and protective view on the right to privacy enshrined as a human right [3]).

Art 8 “Everyone has the right to respect for his private and family life, his home and his correspondence“.
The article doesn’t define what is considered private since it is an evolving notion.

In convergence to privacy, the EU guards the right to the protection of personal data in The Charter Of Fundamental Rights Of The European Union [4].

Just 30 years ago who would have dared or even dreamt it necessary to post on one’s “door” (computer page), to be seen by a maximum of strangers or “friends”, whatever petty or great events in our day with a picture of us to prove it (hello Facebook, Twitter and the like)?

In 20 years, what will privacy mean?

Is There A Sense Of Privacy Common To All Humans?

Yes I think.
It is the right to have a personal physical and mental space to form one’s opinion without being watched over.
It is as well the right to behave as we wish, in the respect of the law, once our door is closed.

Do we act the same if we know someone is checking on our behavior? Do we act differently to be “liked” in our digital life?

I do hope that the sense of what is private remains important for the future generations.
One should not wait for the law to regain an acceptable level of protection of one’s personal life.

Each of us has extended one’s physical life to a parallel digital life, generated by data, produced and collected constantly through connected devices.

In a comment on the controversial collection of biometric features, digital prints, voice, iris or even heartbeat for digital identification, a common view reported that it would be more easily adopted by people in emergent economies since they did not have the same notion of privacy as in Europe or the USA [5].

Apart from the fact that consumers in emerging economies cherish probably their privacy as much as anybody else in the world, producers of IoT should not forget the ethical part of their responsibility in producing privacy respectful connected things.

Security And The Limit To IoT: What Is More Private Than Our Body Functions Or Our Behavior And Why EU Is Stepping Up Its Control?

Each one of these things is a new point of entry for malevolent hackers looking to disrupt the business of companies or even the functioning of a country (look at what happened to Ukraine in 2015 [6], its power grid was shut down by hackers taking advantage of industrial IoT).

And why not imagine the actual physical threat to a human trough a connected object used as a weapon (a car for instance [7])?

The problem with this army of connected object is that they are often connected through broadband connections and to private platforms collecting and processing a large amount of data.

EU Has Sufficient Economic Power To Impose Rules And, As Importantly, Ethics, On The World’s Producers Of Connected Devices. The GDPR (The General Data Protection Regulation [8])

The regulation will apply directly in EU states from May 25, 2018 but it should be integrated by producers selling to European consumers and collecting their personal data as well as by EU consumers when dealing with connected objects.

Apparently, a lot if not most, of connected devices put on the market so far have not been made with the thought of privacy protection of their users but only with commercial purpose.

Security is not only required in the component of the objects themselves but also in the communication and processing of the large amount of private data collected. The GDPR requires “privacy by design” but also restricts the use, processing and transfer of the collected data.

Final Thoughts

It is important that a large economy presses the industry in adopting a respectful behavior very quickly before the market is overwhelmed with unsecure things.

It is necessary that the producers themselves realise that it is in the best interest of their business to secure objects and prevent very expensive and harmful cyber- attacks through their devices.
They should go further than the minimum legal requirements and provide an ethical respectful management of the data and use of the IoT.

Consumers have to evolve as responsible in choosing devices for an immediate service, potentially physically harmful objects are invited next to us and our family.
They have to educate themselves on the risk involved by things that are in fact more computers controlling directly their life in an intimate way.

References:

[1] IoTSF conference: EU should become de facto regulator
[2] http://spdblotter.seattle.gov/2016/11/30/car-thief-foiled-by-police-nap-power-door-locks/
[3] European Convention on Human Rights and Fundamental Freedom
[4] Charter of fundamental rights of the European Union
[5] Biométrie: êtes-vous prêts à transformer votre corps en mot de passe?
[6] Russian Hackers Shut Down Ukraine’s Power Grid
[7] IoT: the connected things as weapons
[8] Official Journal of the European Union