Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

Warning to those who covet the data of Internet of Precious Things

There's nothing for you here: it's personal data – watchdogs

Data generated by devices in the "internet of things" age should be "regarded and treated as personal data", data protection authorities from across the globe have agreed.

The watchdogs said it is "more likely than not" that such data can be attributed to individuals.

"Internet of things’ sensor data is high in quantity, quality and sensitivity," a declaration (2-page/87KB PDF) published at the 36th International Privacy Conference last week read.

"This means the inferences that can be drawn are much bigger and more sensitive, and identifiability becomes more likely than not. Considering that the identifiability and protection of big data already is a major challenge, it is clear that big data derived from internet of things devices makes this challenge many times larger. Therefore, such data should be regarded and treated as personal data."

The document is not binding on the DPAs that attended the conference, which included regulators from across Europe and Asia Pacific. However, it made clear that businesses that embrace the IoT should consider the data generated by devices to be subject to data protection laws, and therefore collected, processed, stored and disposed of in line with those rules.

"Assuming that all data generated by IoT devices is personal data is too simplistic and unhelpful insofar as it transfers the burden of proof onto data controllers to demonstrate otherwise,” data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said. “A better approach for all would be to undertake a considered analysis of the data generated by IoT devices, including analytics derived from their output, and use that as the basis for the organisation’s privacy strategy."

The declaration said that businesses using connected devices must be "clear" with individuals "about what data they collect, for what purposes and how long this data is retained". Consumers should not experience any "out-of-context surprises" about the way in which their data is processed, it said.

"When purchasing an internet of things device or application, proper, sufficient and understandable information should be provided," the declaration said. "Current privacy policies do not always provide information in a clear, understandable manner. Consent on the basis of such policies can hardly be considered to be informed consent. Companies need a mind shift to ensure privacy policies are no longer primarily about protecting them from litigation."

The declaration outlined the DPA's backing for new technology that accounts for privacy by the way it has been designed. The concepts of "privacy by design" and "privacy by default... should become a key selling point of innovative technologies", it said.

The watchdogs said "local processing" on devices should be encouraged in an effort to minimise data security risks, but that "end-to-end encryption" should be put in place if local processing is not possible to ensure the data passing over a network between devices is not subject to "unwarranted interference and/or tampering".

A separate resolution on "big data" (3-page/96KB PDF) was also adopted at the conference. The resolution outlined the watchdogs' support for principles such as data minimisation and called on businesses to give consumers access to "effective tools to control their information".

The DPAs also agreed on a new framework for "increased enforcement cooperation" at the conference.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Similar topics

TIP US OFF

Send us news


Other stories you might like