The Internet of Things (IoT) is coming under growing scrutiny from regulators. After the report from the Italian telecom regulator (AgCom), the Italian privacy authority has just launched a consultation seeking input from the industry on how to regulate the IoT.
I discussed in this blog post the report issued by AgCom on the Internet of Things, which raised considerable issues in terms of telecom compliance, including whether or not B2C operators need to hold a telecom license in addition to the license held by the telecom operator.
As to the privacy issues relating to the Internet of Things, the European privacy regulators had already addressed the matter in the opinion of the Article 29 Working Party, which we covered in this blog post. The issue had also been tackled by the US regulators in the recommendations of the Federal Trade Commission on the Internet of Things, covered in this blog post. In previous posts I had also touched on the data protection issues affecting the IoT as a whole, as well as wearable technologies, eHealth, connected cars, drones and smart homes, all of which are part of the Internet of Things.
The Internet of Things privacy consultation
The Italian data protection authority (the Garante) decided to launch a consultation to obtain feedback from the market and identify potential issues in relation to:
- The level of transparency of the information communicated to individuals whose personal data is processed through IoT technologies, the purposes for which the data is processed and the retention period of the collected data, also in order to ensure that a valid consent is given;
- The types of personal data that are processed, the reliability of such data with particular reference to health-related data, and the type of data monitoring that often occurs without the individuals' full knowledge;
- The security of processed data, with reference also to communications to third parties, their improper usage and the loss of personal data, also taking into account the number of entities involved, the volume of data collected and the usage of radio communications, which can be vulnerable;
- The need to put in place a privacy by design approach, as outlined in the ENISA Report, to ensure privacy compliance of an IoT apparatus;
- The cryptography techniques used in relation to the data communicated through the different IoT devices;
- The modalities of processing of personal data, also in relation to the usage of anonymization techniques as outlined in this blog post;
- The business models implemented, also in relation to the interoperability of the platforms, the portability of the information and the standards put in place to ensure that users have full control of their personal data and the ways in which they are used;
- The potential certifications to be adopted, also at the international level, as well as protocols of authentication or mutual recognition.
What is the industry asked for and what are the deadlines?
The players of the IoT market are requested by the data protection authority to provide their feedback on the modalities in which the above-mentioned principles can be adopted in an Internet of Things environment, with particular reference to:
- The profiling activities of users, occurring also without their knowledge;
- The necessity to provide transparent information to users also for the purposes of obtaining a valid consent to the data processing;
- The risks related to the possible monitoring of the data as well as the security measures implemented;
- The applicability of a privacy by design approach;
- The business models used by the industry;
- The standardization aspects; and
- The potential usage of certifications.
This consultation will be crucial to identifying solutions that ensure the privacy compliance of Internet of Things devices in ways that preserve their efficiency and economic value.