SlideShare uma empresa Scribd logo

EU data protection issues in IoT

Transferir como PPTX, PDF
Francesca Giannoni-Crystal
Francesca Giannoni-Crystal
1 de 30
EU data protection issues in the Internet-of-Things (IoT) (or Internet of Everything)
IoT is subject to the general data protection law • Currently: Directive 95/46/EC (“Directive”), available at http://eur- lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML • Soon: General Data Protection Regulation (“GDPR”), expected entry into force Spring 2018, available at http://data.consilium.europa.eu/doc/document/ST-5455-2016- INIT/en/pdf
EU Authorities on IoT WP29’s Opinion 8/2014 on the Recent Developments on the Internet of Things, available at http://ec.europa.eu/justice/data- protection/article-29/documentation/opinion- recommendation/files/2014/wp223_en.pdf
Privacy challenges in the IoT (as identified by the WP29) • 1. Lack of control and information asymmetry – IoT, with its pervasive and “unobtrusive” presence, might cause data subjects to lose control under several perspectives and result basically in a “third-party monitoring.”
Privacy challenges in the IoT (as identified by the WP29) • 2. Quality of the user’s consent – EU law requires consent for the legitimate processing of personal data (save exceptions). Consent is a major problem with the IoT because often (i) often users are not aware that a specific object is collecting data (ii) the possibility to decline certain services or features of an IoT device is more theoretical than real.
Privacy challenges in the IoT (as identified by the WP29) • 3. Inferences derived from data and repurposing of original processing – The problem is that data collected by a specific device might be insignificant (e.g. accelerometers and gyroscope of smartphones), but this raw information might allow the controller to “infer” much more significant information (for example, driving habits)
Privacy challenges in the IoT (as identified by the WP29) • 4. Intrusive bringing out of behavior patterns and profiling – Due to the “proliferation of sensors,” a vast amount of separate (maybe insignificant) pieces of information will be collected and continuously cross-matched with one another, which “reveal specific aspects of individual’s habits, behaviours and preferences.” IoT stakeholders will be able to create general profiles of users.
Privacy challenges in the IoT (as identified by the WP29) • 5. Limitations on the possibility to remain anonymous when using services. – With the IoT everyone is traceable – Why? Think of wearable devices (e.g., smart watches), used in close proximity to data subjects so that they are able to collect “identifiers” (e.g., MAC addresses of other devices) that can track the location of users.
Privacy challenges in the IoT (as identified by the WP29) • 6. Security risks
Privacy challenges in the IoT (as identified by the WP29) • 6. Why cybersecurity risk is higher in IoT environment? – Manufacturers prefer battery efficiency over security; – the number of “security targets” will dramatically increase; – Need of multilevel cybersecurity multilevel, which involve securing devices, “communication links, storage infrastructure” and the entire IoT “ecosystem” – Since more IoT stakeholders involved to provide a service, need to provide cybersecurity coordination among them.
Privacy challenges in the IoT (as identified by the WP29) – Above IoT challenges are not uniquely European.
Relevant EU data protection principles – Data from things is often “personal data” (therefore subject to the general data protection) pursuant to Article 2(a) of Directive 95/46/EC because individuals are likely to be identified from that data. – Also in case of pseudonymisation or anonymisation because “the large amount of data processed automatically in the context of IoT entails risks of re-identification.” Opinion on IoT at 10.
Relevant EU data protection principles – Data subjects are not only the subscribers of an IoT service or the users of a device but also individuals that are neither subscribers nor users, such as people whose data is collected by wearables (such as smart glasses), sometimes without being aware of.
Relevant EU data protection principles • At least the following provisions of Directive 95/46/EC are relevant: • - Article 7 (legitimate data processing). Opinion on IoT at 14- 16. Note that “Lawfulness of processing” is in Article 6 of the new GDPR. – The main avenue for a legitimate data processing is data subject consent. Article 7(a). Consent must have the characteristics specified by WP29’s Opinion 15/2011. – Alternatives to consent possible.
Relevant EU data protection principles • Article 6 (fair and lawful data collection and processing). – “minimization” principle • Article 8 (processing of sensitive data). - “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and … concerning health or sex life”. Consent required (very limited exceptions). - Under GDPR wider definition - now includes genetic and biometric data.
Relevant EU data protection principles • Articles 10 and 11 (transparency requirements). – Data controllers must provide users with a privacy policy in a “clear and comprehensible manner.” • Challenging with the IoT and might require new methods of delivery. Opinion on IoT at 18. E.g., on the object itself using the wireless connectivity to broadcast the information. See Article 14 and 14(a) GDPR. The characteristics of the information are listed in Article 12 GDPR.
Relevant EU data protection principles Article 17 (security requirements). - Any data controller remains fully responsible for security of the data processing even when more than one IoT stakeholder intervenes in the delivery of service. - New security principles from GDPR (Article 30) - (i) security breach: data controller responsible if breach results from poor design or maintenance of device; - (ii) security assessments: “of system as a whole, including at components’ level.” Opinion on IoT at 18. - Data breach notification duty to the supervisory authority within 72 hours (Article 31).
Relevant EU data protection principles Cybersecurity recommendations from WP29: - Data controllers must supervise subcontractors that design and manufacture devices which are not processors (not bound by Article 17) and must seek “high security standards with regard to privacy.” - Use of principle of “data minimization”; - “Network restrictions, disabling by default noncritical functionalities, preventing use of un-trusted software update sources” ; - adherence to a “privacy by design” principle.
Relevant EU data protection principles Cybersecurity recommendations from WP29 (cont’d) - automatic updates to patch vulnerabilities always available to users OR alternatives offered (e.g., open-source) AND and notification to users of vulnerability. - Security of IoT devices tracking health values must be particularly protected. - Data breach notification policies useful to contain the consequences of vulnerabilities in software and design.
Relevant EU data protection principles • Rights of data subjects: the same they have in non-IoT environment (e.g., Articles 12 and 14), particularly the right of access, the right to withdraw consent, and the right to oppose the processing. – Access to raw data should be granted to users. Opinion on IoT at 20. Access to data is to switch to another provider (avoiding the lock-in). – GDPR provides a “right to portability”. Article 18 GDPR: • The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided.
Relevant EU data protection principles • IoT stakeholders must also comply with Article 5(3) of Directive 2002/58/EC (consent to storage in E-Privacy Directive). – Unless storage or access (by IoT stakeholder) is “strictly necessary in order to provide a service explicitly requested by the subscriber or user,” consent is necessary.
Mauritius Declaration and other important authorities Mauritius Declaration on the Internet of Things. adopted on October 14, 2014 inside the 36th International Conference of Data Protection and Privacy Commissioners (“Mauritius Declaration”), http://www.privacyconference2014.org/media/16596/Ma uritius-Declaration.pdf.
Mauritius Declaration and other important authorities Mauritius Declaration highlights: individuals’ right to self-determination; drawing of broader and more sensitive inferences form the huge quantity of data; Identifiability; ubiquitous connectivity which requires trust in a connected world. To maintain trust, transparency is key.
Mauritius Declaration and other important authorities Concerns of Commissioners: Lack of clarity of information (which data is collected, for which purpose and retention policy); informed consent;  privacy by design and by default still not use Lack of encryption. End-to-end encryption necessary.
Mauritius Declaration and other important authorities - ENISA, Privacy and Data Protection by Design – from policy to engineering December 2014, available at https://www.enisa.europa.eu/activities/identity-and- trust/library/deliverables/privacy-and-data-protection-by- design. - privacy needs to be considered from the very beginning of system development. For this reason, [Dr. Ann] Cavoukian [former Information and Privacy Commissioner of Ontario, Canada] coined the term “Privacy by Design”, that is, privacy should be taken into account throughout the entire engineering process from the earliest design stages to the operation of the productive system.
Mauritius Declaration and other important authorities • Report discusses also – “privacy/data protection by default,” meaning that “in the default setting the user is already protected against privacy risks.” – “privacy design strategies” – several privacy techniques including authentication, attribute based credentials, secure private communications like encryption, and communications anonymity and pseudonymity.
Mauritius Declaration and other important authorities DPAs’ positions on IoT:  Italian DPA (Garante per la Protezione dei Dati Personali), Avvio della Consultazione Pubblica su Internet delle Cose (Internet of Things) - Deliberazione del 26 marzo 2015, doc. web n. 3898704, available in Italian at http://www.garanteprivacy.it/web/guest/home/docweb/- /docweb-display/docweb/3898704  UK DPA (ICO), The Information Commissioner’s Office response to the Competition & Markets Authority’s call for information on the commercial use of consumer data, https://ico.org.uk/media/about- the-ico/consultation-responses/2015/1043461/ico-response-to-cma- call-for-evidence-on-consumer-data-20150306.pdf.
Mauritius Declaration and other important authorities DPAs’ positions on IoT (cont’d):  Spanish DPA, Resolución de 20 de noviembre de 2015, de la Agencia Española de Protección de Datos, por la que se aprueba el Plan Estratégico 2015-2019, available in Spanish at http://www.agpd.es/portalwebAGPD/LaAgencia/common/Resolucion _Plan_Estrategico.pdf.  French DPA (Commission Nationale de L’informatique et des Libertés – CNIL), Rapport d’Activite’ 2014, in French at https://www.cnil.fr/sites/default/files/typo/document/CNIL- 35e_rapport_annuel_2014.pdf.pdf, discussing smart cars and smart cities.
More information Francesca Giannoni-Crystal & Allyson Haynes Stuart, The Internet-of-Things (#IoT) (or Internet of Everything) – privacy and data protection issues in the EU and the US, Information Law Journal, Spring 2016, volume 7 issue 2, available at http://apps.americanbar.org/dch/committee.cfm?com= ST230002 www.technethics.com (TAG IoT: http://www.technethics.com/tag/iot/)
Contacts Francesca Giannoni-Crystal (NY, DC, Italy, and SC foreign legal consultant- not a member of SC Bar) Crystal & Giannoni-Crystal, LLC (www.cgcfirm.com) fgiannoni-crystal@cgcfirm.com

Recomendados

Privacy and Data Protection in Research
Privacy and Data Protection in ResearchPrivacy and Data Protection in Research
Privacy and Data Protection in ResearchMarlon Domingus
 
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security PrinciplesLisa Catanzaro
 
Enisa and cyber security standards
Enisa and cyber security standardsEnisa and cyber security standards
Enisa and cyber security standardsEuropean Union Agency for Network and Information Security (ENISA)
 
NIST article I wrote
NIST article I wroteNIST article I wrote
NIST article I wroteLisa LaForge, JD, CIPP/E, CIPM
 
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...EUDAT
 
Legal framework for digital health innvoation - Protection through patents, d...
Legal framework for digital health innvoation - Protection through patents, d...Legal framework for digital health innvoation - Protection through patents, d...
Legal framework for digital health innvoation - Protection through patents, d...DayOne
 
CTO-CybersecurityForum-2010-Richard Simpson
CTO-CybersecurityForum-2010-Richard SimpsonCTO-CybersecurityForum-2010-Richard Simpson
CTO-CybersecurityForum-2010-Richard Simpsonsegughana
 
Wsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - finalWsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - finalValentin Korobkov
 

Recomendados

Privacy and Data Protection in Research
Privacy and Data Protection in ResearchPrivacy and Data Protection in Research
Privacy and Data Protection in ResearchMarlon Domingus
 
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security Principles
20150630_D6 1_Legal and EthicalFrameworkand Privacy and Security PrinciplesLisa Catanzaro
 
Enisa and cyber security standards
Enisa and cyber security standardsEnisa and cyber security standards
Enisa and cyber security standardsEuropean Union Agency for Network and Information Security (ENISA)
 
NIST article I wrote
NIST article I wroteNIST article I wrote
NIST article I wroteLisa LaForge, JD, CIPP/E, CIPM
 
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...EUDAT
 
Legal framework for digital health innvoation - Protection through patents, d...
Legal framework for digital health innvoation - Protection through patents, d...Legal framework for digital health innvoation - Protection through patents, d...
Legal framework for digital health innvoation - Protection through patents, d...DayOne
 
CTO-CybersecurityForum-2010-Richard Simpson
CTO-CybersecurityForum-2010-Richard SimpsonCTO-CybersecurityForum-2010-Richard Simpson
CTO-CybersecurityForum-2010-Richard Simpsonsegughana
 
Wsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - finalWsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - finalValentin Korobkov
 
CTO-CyberSecurityForum-2010-Charles Ward
CTO-CyberSecurityForum-2010-Charles WardCTO-CyberSecurityForum-2010-Charles Ward
CTO-CyberSecurityForum-2010-Charles Wardsegughana
 
Legal update
Legal updateLegal update
Legal updateRachel Aldighieri
 
Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Axon Lawyers
 
Legal Framework for Digital Health Innovation - Data Protection and Security
Legal Framework for Digital Health Innovation - Data Protection and SecurityLegal Framework for Digital Health Innovation - Data Protection and Security
Legal Framework for Digital Health Innovation - Data Protection and SecurityDayOne
 
CTO-CybersecurityForum-2010-Daisy francis
CTO-CybersecurityForum-2010-Daisy francisCTO-CybersecurityForum-2010-Daisy francis
CTO-CybersecurityForum-2010-Daisy francissegughana
 
PECB Webinar: The Internet of Things
PECB Webinar: The Internet of ThingsPECB Webinar: The Internet of Things
PECB Webinar: The Internet of ThingsPECB
 
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
Hacking Health Camp Strasbourg health data & data protection in the Netherlands Hacking Health Camp Strasbourg health data & data protection in the Netherlands
Hacking Health Camp Strasbourg health data & data protection in the Netherlands Axon Lawyers
 
2014 Update EU Cyber Law & Authentication Legislation
2014 Update EU Cyber Law & Authentication Legislation2014 Update EU Cyber Law & Authentication Legislation
2014 Update EU Cyber Law & Authentication LegislationMartenLinkedin
 
Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...Eftychia Chalvatzi
 
Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...BCC - Solutions for IBM Collaboration Software
 
Dataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptxDataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptxMarco Gioanola
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017CloudWATCH Consortium
 
CTO-CybersecurityForum-2010-Jayantha Fernando
CTO-CybersecurityForum-2010-Jayantha FernandoCTO-CybersecurityForum-2010-Jayantha Fernando
CTO-CybersecurityForum-2010-Jayantha Fernandosegughana
 
250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentationDennisHillemann
 
'Connected healthcare - connected to legality?'
'Connected healthcare - connected to legality?''Connected healthcare - connected to legality?'
'Connected healthcare - connected to legality?'Lucy Woods
 
European Critical Internet Infrastructure: past, present and future challenges
European Critical Internet Infrastructure: past, present and future challengesEuropean Critical Internet Infrastructure: past, present and future challenges
European Critical Internet Infrastructure: past, present and future challengesEuropean Union Agency for Network and Information Security (ENISA)
 
My Privacy at Risk, is it Safe?
My Privacy at Risk, is it Safe?My Privacy at Risk, is it Safe?
My Privacy at Risk, is it Safe?Andreas Drakos
 
EU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart MeteringEU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart Meteringnuances
 
IT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestIT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestLilian Edwards
 
Data Privacy of the Internet of Things
Data Privacy of the Internet of ThingsData Privacy of the Internet of Things
Data Privacy of the Internet of Thingsmabualsh
 
Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?IT Governance Ltd
 
GUL Network Infrastructure
GUL Network InfrastructureGUL Network Infrastructure
GUL Network InfrastructureMuhammad Zeeshan
 

Mais conteúdo relacionado

Mais procurados

CTO-CyberSecurityForum-2010-Charles Ward
CTO-CyberSecurityForum-2010-Charles WardCTO-CyberSecurityForum-2010-Charles Ward
CTO-CyberSecurityForum-2010-Charles Wardsegughana
 
Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Axon Lawyers
 
Legal Framework for Digital Health Innovation - Data Protection and Security
Legal Framework for Digital Health Innovation - Data Protection and SecurityLegal Framework for Digital Health Innovation - Data Protection and Security
Legal Framework for Digital Health Innovation - Data Protection and SecurityDayOne
 
CTO-CybersecurityForum-2010-Daisy francis
CTO-CybersecurityForum-2010-Daisy francisCTO-CybersecurityForum-2010-Daisy francis
CTO-CybersecurityForum-2010-Daisy francissegughana
 
PECB Webinar: The Internet of Things
PECB Webinar: The Internet of ThingsPECB Webinar: The Internet of Things
PECB Webinar: The Internet of ThingsPECB
 
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
Hacking Health Camp Strasbourg health data & data protection in the Netherlands Hacking Health Camp Strasbourg health data & data protection in the Netherlands
Hacking Health Camp Strasbourg health data & data protection in the Netherlands Axon Lawyers
 
2014 Update EU Cyber Law & Authentication Legislation
2014 Update EU Cyber Law & Authentication Legislation2014 Update EU Cyber Law & Authentication Legislation
2014 Update EU Cyber Law & Authentication LegislationMartenLinkedin
 
Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...Eftychia Chalvatzi
 
Dataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptxDataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptxMarco Gioanola
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017CloudWATCH Consortium
 
CTO-CybersecurityForum-2010-Jayantha Fernando
CTO-CybersecurityForum-2010-Jayantha FernandoCTO-CybersecurityForum-2010-Jayantha Fernando
CTO-CybersecurityForum-2010-Jayantha Fernandosegughana
 
250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentationDennisHillemann
 
'Connected healthcare - connected to legality?'
'Connected healthcare - connected to legality?''Connected healthcare - connected to legality?'
'Connected healthcare - connected to legality?'Lucy Woods
 

Mais procurados (16)

CTO-CyberSecurityForum-2010-Charles Ward
CTO-CyberSecurityForum-2010-Charles WardCTO-CyberSecurityForum-2010-Charles Ward
CTO-CyberSecurityForum-2010-Charles Ward
 
Legal update
Legal updateLegal update
Legal update
 
Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics' Paperless Lab Academy 'legal aspects of big data analytics'
Paperless Lab Academy 'legal aspects of big data analytics'
 
Legal Framework for Digital Health Innovation - Data Protection and Security
Legal Framework for Digital Health Innovation - Data Protection and SecurityLegal Framework for Digital Health Innovation - Data Protection and Security
Legal Framework for Digital Health Innovation - Data Protection and Security
 
CTO-CybersecurityForum-2010-Daisy francis
CTO-CybersecurityForum-2010-Daisy francisCTO-CybersecurityForum-2010-Daisy francis
CTO-CybersecurityForum-2010-Daisy francis
 
PECB Webinar: The Internet of Things
PECB Webinar: The Internet of ThingsPECB Webinar: The Internet of Things
PECB Webinar: The Internet of Things
 
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
Hacking Health Camp Strasbourg health data & data protection in the Netherlands Hacking Health Camp Strasbourg health data & data protection in the Netherlands
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
 
2014 Update EU Cyber Law & Authentication Legislation
2014 Update EU Cyber Law & Authentication Legislation2014 Update EU Cyber Law & Authentication Legislation
2014 Update EU Cyber Law & Authentication Legislation
 
Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...Good Practices and Recommendations on the Security and Resilience of Big Data...
Good Practices and Recommendations on the Security and Resilience of Big Data...
 
Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...
 
Dataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptxDataprotectionpackage 2015pptx
Dataprotectionpackage 2015pptx
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
 
CTO-CybersecurityForum-2010-Jayantha Fernando
CTO-CybersecurityForum-2010-Jayantha FernandoCTO-CybersecurityForum-2010-Jayantha Fernando
CTO-CybersecurityForum-2010-Jayantha Fernando
 
250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation250220 blockchain gdpr_blockchain_hillemann_presentation
250220 blockchain gdpr_blockchain_hillemann_presentation
 
'Connected healthcare - connected to legality?'
'Connected healthcare - connected to legality?''Connected healthcare - connected to legality?'
'Connected healthcare - connected to legality?'
 
European Critical Internet Infrastructure: past, present and future challenges
European Critical Internet Infrastructure: past, present and future challengesEuropean Critical Internet Infrastructure: past, present and future challenges
European Critical Internet Infrastructure: past, present and future challenges
 

Semelhante a EU data protection issues in IoT

My Privacy at Risk, is it Safe?
My Privacy at Risk, is it Safe?My Privacy at Risk, is it Safe?
My Privacy at Risk, is it Safe?Andreas Drakos
 
EU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart MeteringEU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart Meteringnuances
 
IT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestIT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestLilian Edwards
 
Data Privacy of the Internet of Things
Data Privacy of the Internet of ThingsData Privacy of the Internet of Things
Data Privacy of the Internet of Thingsmabualsh
 
Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?IT Governance Ltd
 
GUL Network Infrastructure
GUL Network InfrastructureGUL Network Infrastructure
GUL Network InfrastructureMuhammad Zeeshan
 
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...Konstantinos Demertzis
 
20131009 aon security breach legislation
20131009 aon security breach legislation20131009 aon security breach legislation
20131009 aon security breach legislationJos Dumortier
 
TelcoME2015_IOTRegulation
TelcoME2015_IOTRegulationTelcoME2015_IOTRegulation
TelcoME2015_IOTRegulationEamonHolley
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...e-SIDES.eu
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...IDC4EU
 
EU cybersecurity requirements under current and future medical devices regula...
EU cybersecurity requirements under current and future medical devices regula...EU cybersecurity requirements under current and future medical devices regula...
EU cybersecurity requirements under current and future medical devices regula...Erik Vollebregt
 
#MWC15Health Giussepe Busia mHealth Enablers Panel
#MWC15Health Giussepe Busia mHealth Enablers Panel#MWC15Health Giussepe Busia mHealth Enablers Panel
#MWC15Health Giussepe Busia mHealth Enablers Panel3GDR
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingIT Governance Ltd
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obamaLilian Edwards
 
The death of data protection
The death of data protection The death of data protection
The death of data protection Lilian Edwards
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataUlf Mattsson
 
Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...IISPEastMids
 

Semelhante a EU data protection issues in IoT (20)

My Privacy at Risk, is it Safe?
My Privacy at Risk, is it Safe?My Privacy at Risk, is it Safe?
My Privacy at Risk, is it Safe?
 
EU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart MeteringEU General Data Protection: Implications for Smart Metering
EU General Data Protection: Implications for Smart Metering
 
IT law : the middle kingdom between east and West
IT law : the middle kingdom between east and WestIT law : the middle kingdom between east and West
IT law : the middle kingdom between east and West
 
Data Privacy of the Internet of Things
Data Privacy of the Internet of ThingsData Privacy of the Internet of Things
Data Privacy of the Internet of Things
 
Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?
 
GUL Network Infrastructure
GUL Network InfrastructureGUL Network Infrastructure
GUL Network Infrastructure
 
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
 
20131009 aon security breach legislation
20131009 aon security breach legislation20131009 aon security breach legislation
20131009 aon security breach legislation
 
TelcoME2015_IOTRegulation
TelcoME2015_IOTRegulationTelcoME2015_IOTRegulation
TelcoME2015_IOTRegulation
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
 
EU cybersecurity requirements under current and future medical devices regula...
EU cybersecurity requirements under current and future medical devices regula...EU cybersecurity requirements under current and future medical devices regula...
EU cybersecurity requirements under current and future medical devices regula...
 
#MWC15Health Giussepe Busia mHealth Enablers Panel
#MWC15Health Giussepe Busia mHealth Enablers Panel#MWC15Health Giussepe Busia mHealth Enablers Panel
#MWC15Health Giussepe Busia mHealth Enablers Panel
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketing
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obama
 
The death of data protection
The death of data protection The death of data protection
The death of data protection
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address them
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive data
 
The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for Techies
 
Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...Be careful what you wish for: the great Data Protection law reform - Lilian E...
Be careful what you wish for: the great Data Protection law reform - Lilian E...
 

EU data protection issues in IoT

  • 1. EU data protection issues in the Internet-of-Things (IoT) (or Internet of Everything)
  • 2. IoT is subject to the general data protection law • Currently: Directive 95/46/EC (“Directive”), available at http://eur- lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML • Soon: General Data Protection Regulation (“GDPR”), expected entry into force Spring 2018, available at http://data.consilium.europa.eu/doc/document/ST-5455-2016- INIT/en/pdf
  • 3. EU Authorities on IoT WP29’s Opinion 8/2014 on the Recent Developments on the Internet of Things, available at http://ec.europa.eu/justice/data- protection/article-29/documentation/opinion- recommendation/files/2014/wp223_en.pdf
  • 4. Privacy challenges in the IoT (as identified by the WP29) • 1. Lack of control and information asymmetry – IoT, with its pervasive and “unobtrusive” presence, might cause data subjects to lose control under several perspectives and result basically in a “third-party monitoring.”
  • 5. Privacy challenges in the IoT (as identified by the WP29) • 2. Quality of the user’s consent – EU law requires consent for the legitimate processing of personal data (save exceptions). Consent is a major problem with the IoT because often (i) often users are not aware that a specific object is collecting data (ii) the possibility to decline certain services or features of an IoT device is more theoretical than real.
  • 6. Privacy challenges in the IoT (as identified by the WP29) • 3. Inferences derived from data and repurposing of original processing – The problem is that data collected by a specific device might be insignificant (e.g. accelerometers and gyroscope of smartphones), but this raw information might allow the controller to “infer” much more significant information (for example, driving habits)
  • 7. Privacy challenges in the IoT (as identified by the WP29) • 4. Intrusive bringing out of behavior patterns and profiling – Due to the “proliferation of sensors,” a vast amount of separate (maybe insignificant) pieces of information will be collected and continuously cross-matched with one another, which “reveal specific aspects of individual’s habits, behaviours and preferences.” IoT stakeholders will be able to create general profiles of users.
  • 8. Privacy challenges in the IoT (as identified by the WP29) • 5. Limitations on the possibility to remain anonymous when using services. – With the IoT everyone is traceable – Why? Think of wearable devices (e.g., smart watches), used in close proximity to data subjects so that they are able to collect “identifiers” (e.g., MAC addresses of other devices) that can track the location of users.
  • 9. Privacy challenges in the IoT (as identified by the WP29) • 6. Security risks
  • 10. Privacy challenges in the IoT (as identified by the WP29) • 6. Why cybersecurity risk is higher in IoT environment? – Manufacturers prefer battery efficiency over security; – the number of “security targets” will dramatically increase; – Need of multilevel cybersecurity multilevel, which involve securing devices, “communication links, storage infrastructure” and the entire IoT “ecosystem” – Since more IoT stakeholders involved to provide a service, need to provide cybersecurity coordination among them.
  • 11. Privacy challenges in the IoT (as identified by the WP29) – Above IoT challenges are not uniquely European.
  • 12. Relevant EU data protection principles – Data from things is often “personal data” (therefore subject to the general data protection) pursuant to Article 2(a) of Directive 95/46/EC because individuals are likely to be identified from that data. – Also in case of pseudonymisation or anonymisation because “the large amount of data processed automatically in the context of IoT entails risks of re-identification.” Opinion on IoT at 10.
  • 13. Relevant EU data protection principles – Data subjects are not only the subscribers of an IoT service or the users of a device but also individuals that are neither subscribers nor users, such as people whose data is collected by wearables (such as smart glasses), sometimes without being aware of.
  • 14. Relevant EU data protection principles • At least the following provisions of Directive 95/46/EC are relevant: • - Article 7 (legitimate data processing). Opinion on IoT at 14- 16. Note that “Lawfulness of processing” is in Article 6 of the new GDPR. – The main avenue for a legitimate data processing is data subject consent. Article 7(a). Consent must have the characteristics specified by WP29’s Opinion 15/2011. – Alternatives to consent possible.
  • 15. Relevant EU data protection principles • Article 6 (fair and lawful data collection and processing). – “minimization” principle • Article 8 (processing of sensitive data). - “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and … concerning health or sex life”. Consent required (very limited exceptions). - Under GDPR wider definition - now includes genetic and biometric data.
  • 16. Relevant EU data protection principles • Articles 10 and 11 (transparency requirements). – Data controllers must provide users with a privacy policy in a “clear and comprehensible manner.” • Challenging with the IoT and might require new methods of delivery. Opinion on IoT at 18. E.g., on the object itself using the wireless connectivity to broadcast the information. See Article 14 and 14(a) GDPR. The characteristics of the information are listed in Article 12 GDPR.
  • 17. Relevant EU data protection principles Article 17 (security requirements). - Any data controller remains fully responsible for security of the data processing even when more than one IoT stakeholder intervenes in the delivery of service. - New security principles from GDPR (Article 30) - (i) security breach: data controller responsible if breach results from poor design or maintenance of device; - (ii) security assessments: “of system as a whole, including at components’ level.” Opinion on IoT at 18. - Data breach notification duty to the supervisory authority within 72 hours (Article 31).
  • 18. Relevant EU data protection principles Cybersecurity recommendations from WP29: - Data controllers must supervise subcontractors that design and manufacture devices which are not processors (not bound by Article 17) and must seek “high security standards with regard to privacy.” - Use of principle of “data minimization”; - “Network restrictions, disabling by default noncritical functionalities, preventing use of un-trusted software update sources” ; - adherence to a “privacy by design” principle.
  • 19. Relevant EU data protection principles Cybersecurity recommendations from WP29 (cont’d) - automatic updates to patch vulnerabilities always available to users OR alternatives offered (e.g., open-source) AND and notification to users of vulnerability. - Security of IoT devices tracking health values must be particularly protected. - Data breach notification policies useful to contain the consequences of vulnerabilities in software and design.
  • 20. Relevant EU data protection principles • Rights of data subjects: the same they have in non-IoT environment (e.g., Articles 12 and 14), particularly the right of access, the right to withdraw consent, and the right to oppose the processing. – Access to raw data should be granted to users. Opinion on IoT at 20. Access to data is to switch to another provider (avoiding the lock-in). – GDPR provides a “right to portability”. Article 18 GDPR: • The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided.
  • 21. Relevant EU data protection principles • IoT stakeholders must also comply with Article 5(3) of Directive 2002/58/EC (consent to storage in E-Privacy Directive). – Unless storage or access (by IoT stakeholder) is “strictly necessary in order to provide a service explicitly requested by the subscriber or user,” consent is necessary.
  • 22. Mauritius Declaration and other important authorities Mauritius Declaration on the Internet of Things. adopted on October 14, 2014 inside the 36th International Conference of Data Protection and Privacy Commissioners (“Mauritius Declaration”), http://www.privacyconference2014.org/media/16596/Ma uritius-Declaration.pdf.
  • 23. Mauritius Declaration and other important authorities Mauritius Declaration highlights: individuals’ right to self-determination; drawing of broader and more sensitive inferences form the huge quantity of data; Identifiability; ubiquitous connectivity which requires trust in a connected world. To maintain trust, transparency is key.
  • 24. Mauritius Declaration and other important authorities Concerns of Commissioners: Lack of clarity of information (which data is collected, for which purpose and retention policy); informed consent;  privacy by design and by default still not use Lack of encryption. End-to-end encryption necessary.
  • 25. Mauritius Declaration and other important authorities - ENISA, Privacy and Data Protection by Design – from policy to engineering December 2014, available at https://www.enisa.europa.eu/activities/identity-and- trust/library/deliverables/privacy-and-data-protection-by- design. - privacy needs to be considered from the very beginning of system development. For this reason, [Dr. Ann] Cavoukian [former Information and Privacy Commissioner of Ontario, Canada] coined the term “Privacy by Design”, that is, privacy should be taken into account throughout the entire engineering process from the earliest design stages to the operation of the productive system.
  • 26. Mauritius Declaration and other important authorities • Report discusses also – “privacy/data protection by default,” meaning that “in the default setting the user is already protected against privacy risks.” – “privacy design strategies” – several privacy techniques including authentication, attribute based credentials, secure private communications like encryption, and communications anonymity and pseudonymity.
  • 27. Mauritius Declaration and other important authorities DPAs’ positions on IoT:  Italian DPA (Garante per la Protezione dei Dati Personali), Avvio della Consultazione Pubblica su Internet delle Cose (Internet of Things) - Deliberazione del 26 marzo 2015, doc. web n. 3898704, available in Italian at http://www.garanteprivacy.it/web/guest/home/docweb/- /docweb-display/docweb/3898704  UK DPA (ICO), The Information Commissioner’s Office response to the Competition & Markets Authority’s call for information on the commercial use of consumer data, https://ico.org.uk/media/about- the-ico/consultation-responses/2015/1043461/ico-response-to-cma- call-for-evidence-on-consumer-data-20150306.pdf.
  • 28. Mauritius Declaration and other important authorities DPAs’ positions on IoT (cont’d):  Spanish DPA, Resolución de 20 de noviembre de 2015, de la Agencia Española de Protección de Datos, por la que se aprueba el Plan Estratégico 2015-2019, available in Spanish at http://www.agpd.es/portalwebAGPD/LaAgencia/common/Resolucion _Plan_Estrategico.pdf.  French DPA (Commission Nationale de L’informatique et des Libertés – CNIL), Rapport d’Activite’ 2014, in French at https://www.cnil.fr/sites/default/files/typo/document/CNIL- 35e_rapport_annuel_2014.pdf.pdf, discussing smart cars and smart cities.
  • 29. More information Francesca Giannoni-Crystal & Allyson Haynes Stuart, The Internet-of-Things (#IoT) (or Internet of Everything) – privacy and data protection issues in the EU and the US, Information Law Journal, Spring 2016, volume 7 issue 2, available at http://apps.americanbar.org/dch/committee.cfm?com= ST230002 www.technethics.com (TAG IoT: http://www.technethics.com/tag/iot/)
  • 30. Contacts Francesca Giannoni-Crystal (NY, DC, Italy, and SC foreign legal consultant- not a member of SC Bar) Crystal & Giannoni-Crystal, LLC (www.cgcfirm.com) fgiannoni-crystal@cgcfirm.com