The European data protection regulators, the Article 29 Working Party (WP29), recently issued two guidance papers which clarify the data protection legal framework applicable to the Internet of Things (IoT) and to the use of device fingerprinting. Both opinions underline WP29’s current focus on data-driven innovations. This article highlights the key takeaways from these two opinions.
WP29 Opinion 8/2014 on the Internet of Things1
The WP29 opinion specifically focuses on three IoT developments: (1) wearable computing; (2) the quantified self; and (3) home automation. According to WP29, the processing of data in these contexts can trigger the application of both the Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC.
- The Data Protection Directive applies to the extent that the smart devices connected in the IoT collect, use, and disclose data about identified or identifiable individuals (i.e., “personal data”). What constitutes personal data is interpreted very broadly under EU data protection law.2
- The e-Privacy Directive and in particular the so-called EU cookies rule,3 which requires prior consent for the storing of or gaining access to information in the terminal device of a user, applies when data is accessed or stored on a user’s smart device.
WP29 considers that, even if the data is collected by an organization located outside the European Union, EU data protection law will apply if the connected device is located in the EU, or even if only the smartphone or tablet on which software or apps were installed to transmit the data is located in the EU.
After a detailed discussion of the risks related to the IoT, WP29 clarifies what the EU data protection requirements mean in practice for the IoT using various case studies. Below are some of the main takeaways:
- The roles of the different IoT stakeholders (e.g., manufacturers of smart devices, third-party application developers, social platforms, IoT platforms) should be clearly defined and their responsibilities clearly allocated. WP29 emphasizes the need to determine which party acts as the “data controller” and which as the “data processor.” WP29 gives specific recommendations to the various stakeholders involved in the IoT ecosystem.
- WP29 emphasizes the need for users of smart devices to remain in control. WP29 sees a risk that users are not made aware of the data collection in the IoT or lose control over the subsequent use of their data. According to the WP29, providing user control includes:
  - Obtaining users’ freely given, specific, and informed consent to the processing of their personal data (unless another legal basis can be relied on)
  - Enabling users to switch their data to another IoT service provider if they wish to do so (i.e., “right to data portability”)
  - Allowing users to disable the “smart” feature of their device and thus to stop the collection of data while still being able to use the device as the original, unconnected version
  - Offering users granular choices about the categories of data that are collected, the time and frequency at which data is captured, etc.
  - Protecting users against data security breaches and notifying them in case of a security breach
- WP29 recommends performing a Privacy Impact Assessment before launching a new application in the IoT.
- IoT stakeholders should delete the raw data collected from the smart device after having extracted all data necessary to provide users with the smart service.
- To prevent location tracking, WP29 considers that manufacturers of smart devices should limit device fingerprinting by disabling wireless interfaces when they are not used, or by using random identifiers to prevent a persistent identifier from being used to track location.
WP29 Opinion 9/2014 on Device Fingerprinting4
According to WP29, device fingerprinting is a technique which consists of combining various information elements to uniquely identify a device or application. This opinion uses the term in a broad sense, meaning that it comprises any set of information that can be used to single out, link, or infer a user, user agent, or device over time. This includes but is not limited to data derived from: (a) the configuration of a user agent/device; or (b) data exposed by the use of network communications protocols.5
In its opinion, WP29 confirms that device fingerprinting is subject to the consent requirement of Article 5(3) of the EU e-Privacy Directive. Although this provision is often referred to as the “cookie rule,” it generally applies to the storing of or gaining access to information in a user’s terminal device via any technique, and is not limited to cookies. Thus, if device fingerprinting relies on the storage of or access to information stored in the user’s terminal device, it is subject to the prior consent requirements of Article 5(3).
As an example, WP29 states that device fingerprinting to enhance user authentication (i.e., to link an account to a particular device) requires the user’s prior consent. Exceptions to the prior consent requirement will only apply in limited cases where device fingerprinting is necessary for technical reasons, for instance if it is necessary for the normal functioning of a network or to optimize content layout (by accessing the screen size).
WP29 does not clarify how consent to device fingerprinting should be obtained in practice (e.g., whether implied consent is necessary or if a more affirmative action such as an explicit opt-in is required). It remains to be seen how the market will react to this opinion and whether it will implement WP29 guidance. In any event, the practical issues that were raised in the cookie consent debate will most likely apply to device fingerprinting. More information on cookie consent practices can be found here.6
Conclusion
One of the underlying messages of WP29 in both opinions summarized above is that individuals should remain in control over the data that is collected, processed, and disseminated about them. Although the WP29 opinions are not legally binding, they are often followed by EU privacy regulators when applying data protection law. For EU privacy regulators, the level of user control is therefore likely to be an important criterion in the evaluation of new data technologies, such as smart devices, that are launched on the EU market.
1 See the WP29’s Opinion 8/2014 on the Recent Developments on the Internet of Things of September 16, 2014 (WP 223), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf.
2 Even if anonymization techniques are applied to the data collected through smart devices, the data are likely to remain personal data. In its Opinion 5/2014 on anonymization, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf, the WP29 set a high threshold for considering data to be fully anonymized: according to the WP29, even a remote risk of re-identification is sufficient to consider data to be “personal data” under the EU Data Protection Directive. For more information, see the July 2014 issue of Eye on Privacy, available at https://www.wsgr.com/publications/PDFSearch/eye-on-privacy/Jul2014/index.html.
3 Article 5(3) of the EU e-Privacy Directive.
4 See Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting, adopted on November 25, 2014 (WP 224), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf.
5 According to WP29, this can include: (a) CSS information; (b) JavaScript objects (e.g., document, window, screen, navigator, date, and language); (c) HTTP header information (e.g., the number of bits of information in the User Agent string, HTTP header ordering, HTTP header variation by request type); (d) clock information (e.g., clock skew and clock error); (e) TCP stack variation; (f) installed fonts; (g) installed plugin information (e.g., configuration and version information); (h) the use of internal Application Programming Interfaces (APIs) exposed by the user agent/device; or (i) the use of external APIs of Web services the user agent/device is communicating with.
6 WSGR Alert, “European Data Protection Regulators Issue Further Guidance on How to Obtain Cookie Consent,” October 24, 2013, available at https://www.wsgr.com/publications/PDFSearch/wsgralert-cookie-consent.pdf.