After four long years of debate and preparation, the EU’s General Data Protection Regulation (GDPR) was finally adopted on 27 April 2016.
The GDPR is set to solidify the protection of personal data, privacy and security for everyone in the EU and will replace the outdated Data Protection Directive 95/46/EC. In many ways it mirrors Regulation 45/2001, which already applied to EU institutions and agencies. This means the EU’s own bodies may (or should) be well prepared for the new landscape, but much of the private and public sector is still struggling to grasp what the new rules mean.
The task is particularly challenging in a field as new as IoT, where the rules have not yet been widely tested in practice. So, what exactly will this new set of rules mean for the future of IoT devices?
In a milestone opinion issued in 2014, the Article 29 Data Protection Working Party (WP) expressed its concern over the high potential for security breaches associated with smart objects. Most of the high-tech products currently being developed at the forefront of IoT operate in largely uncharted territory, which in practice means relatively immature built-in security mechanisms and leaves them susceptible to cyber-attacks.
One of the main features of the GDPR is that it makes privacy-oriented defaults mandatory, under the heading of “data protection by design and by default” (commonly dubbed “privacy by design”), which means that IoT devices too must be built with data protection as a first-order requirement rather than an afterthought.
This is a demanding standard, since studies show that almost 60% of IoT products fail to adequately inform consumers about how their personal data is collected, used and disclosed, while more than 70% fail to adequately explain how users can have that personal information deleted.
Moreover, the GDPR introduces a general mandatory notification regime for personal data breaches: companies that deal in smart products, like any other controller, will have to report such breaches to their supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Because the clock starts on awareness, a manufacturer with no means of detecting compromise of its devices or back-end systems will find that deadline hard to meet.
It is a common misconception that the GDPR will only affect EU-based businesses. Article 3 of the new Regulation clearly states that the new set of rules applies, inter alia, to any business or organization not established in the EU that offers goods or services (whether or not payment is required) to individuals in the EU, or monitors their behaviour, and thus processes the personal data of people in the EU, whatever their citizenship. Since many of the companies considered pioneers in the field of IoT are based in the US, this effectively means that they should pay close attention to the developments and prepare themselves. Otherwise the GDPR provides for unprecedented fines: up to €10 million (roughly $11 million) or 2% of global annual turnover for the preceding financial year, whichever is higher, for failure to meet technical and organizational obligations such as data protection by design, security of processing and breach notification; and up to €20 million (roughly $22 million) or 4% of global annual turnover for the preceding financial year, whichever is higher, for infringing the core principles of data processing, the rights of data subjects, or the rules on transfers of personal data to third countries.
Luckily, the GDPR provides for a transition period of two years before it applies on 25 May 2018. Yet with almost half of that time already gone, IoT manufacturers both in the EU and elsewhere need to move fast to make sure they are up to speed with EU privacy legislation when the deadline arrives.