Consumers and service providers are often at odds regarding the gathering and use of personal data. On the one hand, consumers expect to get personalized choices from a custom site search and other tools that rely on data gathering and processing. But when things go wrong, and when a data breach occurs, the attention quickly shifts from the usefulness of allowing data gathering to its potential perils.
The Internet of Things is an industry with a heavy focus on data collection. Most IoT use cases involve data gathering. Data monetization is set to be one of the hottest IoT trends in 2018. But IoT is also an industry that’s had plenty of security issues. Security is one of the reasons for the relatively slow adoption of IoT. While we’re waiting to see whether the governments will step in with tighter regulations on IoT, we’re about to witness Europe’s legislative response to the evolving digital landscape. In 2018, the GDPR enforcement will begin, and it’s bound to affect IoT.
What Is GDPR?
GDPR is short for General Data Protection Regulation. It’s an EU regulation that aims to protect and expand EU citizens’ rights to have their data processed safely and only when needed. Even though GDPR is an EU regulation, it doesn’t affect only EU companies. Every business that wants to offer services or products to EU citizens and that plans to process or order processing of EU citizens’ data is subject to the GDPR. GDPR entered into force in May 2016, with enforcement set to start on May 25, 2018. We are now in the last months of the two-year adjustment period.
GDPR is concerned with personal data, or data that can be used to identify a person. GDPR has a pretty broad take on a person’s identity, so personal data include data that describe the person’s economic, mental, or physical status. Sensitive personal data include data on ethnicity, political opinion, religious beliefs, health, and genetic and biometric data. Location data and online identifiers are also considered personal data.
The Issues with Consent
Some of the GDPR provisions are still open questions for us. We still need to see how the regulation is implemented in practice. But it’s already obvious that several provisions can cause problems for the IoT industry. Consent is one of them.
Under the GDPR, manufacturers or service providers who want to process data need to have legal grounds for data processing. Consent is one of the possible legal grounds, but only if it meets strict criteria: it needs to be informed, given freely, specific, and given in an affirmative action.
Any entity that wants to process data needs to provide information about the nature of processing, the purposes of processing, and the name of the organization that requested processing. Consent needs to be a choice users can make without a threat of a penalty. Users give consent for specific processing — blanket consent doesn’t apply. They need to give consent freely in an affirmative action. Silence or failure to opt-out does not count as consent.
How to Navigate the New Consent Rules
IoT manufacturers and service providers don’t have a good track record with providing explanations. According to data from 2016:
- 59% of IoT devices failed to explain to users how they process user data
- 68% failed to explain how they store information
- 72% failed to explain how to delete data
- 38% failed to include contact information
Manufacturers or service providers who fail to meet the criteria of legal grounds for processing face penalties of up to 4% of global income or €20 million, whichever is higher.
There are several ways manufacturers and service providers can address the new definition of consent in the EU. For one, they can ensure that, if they are using consent as legal grounds for data processing, they provide all the information and choices necessary to be compliant with the GDPR. They should also take into account that consent is only one of the grounds for legal data processing. Compliance officers and legal advisors might also want to explore the other grounds and see if they apply better. For example, healthcare IoT service providers might be able to process data legally in the interest of saving someone’s life. Data processing can be done legally if it’s in the public interest, or if it’s necessary to execute a contract.
Another solution IoT manufacturers and service providers can pursue is data anonymization. If the data can be fully anonymized so that it cannot be used to identify any person, it falls out of the jurisdiction of GDPR. However, if making data more anonymous makes it less valuable, a cost-benefit analysis should precede any effort to anonymize data.
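To make the anonymization trade-off concrete, here is an added example (not code from the article or any product it mentions) on a constructed set of IoT telemetry records. It drops the direct identifier, generalizes the quasi-identifiers (postcode and age) and suppresses records that would still sit in a group smaller than k, then measures how many records the release loses, which is the cost side of the cost-benefit analysis. It also shows why merely hashing the device identifier (pseudonymization) is not anonymization: the hashed records are still one per device and can still be linked back. All record values and function names are constructed for this illustration.

```python
import hashlib
from collections import Counter

# Constructed sample telemetry from a hypothetical wearable fleet.
# device_id is a direct identifier; postcode and age are quasi-identifiers
# that can re-identify a person when combined; heart_rate is the sensitive value.
RECORDS = [
    {"device_id": "dev-0001", "postcode": "SW1A 1AA", "age": 34, "heart_rate": 72},
    {"device_id": "dev-0002", "postcode": "SW1A 2BB", "age": 37, "heart_rate": 64},
    {"device_id": "dev-0003", "postcode": "SW1A 3CC", "age": 31, "heart_rate": 88},
    {"device_id": "dev-0004", "postcode": "EC2A 4DD", "age": 52, "heart_rate": 70},
    {"device_id": "dev-0005", "postcode": "EC2A 5EE", "age": 58, "heart_rate": 95},
    {"device_id": "dev-0006", "postcode": "M1 1AE",   "age": 45, "heart_rate": 60},
]

QUASI = ("area", "age_band")


def pseudonymize(records, salt: bytes):
    """Replace device_id with a salted hash. This is pseudonymization only:
    every record still maps to exactly one device, so the data remain
    personal data and stay inside the GDPR's scope."""
    out = []
    for r in records:
        p = dict(r)
        p["device_id"] = hashlib.sha256(salt + r["device_id"].encode()).hexdigest()[:16]
        out.append(p)
    return out


def generalize(record, age_bucket=10):
    """Coarsen the quasi-identifiers and drop the direct identifier entirely."""
    low = (record["age"] // age_bucket) * age_bucket
    return {
        "area": record["postcode"].split()[0],          # outward code only
        "age_band": f"{low}-{low + age_bucket - 1}",     # e.g. 30-39
        "heart_rate": record["heart_rate"],
    }


def k_anonymity(records, quasi=QUASI):
    """Smallest group size over the quasi-identifier combinations (0 if empty)."""
    if not records:
        return 0
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def anonymize(records, k, age_bucket=10):
    """Generalize, then suppress any record whose quasi-identifier group
    has fewer than k members, so every released row hides among k-1 others."""
    gen = [generalize(r, age_bucket) for r in records]
    groups = Counter(tuple(r[q] for q in QUASI) for r in gen)
    return [r for r in gen if groups[tuple(r[q] for q in QUASI)] >= k]


def utility_loss(original, released):
    """Fraction of records suppressed to reach the target k."""
    return 1 - len(released) / len(original)


if __name__ == "__main__":
    print("hashed ids still unique:", len({r["device_id"] for r in pseudonymize(RECORDS, b"salt")}))
    for k in (1, 2, 3):
        rel = anonymize(RECORDS, k)
        print(f"k={k}: released {len(rel)}/{len(RECORDS)}, "
              f"achieved k={k_anonymity(rel)}, loss={utility_loss(RECORDS, rel):.0%}")
```

Running it shows the trade-off directly: generalization alone leaves one record in a group of its own (k=1), asking for k=2 suppresses one record, and asking for k=3 suppresses half the dataset. The parameters (bucket width, postcode granularity, target k) are exactly the knobs a compliance and product team would negotiate over.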
Even though GDPR is not a regulation developed specifically for IoT, it will be an important test to see how the industry adapts to stricter regulations. The redefined concept of consent is only one of the many new things GDPR introduces. The IoT industry and the legal and compliance advisors who work in it will need to find ways to fit within the new regulatory framework. And if they haven’t done it yet, they’ll have to do it fast — there’s only a couple of months left before GDPR starts being applied. Access to the whole EU market is at stake.