21.10.2022

The Internet of Things: New challenges in data protection

The Internet of Things (IoT) is expanding into all areas of life, driven by continuous data exchange between networked devices. This creates new legal challenges, particularly concerning data protection under GDPR and data security. Proper data security concepts must be implemented based on the specific application. This article explores how to achieve this, what to consider, and potential pitfalls.


What is behind the IoT?

In short, the IoT means the automated exchange of information between physical and virtual things. The basic principle here is data transmission between all sorts of different systems with the help of network technologies. Smart, networked devices can perform more and more tasks automatically for their users and make information available to other devices. The essential basis for this is the exchange of information between the devices, so-called machine-to-machine communication.

The result is a wide range of applications and many advantages: processes can be automated, optimised and designed to be more economical and energy-efficient. Companies can use IoT data to improve processes, reduce operational inefficiencies and automate many tasks. This increases employee and customer satisfaction and cuts costs. One of the biggest advantages of the IoT is the ability to collect very precise data in large quantities and analyse it in real time. In combination with artificial intelligence (AI) applications, the aforementioned advantages are already accessible to many companies – even without large IT budgets – via service providers like SAP, Salesforce or IBM.

This potential has led to many industries and sectors integrating IoT technologies – from production in Industry 4.0 and the digitalisation of the public sector, to new mobility and logistics solutions, assistance systems for care or the networking of urban infrastructures (energy, environment, transport).


IoT and the GDPR

Insofar as personal data is processed in connection with IoT device applications, data protection law at EU level and, in some cases, at national level applies. This is mainly the GDPR, but the rules derived from Directive 2002/58/EC (the ePrivacy Directive) must also be observed. In Germany the ePrivacy Directive was implemented mainly through the data protection provisions of the Telecommunications Act (TKG) and the Telecommunications and Telemedia Data Protection Act (TTDSG). Whether these rules apply is particularly relevant for IoT operators who do not buy the transmission service for their IoT application from a network operator but provide it themselves. In the future, the planned ePrivacy Regulation could bring further rules, but it remains to be seen whether and when that Regulation will be adopted.

Under the GDPR, the basic rule is that collecting, processing and storing personal data is prohibited unless a legal basis applies or the data subject has consented. Obtaining legally compliant consent can be particularly challenging for IoT applications: consent can be withdrawn by the data subject at any time, so a processing operation that depends on it alone is not very practicable, and in employment relationships consent is fundamentally difficult to rely on. Processing may instead be lawful if it is necessary for the performance of a contract or if the party processing the data has a legitimate interest in using the sensors (Art. 6(1)(b) and (f) GDPR). Which basis applies should, of course, be checked in detail by specialists before the application goes live, and the checks documented.

The GDPR also contains principles for processing that must be complied with. They can be found in Art. 5 GDPR. Specifically, these are the lawfulness, fairness and transparency of processing (Para. 1(a)); the principle of purpose limitation, with the exception of research purposes (Para. 1(b)); data minimisation (Para. 1(c)); accuracy (Para. 1(d)); storage limitation (Para. 1(e)); and the integrity and confidentiality of processing (Para. 1(f)).

Under the principles of data minimisation and purpose limitation, treating data as "anonymised" (and thus outside the GDPR) is only permissible if the data is genuinely anonymous. All too often data is described as "anonymous" even though, from a GDPR perspective, it is not, since even seemingly inconspicuous attributes can lead to identification when combined. Data is only anonymous when the combination of the remaining attributes, including with other available data sets, no longer allows any conclusions to be drawn about individual persons. This is why researchers speak of anonymisation only when every possible combination of attribute values matches at least two people in the data set (the hits to which the combination applies). The larger the smallest such group, the harder re-identification becomes and the more robust the data set is.
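The test described above, that every combination of attribute values must match at least two people, is what the research literature calls k-anonymity with k = 2. The following Python is an added illustration and not code from this article: over a constructed sample of smart-meter exports it counts how many records share each combination of quasi-identifiers, lists the combinations that single out exactly one person, and shows how coarsening the fields raises k. The column names, the sample rows and the generalisation rules are assumptions chosen for the example.

```python
from collections import Counter

# Columns that are not direct identifiers but can combine into a fingerprint
# (assumed for this example).
QUASI_IDENTIFIERS = ("postcode", "year_of_birth", "device_model")

# Constructed sample data: a meter export after names and customer IDs were
# dropped. The last two rows are each unique on the quasi-identifiers.
SAMPLE_RECORDS = [
    {"postcode": "10115", "year_of_birth": 1980, "device_model": "M1", "kwh_per_day": 11.2},
    {"postcode": "10115", "year_of_birth": 1980, "device_model": "M1", "kwh_per_day": 9.8},
    {"postcode": "10115", "year_of_birth": 1980, "device_model": "M1", "kwh_per_day": 13.4},
    {"postcode": "20095", "year_of_birth": 1975, "device_model": "M2", "kwh_per_day": 7.1},
    {"postcode": "20095", "year_of_birth": 1975, "device_model": "M2", "kwh_per_day": 8.0},
    {"postcode": "80331", "year_of_birth": 1962, "device_model": "M3", "kwh_per_day": 22.5},
    {"postcode": "80335", "year_of_birth": 1968, "device_model": "M3", "kwh_per_day": 19.0},
]


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[col] for col in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """The k of a data set: the size of its smallest equivalence class (0 if empty)."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singletons(records, quasi_identifiers):
    """Combinations that match exactly one record, i.e. one re-identifiable person."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(key for key, n in classes.items() if n == 1)


def is_anonymous(records, quasi_identifiers, k=2):
    """The article's criterion: every combination must yield at least k hits."""
    return k_anonymity(records, quasi_identifiers) >= k


def generalise(record):
    """Coarsen the quasi-identifiers (example rules, assumed for this sample):
    postcode reduced to its first two digits, year of birth to the decade."""
    out = dict(record)
    out["postcode"] = record["postcode"][:2] + "***"
    out["year_of_birth"] = record["year_of_birth"] // 10 * 10
    return out


if __name__ == "__main__":
    print("k of raw export:", k_anonymity(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    print("re-identifiable combinations:", singletons(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    generalised = [generalise(r) for r in SAMPLE_RECORDS]
    print("k after generalisation:", k_anonymity(generalised, QUASI_IDENTIFIERS))
    print("passes k=2 check:", is_anonymous(generalised, QUASI_IDENTIFIERS, k=2))
```

Run this before releasing or sharing any "anonymised" IoT data set, with the quasi-identifier list adjusted to the columns actually present. Note that a high k only limits identity disclosure: if every record in a class carries the same sensitive value (here, the same consumption profile), an attacker who knows someone is in that class still learns that value, so the sensitive columns need a diversity check as well.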

Where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing and "in particular using new technologies", the controller must carry out a data protection impact assessment (DPIA) under Art. 35 GDPR. In practice not every IoT application reaches this threshold, but IoT projects do so more often than other processing operations. A DPIA is an opportunity to identify security weaknesses early and to implement adequate measures to increase data security. It is not a one-off exercise but a continuous process: if the details of the processing operation change, a new assessment may be required.

Due to the diversity of potential manifestations and areas of application, there is no one-size-fits-all recommended action. Instead, comprehensive advice is required in the individual case.

In principle, however, the current and foreseeable data protection and IT security requirements must be identified as early as possible and addressed on the basis of a proper security and data protection concept. In IoT projects in particular, the legally enshrined principles of Privacy by Design and, for user-facing applications, Privacy by Default (Art. 25 GDPR) must be observed.

