The Internet of Things (IoT) is steadily spreading and conquering all kinds of areas of our personal and working lives. The conceivable manifestations and potential applications are manifold. What they all have in common, however, is that IoT devices are networked and communicate with each other by continuously exchanging data and processing it. By definition, the IoT is driven by – and requires – data. This brings new legal challenges, and solving these depends on the specific application in each case. Be that as it may, if the data used is personal, then the provisions of the General Data Protection Regulation (GDPR) always apply. Irrespective of the question of whether data is personal in nature, it is also necessary to examine the data security requirements in the individual case, before drawing up and implementing a proper data security concept.
This article explains exactly how this can be achieved, what developers and users should bear in mind, and where typical stumbling blocks can lurk.
What is behind the IoT?
In short, the IoT means the automated exchange of information between physical and virtual things. The basic principle here is data transmission between all sorts of different systems with the help of network technologies. Smart, networked devices can perform more and more tasks automatically for their users and make information available to other devices. The essential basis for this is the exchange of information between the devices, so-called machine-to-machine communication.
The result is a wide range of applications and many advantages: processes can be automated, optimised and designed to be more economical and energy-efficient. Companies can use IoT data to improve processes, reduce operational inefficiencies and automate many tasks. This increases employee and customer satisfaction and cuts costs. One of the biggest advantages of the IoT is the ability to collect very precise data in large quantities and analyse it in real time. In combination with artificial intelligence (AI) applications, the aforementioned advantages are already accessible to many companies – even without large IT budgets – via service providers like SAP, Salesforce or IBM.
This potential has led to many industries and sectors integrating IoT technologies – from production in Industry 4.0 and the digitalisation of the public sector, to new mobility and logistics solutions, assistance systems for care or the networking of urban infrastructures (energy, environment, transport).
IoT and the GDPR
Insofar as personal data is processed in connection with IoT device applications, data protection laws at EU and, in some cases, national level are relevant. This is mainly the GDPR, but the rules resulting from Directive 2002/58/EC (the ePrivacy Directive) must also be observed. The ePrivacy Directive was implemented in Germany mainly through the data protection provisions of the Telecommunications Act (TKG) and the Telecommunications and Telemedia Data Protection Act (TTDSG). The applicability of these rules can be important for those IoT users who do not purchase the transmission line for their IoT application from a network operator but provide it themselves. In the future, the planned ePrivacy Regulation could also bring new rules – but it remains to be seen whether and when this Regulation will be passed.
With the application of the GDPR, the general rule applies that the collection, processing and storage of personal data is generally prohibited if there is no legal basis for it or the data subject has not consented. In this context, obtaining legally compliant consent can prove particularly challenging for IoT applications. Such consent can be withdrawn by the data subject at any time and is therefore not very practicable. In employment relationships in particular, consent is fundamentally difficult. In addition, data processing may be lawful if it is necessary for the performance of a contractual relationship or if the party processing the data has a legitimate interest in the use of the sensors. This should, of course, be checked in detail by specialists before use and the checks documented.
The GDPR also contains principles for processing that must be complied with. They can be found in Art. 5 GDPR. Specifically, these are the lawfulness, fairness and transparency of processing (Para. 1(a)); the principle of purpose limitation, with the exception of research purposes (Para. 1(b)); data minimisation (Para. 1(c)); accuracy (Para. 1(d)); storage limitation (Para. 1(e)); and the integrity and confidentiality of processing (Para. 1(f)).
According to the principles of data minimisation and purpose limitation, the use of anonymised data is only permissible if the data is genuinely anonymous in nature. All too often data is described as “anonymous”, even though from a GDPR perspective it is not, since even seemingly inconspicuous information can sometimes lead to identification. Data is only anonymous when the combination of different anonymised data sets no longer allows any conclusions to be drawn about individual persons. This is why researchers only speak of anonymisation when every possible combination of data leads to at least two hits (i.e. people to whom the data applies). The higher the number of hits, the more secure the data set.
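The "at least two hits" criterion above can be checked mechanically before a data set is labelled anonymous. The following Python snippet is an added example, not code from the article: it computes the smallest group size (the k in k-anonymity) over a constructed set of quasi-identifiers from a fictional IoT fleet, lists the combinations that single out one person, and shows how coarsening one attribute enlarges the groups.

```python
# Added example: k-anonymity check for the "at least two hits" rule.
# The records below are constructed; the field names are assumptions.
from collections import Counter

# Constructed export from a fictional IoT fleet. No names or IDs, yet one
# combination of device type, postcode area and age band is still unique.
RECORDS = [
    {"device": "smart_meter", "plz": "10xxx", "age": "30-39"},
    {"device": "smart_meter", "plz": "10xxx", "age": "30-39"},
    {"device": "wearable",    "plz": "80xxx", "age": "40-49"},
    {"device": "wearable",    "plz": "80xxx", "age": "40-49"},
    {"device": "wearable",    "plz": "80xxx", "age": "40-49"},
    {"device": "smart_meter", "plz": "10xxx", "age": "40-49"},  # one hit only
]
QUASI_IDS = ("device", "plz", "age")


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest class size, i.e. the k in k-anonymity (0 for an empty set)."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_ids=QUASI_IDS):
    """Combinations with exactly one hit: each one identifies a single person."""
    return [c for c, n in equivalence_classes(records, quasi_ids).items() if n == 1]


def is_anonymous(records, k=2, quasi_ids=QUASI_IDS):
    """True when every combination has at least k hits (the text's k = 2)."""
    return k_anonymity(records, quasi_ids) >= k


def generalise(records, field, mapping):
    """Coarsen one attribute (e.g. merge age bands) to enlarge the classes."""
    return [{**r, field: mapping.get(r[field], r[field])} for r in records]


if __name__ == "__main__":
    print("k =", k_anonymity(RECORDS), "singled out:", singled_out(RECORDS))
    coarser = generalise(RECORDS, "age", {"30-39": "30-49", "40-49": "30-49"})
    print("after generalising age: k =", k_anonymity(coarser),
          "anonymous:", is_anonymous(coarser))
```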
Where any processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing and “in particular using new technologies”, the controller must carry out a data protection impact assessment (DPIA) under Art. 35 GDPR. Experience shows that IoT applications do not always reach this high-risk threshold, but they do so more often than average. A DPIA is an opportunity to identify security vulnerabilities early on and to implement adequate measures to increase data security. However, it is not a one-off procedure but a continuous process: if details of the corresponding data processing operation change, a new assessment may be required.
Due to the diversity of potential manifestations and areas of application, there is no one-size-fits-all recommended action. Instead, comprehensive advice is required in the individual case.
In principle, however, the (current and future) data protection and IT security requirements must always be identified as early as possible and taken into account on the basis of a proper security and data protection concept. Especially in the case of IoT projects, the legally enshrined data protection principles of Privacy by Design and, in the case of user-oriented applications, Privacy by Default must be observed. We will be happy to answer any questions you may have on the Internet of Things!