The Apple Watch. The Nest Thermostat. The Fitbit® family of fitness trackers. There is little doubt that these devices, part of the “Internet of Things” or “IoT,” are quickly becoming accepted by the public at large as a part of everyday life. The vast amount of personal information created by these devices, the security and privacy of that data, and transparency and accountability of device manufactures and data service organizations remain the top concern for many, especially in Europe.
Recently, the European Union’s Article 29 Data Protection Working Party adopted “Opinion 8/2014 on the Recent Developments on the Internet of Things” (Click here to read). The Opinion highlights the need for IoT companies to be fully aware of what data they and/or their devices collect from consumers, how it is stored, how it may be disclosed and how the consumer is informed about the data functionality of the product. For instance, IoT devices can run afoul of the law within the European Union because, the Article 29 Working Party wrote, a “user can lose all control on the dissemination of his/her data, depending on whether or not the collection and processing of this data will be made in a transparent manner or not.” The Working Party was also concerned about a consumer’s ability to provide valid, informed consent to the processing (i.e., uses and manipulation) of his or her data when users are unaware of the extent of data processing carried out by an IoT device, and where “the possibility to renounce certain services or features of an IoT device is more a theoretical concept than a real alternative.” Finally, the Opinion expressed concerns about the ability to retain sufficient privacy protection for a consumer when data collected from IoT devices can be combined with data from other sources and where multiple companies, in multiple locations may process the collected data. In this globalized economy, most IoT manufacturers will sell, or offer to sell, their products within the European Union, and thus the Opinion should be required reading for product developers and manufacturers.
While the Opinion focused on the privacy issues of data collected by IoT devices and held by manufacturers and others, under the European Union’s Data Protection Directive, the legal concerns and business lessons are wider in scope. Federal laws and regulations in the U.S include similar protections as those offered by the EU Data Protection Directive. For instance, the FTC can bring an action against an American company for deceptive trade practices if the company tells its users one thing and does another or an unfair trade practice action if the steps being taken by the company to secure information are not adequate. Similarly, the Department of Health and Human Services may proceed against a healthcare IoT device manufacturer if the device is used by a medical practice to collect information from its patients and the data is not stored or disclosed in a way that comports with HIPAA. Laws in many states, such as California and Massachusetts, strictly regulate uses of and protections for personal data and may require explicit opt-in for disclosures of data to third-parties.
As such, careful preparation of the Terms of Service and privacy and security policies associated with an IoT product are extremely important. Should you have questions about how privacy concerns or international laws affect your IoT product, please contact Kenneth N. Rashbaum.