This March, Wikileaks made public several documents that suggested the CIA uses televisions to gather information on people. It may seem far-fetched, but it is a fact that a growing number of physical devices are equipped with software and network connectivity. These features enable devices to exchange data. The network of such physical devices is often referred to as the “Internet of Things”. In light of (future) Dutch and European legislation pertaining to the protection of personal data and electronic communication, companies that manufacture or use such “Internet-of-Things devices” (“IoT-devices”) should assess whether these devices offer enough protection.
In this news item, we focus on certain applicable legislation and discuss several risks that come with the use of IoT-devices.
IoT-devices are vulnerable, due to both their build and the way they are used. For example, most IoT-devices tend to have limited energy resources and little computing power. This makes it difficult for such devices to, for example, set up encrypted connections to protect data in transit. Moreover, IoT-devices are often deployed outside of traditional IT-infrastructures that could provide additional security, such as network segmentation and monitoring. As a result, IoT-devices are generally insufficiently protected against hacks. From a privacy law perspective, this poses an even greater risk if IoT-devices store personal and/or sensitive data, because such data can then be accessed or transported without authorization. The use of IoT-devices also brings about other risks. In
There is currently no Dutch legislation pertaining specifically to the use or manufacturing of IoT-devices. However, the development and use thereof can be subject to both Dutch and European legislation. We address certain important regulations below that could apply in this regard.
IoT-devices that store and collect data that could be qualified as personal and/or sensitive data must be compliant with the provisions of the General Data Protection Regulation (“GDPR”) once it comes into force in May 2018. As IoT-devices are targets for hacks, a hack could result in a security breach and, consequently, in a data breach. Manufacturers of IoT-devices that qualify as data controllers under the GDPR may need to conclude (additional) agreements with the users of these devices. Read more about the GDPR in our update of 11 December 2016.
With regard to the challenges IoT-devices pose for data protection, the Article 29 Working Party (consisting of representatives of all EU national data protection authorities) (“WP29”) published an opinion with several recommendations:
- inform users about the type of data to be collected, received and processed by the device;
- provide simple tools to make export of and access to the data by the user possible;
- follow a security-by-design process, meaning that the default settings offer the highest level of security possible (and a lower level of security can only be selected deliberately by the user);
- allow for settings that make it possible to distinguish between different individuals using the same device so that they are not aware of each other’s activities;
- limit the amount of data leaving the devices by transforming raw data into aggregated data directly on the device;
- apply a data minimisation process, meaning that the amount of data collected to provide the service at hand is limited as much as possible.
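The last four recommendations (secure defaults, on-device aggregation, data minimisation) can be illustrated in code. The following is an added example written for this page, not code from WP29 or from any manufacturer; the device type (a smart plug reporting power consumption), the sample readings, the field names and the 15-minute window are all assumptions made for illustration. It shows raw readings being reduced on the device to per-window summaries, so that only the summary leaves the device, with the most private behaviour as the default setting.

```python
"""
Added example (not from the original article): on-device aggregation as a
data-minimisation step with security-by-design defaults.
Device type, field names, readings and window size are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class UploadPolicy:
    """Secure defaults: the most private setting applies unless the user
    explicitly chooses otherwise (WP29: less security only by choice)."""
    window_seconds: int = 900          # aggregate over 15-minute windows
    upload_raw_samples: bool = False   # raw samples stay on the device by default


# Constructed sample input: per-minute power readings from a hypothetical
# smart plug. The metadata fields (network name, occupant, location) are
# collected by the device but are not needed for a consumption report.
_BASE_TS = 1_700_000_100  # chosen to be aligned to a 900-second window
RAW_READINGS = [
    {"ts": _BASE_TS + 60 * i, "watts": w, "ssid": "home-wifi",
     "occupant": "user-1", "gps": (52.37, 4.89)}
    for i, w in enumerate([120, 118, 400, 410, 405, 122, 121, 119,
                           900, 910, 905, 125, 123, 122, 121,
                           118, 117, 118, 119, 120])
]


def aggregate(readings: List[dict],
              policy: UploadPolicy = UploadPolicy()) -> List[dict]:
    """Turn raw samples into per-window summaries on the device.

    Only the measurement needed for the service ("watts") is read from each
    sample; identifying metadata never reaches the summary, and raw samples
    are included only when the user has opted in via the policy.
    """
    windows: Dict[int, List[float]] = {}
    for r in readings:
        start = r["ts"] - (r["ts"] % policy.window_seconds)  # floor to window
        windows.setdefault(start, []).append(r["watts"])

    summaries = []
    for start in sorted(windows):
        vals = windows[start]
        summary = {
            "window_start": start,
            "samples": len(vals),
            "mean_watts": round(sum(vals) / len(vals), 1),
            "max_watts": max(vals),
        }
        if policy.upload_raw_samples:  # weaker setting, explicit opt-in only
            summary["raw"] = list(vals)
        summaries.append(summary)
    return summaries


def keys_leaving_device(summaries: List[dict]) -> List[str]:
    """The complete set of field names that would be transmitted; useful when
    reviewing a device against the 'inform users' and minimisation items."""
    keys = set()
    for s in summaries:
        keys.update(s.keys())
    return sorted(keys)


if __name__ == "__main__":
    for s in aggregate(RAW_READINGS):
        print(s)
    print("fields leaving device:", keys_leaving_device(aggregate(RAW_READINGS)))
```

With the default policy, twenty per-minute samples become two summaries that carry neither the occupant, the Wi-Fi network name nor the location, and the raw samples stay local; enabling `upload_raw_samples` is the explicit, user-chosen reduction in privacy that WP29 describes.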
Although these recommendations stem from 2014, they offer a good starting point for an assessment of the way IoT-devices ought to be manufactured or used.
In December 2016, the European Commission published a draft text of the European Regulation on Privacy and Electronic Communications (“E-privacy Regulation”), which aims to further protect the privacy and confidentiality of electronic communications. Part of the E-privacy Regulation is devoted to the confidentiality of so-called terminal equipment of users: computers, smartphones and tablets. To access personal information stored on these devices, the consent of the user is required. Depending on the exact workings of the IoT-devices, this requirement may also apply to them. Read more about the E-privacy Regulation in our update of 24 January of this year.
The Directive on Security of Network and Information Systems (“NIS Directive”) came into force in August 2016. EU Member States have a twenty-one-month period to implement the NIS Directive into their national legislation. The NIS Directive aims to ensure a high common level of network and information security across the EU. In particular, the NIS Directive requires operators of critical infrastructures and so-called digital service providers to take appropriate measures to manage security risks and to report serious incidents to the national competent authorities. Depending on the sector in which the IoT-devices are used, the NIS Directive may be relevant for their production or use.
Lastly, we briefly address a new legislative proposal for the Dutch Data Processing and Cybersecurity Notification Obligation Act (“Wet gegevensverwerking en meldplicht cybersecurity”), which is currently under review by the Dutch Senate (“Eerste Kamer”). The proposed law will introduce an obligation for organizations in vital sectors to report security breaches or the loss of integrity of electronic information systems. Part of the proposed legislation will therefore overlap with the NIS Directive mentioned above. Which organizations, products and services will fall within the scope of the proposed legislation will be laid down in lower regulations. The consultation period for the draft text of those regulations has recently been concluded.
What does this mean for IoT-manufacturers and developers?
Manufacturers and developers of IoT-devices will have to take the aforementioned regulations and directive into account when their devices are used within the EU. Here at