European data protection authorities have approved the first joint opinion on the internet of things, that is, on the possibility that all the objects of our daily lives are connected to the Internet. The document, whose development was led by the Spanish Data Protection Agency together with the French authority (CNIL), welcomes the prospects of economic and social benefits that this technology can bring, but also identifies and warns of the risks that these emerging products and services may pose to the privacy of individuals, and defines a framework of responsibilities.
The document is aimed at device manufacturers, application developers and managers of social networks on the one hand, and at the users who will use these connected devices on the other. It also contains useful recommendations for developing technology standards in the field of the internet of things. To identify the risks that can arise from this technology if it is not developed with an ethical and respectful approach, the opinion raises three scenarios: so-called wearable computing, devices capable of recording information related to people's physical activity, and home automation.
PROFILES OF BEHAVIOR PATTERNS
Wearable technology includes watches or glasses to which sensors, cameras or microphones are added; these record data and transfer it to the device manufacturer, and can allow the installation of third-party applications. As for the objects that record information about the habits and lifestyle of their users, the opinion focuses on those that collect data related to the person's physical activity, especially data concerning health. In this sense, the study warns that although the devices in this category do not, in principle, collect specially protected data, a pedometer, for instance, can end up providing third parties with inferred information about the individual's health. Finally, the paper discusses the internet of things applied to home automation: offices and homes with detectors, thermostats and connected sensors whose usage patterns can reveal details of personal and family lifestyle and habits.
The opinion stresses that, although the various objects that make up the internet of things collect isolated pieces of information, the data collected from different sources and analyzed in a different way or in conjunction with other data may reveal specific aspects of habits, behaviors and preferences, forming genuine patterns of people's lives. The opinion warns that, if it came about, this potential for surveillance could condition the way people behave in real life.
The authorities warn that the user can lose control over the dissemination of data depending on whether its collection and processing are transparent or not. To the increase in the amount of data generated must be added the possibilities of combining and cross-analyzing it, obtaining new data beyond that originally requested, and using it for secondary purposes or purposes unrelated to the initial processing. An example highlighted in the opinion is the information collected by a smartphone's accelerometer and gyroscope, which could be used to infer information with a very different meaning from the original, such as an individual's driving habits.
As for security, the document specifies that the internet of things amplifies the risks associated with inadequate security in the design of systems, not only because of the data collected and the inferences that can be made from them but also because of the technology they use, which should be based on secure systems and designed according to the potential risks.
RIGHTS OF CITIZENS
The authorities recall in the opinion that the legal framework applicable to any system aimed at European users is Data Protection Directive 95/46/EC, in conjunction with Directive 2002/58/EC on Privacy and Electronic Communications, and that the benefits of this protection do not depend on whether organizations are established in Europe.
Thus, the entities involved in the internet of things ecosystem must ensure that the person has given effective consent after having been provided with clear and complete information on, among other things, what data is collected, how it is collected, for what purposes it will be processed, and how they can exercise their rights. Personal data should be collected fairly and lawfully, so it should not be collected and processed without the person being aware of it. This requirement is particularly important in a sector in which the sensors are designed to be as invisible as possible.
The authorities insist that personal information may only be collected for specified, explicit and legitimate purposes. This principle allows users to know how and for what purposes their data is being used and to decide accordingly.
In addition, the data collected should be limited to what is strictly necessary for the previously defined purpose. The opinion states that "data that are unnecessary for this purpose should not be collected and stored just in case, or because they might be useful later on."
Finally, personal data collected and processed as part of the internet of things should not be kept for longer than necessary for the purposes for which it was collected. The Article 29 Working Party document specifies that, for example, the data provided by a user when subscribing to a service should be removed as soon as the user terminates their subscription. Similarly, information deleted by the user from their account must not be retained and, when a user does not use a service or application, the profile must be set to inactive until, after a while, the data is removed, with clear information provided in all cases.
Article 29 Working Party
The Working Party of European data protection authorities (the Article 29 Working Party) is the advisory group composed of representatives of the national data protection authorities of the Member States, the European Data Protection Supervisor and the European Commission.
Its functions are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The Article 29 Working Party is entitled to examine any issue relating to the implementation of the data protection directives in order to contribute to their uniform application. It performs its functions by issuing recommendations, opinions and working papers on all relevant issues affecting the protection of personal data.
Digital Newspaper Diariojurídico