The concept of the ‘internet of things’ (IoT) is a term given to the increasing automatic communication between devices and tags that are forming complex networks around citizens.
The Commission has said that the network “has the potential to considerably improve the life of EU citizens” and “will create tremendous opportunities for innovation-based growth and jobs creation in Europe”. However, it has said that there are inherent privacy and security risks related to the IoT, and has previously expressed concern about the implications of personally-identifying technologies such as radio frequency identification (RFID) chips.
Last year the Commission consulted on whether or not to regulate the IoT and, if so, to what extent. It has now revealed that there were more than 600 respondents to its consultation and that there was a broad split between business groups and civil society representatives on the appropriate data protection standards that should apply to the network.
In general, whilst business groups said that existing data protection laws were appropriate to govern activities covered by the IoT concept, civil society groups said those rules were “not sufficient” and that further privacy protections are required.
However, there was broad consensus among respondents on the need for guidelines and standards covering data confidentiality, integrity and availability within the IoT, the Commission said. Just over 92% of respondents agreed or strongly agreed that such guidance and standards are required, it said.
“The need for guidelines and standards was put forward by a vast majority of respondents, with several of them underlining the need for international cooperation in a ‘globally operating internet’,” the Commission said in a report summarising the responses to its ‘internet of things’ consultation. (26-page / 134KB PDF) “For example, 92% of the respondents agree that guidelines and standards should be created to ensure data confidentiality, integrity and availability in an IoT context.”
“Many respondents are of the view that such guidelines and standards should be developed ‘within a multi-stakeholder framework, with the participation of consumer organizations, civil society and regulatory authorities in addition to public authorities and private stakeholders’. For many respondents binding tools are required, whilst for others guidelines should spell out a general and technology agnostic approach to security problems,” it said.
“Cooperation was put forward by certain respondents, as a way to ensure security on an end-to-end basis in an IoT context,” the Commission added. “An industry association advocated in particular a ‘continued and sound breach notification policy’. For them, such a system should be ‘reasonable and avoid being over-burdensome on organizations (i.e. it should not entail a ‘real-time’ notification system or low reporting thresholds)’. It might encompass both security and privacy breaches.”
In a separate factsheet on privacy, data protection and information security (9-page / 709KB PDF), the Commission identified several privacy implications inherent in the IoT concept. It said that there were concerns about personal data being used for purposes beyond what individuals agree to as a result of the “proliferation” of information, and that profiles could be created about individuals “more easily”, among other things.
“It can reasonably be forecast, that if IoT is not designed from the start to meet suitable detailed requirements that underpin the right of deletion; the right to be forgotten; data portability; privacy and data protection principles, then we will face the problem of misuse of IoT systems and consumer detriment,” the Commission said.
The Commission said that, in order to address the issues, a new regime on “privacy, data protection and information security risk management” could be created. The Commission appeared to favour the creation of new legislation to develop a “common binding European Data Protection Impact Assessment Framework for IoT” as the best option to address the risk management issue.
The Commission said that this option “seems to be appropriate” after revealing concerns about the “divergence” that could occur if member states were allowed to develop self-regulatory regimes.
In addition, the Commission said that “binding law in combination with increased level of data protection enforcement” appears to be “the most promising option” in order to ensure privacy considerations are built-in at the design stage for IoT technology and that consumers have trust in the network.
The Commission said that it will “develop future policy initiatives” based on the information it has published on the IoT consultation. In addition to its report on the consultation it held and the factsheet on privacy and security, the Commission also published factsheets on IoT architecture, ethics, governance, identification and standards.
The Commission said that CASAGRAS, the ‘Coordination and support action for global RFID-related activities and standardisation’, has defined what is meant by the ‘internet of things’.
The definition states that the IoT is “a global network infrastructure, linking physical and virtual objects through the exploitation of data capture and communication capabilities”. CASAGRAS said that “this infrastructure includes existing and involving Internet and network developments” and “will offer specific object-identification, sensor and connection capability as the basis for the development of independent cooperative services and applications”. It said that “these will be characterised by a high degree of autonomous data capture, event transfer, network connectivity and interoperability”.