Devising a Plan for IoT Data Protection in a GDPR Era

In the 88-page General Data Protection Regulation (GDPR) document, there is no mention of Internet of Things devices. But make no mistake. GDPR will surely affect many Internet of Things deployments.

First, there’s the matter of consent. One of the central principles of the legislation, which went into effect in May, is that users must agree before a third-party collects their data. That may be intuitive if you’ve signed up for an email newsletter or when you are entering a website for the first time. It is, however, less clear to what extent that principle applies to IoT devices such as IP-based surveillance cameras in public spaces or technologies such as image and voice recognition that could be integrated into vehicles, office buildings and retail locations in the future.

In the home, IoT devices with screens will likely serve up the type of privacy-consent notifications you might see when visiting a website. European smart fridge owners have already seen such GDPR notifications. But the pop-up disclosure model doesn’t work with surveillance cameras. “You can ask a website owner to provide full transparency of all the actions you’ve taken on that site and delete your history,” said Yotam Gutman, vice president marketing at SecuriThings. It’s not so obvious what you would do when it comes to a security camera or in the case of facial recognition technology, although the European Union has specific rules governing how such footage is retained and who has access to it. In 2012, data protection officials in Germany concluded that Facebook was illegally storing a database of members’ headshots.

Smart speakers, one of the most popular IoT technologies, could also pose GDPR-based privacy questions as they grow more ubiquitous. If an unauthorized person obtains data from a smart speaker, that incident would fall under GDRP’s breach notification laws.

In the case of a breach — whether it involves a smart speaker, an IP camera, a website or something else — companies have 72 hours from the time they were made aware of the incident to notify all affected parties. “Think about if someone was able to hack into your residential CCTV monitoring systems,” Gutman said. “The service provider would have to inform you that this has happened, and offer remediation. In cases like this, I think we’ll see a large impact in terms of how GDPR applies to consumers and corporations.”

Gutman points to the case of an international vendor of a cloud-based video surveillance service, which invaded the privacy of its customers. The vendor has a support center located in another continent from where the majority of its users were. The focus of the support center is to connect to the companies’ devices, run diagnostics and ensure its products are working correctly. “When we ran their data through our algorithms, we found there was a specific group of cameras being accessed all the time by a specific group of technicians,” Gutman said. “They were checking on specific cameras and specific times of days.” European users of this services could file a GDPR complaint against the firm.

The stakes are high for offenders. Infringements can lead to fines of €20 million euros or 4 percent of the global turnover, whichever is higher.

Yet privacy invasions are bound to continue to rise as the number of IoT devices with the ability to surveil people grows. Users who feel compelled to seek privacy-based legal action are likely to base their claim on whichever legislation with the most stringent protections. Gutman said: “And now, that regulation is GDPR.”