IOT Devices Vs General Data Protection Law - EU.
What are IOT Devices?
In day-to-day life we use many technological devices to help with our activities and make life easier and more comfortable. The Internet of Things (IOT) refers to devices that can gather user-input data from different sensors and process it to provide accurate results to the user. These sensors can be voice recorders, motion-detection sensors, or any biometric sensors that take specific inputs from a specific user. These smart devices can share data and receive instructions through the internet, and they have the intelligence to share data with other IOT devices and systems to generate the best output result.
(Qawy & Tadisetty, 2015)
The Google Home device controller, the Amazon Echo Plus and Alexa control system, and the Bitdefender security solution are some of the world-famous IOT products. Most IOT devices follow a similar life cycle, as follows:
Even though IOT devices are built to help people, many legal issues are arising because most IOT devices collect personal data and share it with multiple data sources for processing without the users' knowledge. Those legal issues can be grouped under the following categories.
What is GDPR?
The General Data Protection Regulation (GDPR) is the most famous European regulation designed to protect citizens' privacy. The EU Commission has identified privacy as one of the key human rights that every person holds from birth. People have the right to protect data that they consider personal and sensitive. GDPR is the main regulation the European Union built to protect its citizens' privacy from all challenges.
GDPR has principles and laws designed to protect privacy from any data-gathering device, and this includes IOT devices too. But because of the way IOT devices are built and how they work, many privacy-related legal issues are occurring, violating many GDPR principles and regulations.
(GDPR, 2022)
Legal Issues in IOT devices
1. GDPR principle violations
There are seven data-protection principles in GDPR Article 5, and these principles are recognized as law under that article. Because of the way IOT devices work to achieve their purposes, some of these principles are being violated by IOT device manufacturers.
The first principle of GDPR says that data processing must be performed in a lawful manner and that all processing must be transparent. But most IOT devices, such as Amazon Alexa, the Amazon Echo controller, smart bands and activity trackers, collect data in a legal way but do not process that data transparently.
When we use those devices, we normally do not give authorization to transfer our personal data to other locations or to share it with other devices or systems for processing. Many users of IOT devices do not even know this happens. These are global devices: the user can be in one country while the data storage for the device is in another. Most users care about the features these devices bring but do not think about how the devices process their data. Because of that, most IOT device manufacturers are breaking this primary GDPR principle.
Data minimization is another important principle in GDPR. According to Article 5, section two, organizations that manufacture these devices may collect only the limited data from users that is enough to provide the specified service. But most organizations are violating this law: devices like Amazon Alexa and Echo and smart bands gather data from users, share that data across platforms and categorize it based on user behaviors, user preferences and so on. This data can later be processed for marketing or other purposes. Amazon has faced some legal issues because of this, but each time the company claimed that users give the data freely and willingly. According to the EU GDPR principles, however, this is a violation of the law.
(GDPR, 2022)
2. Privacy & Security Violations
IOT devices collect personal data from users 24/7. For example, smart bands include heartbeat sensors and other related sensors that allow users to track their medical conditions, and GPS sensors that track the users' locations. The inputs from these various advanced sensors can provide very useful services, but they also collect the user's private data. With access to this data, any third party can learn the user's medical details, personal location and other private details. The most critical part is that once we activate these functions, the devices collect the user's data continuously. Some IOT device manufacturers, such as Kuri, Belkin and Nest, do not use secure methods like end-to-end encryption to protect users' data, and they share the information with internal systems and their partners without the users' knowledge or approval.
(Bastos, et al., 2018)
GDPR Article 25 specifies that when storing and processing data, organizations must design protection methods for users' sensitive data that act by default.
Under Article 32, all personal data needs to be encrypted, and protection methods need to be applied by default to protect confidentiality and minimize security risks.
But organizations like Kuri, Nest and some others provide IOT devices at low cost, and these devices do not have advanced security procedures by default. This can be identified as a legal issue under the GDPR privacy regulations.
Article 40 of GDPR also includes codes of conduct that apply to data-processing applications. IOT devices gather data from many input methods and transfer that data to cloud-based data-processing applications. Most users do not know about this, and it violates the legal codes of conduct, such as fair data processing and transparency, by collecting personal data without consent under GDPR law.
(GDPR, 2022)
3. Consent Violations
There is always an agreement between product users and the product-manufacturing organization, and it is known as consent. According to GDPR Article 7, the user must provide the data willingly and freely, and the organization's data controller must protect and process this data in a way that is ethical and legal. With IOT devices, users agree to provide information to get specific results, but organizations like Amazon and Google use this data for many purposes other than the specified purpose.
Most IOT device users also do not know how IOT devices work. They do not know that these devices share data with other devices and systems and receive instructions through the internet. Most IOT device manufacturers do not clearly state how they process data. Most IOT device agreements state that the devices will receive instructions from internet-based systems but never reveal any details beyond that. This is a clear violation of GDPR Article 7 because IOT device manufacturers are not transparent with users.
(Azer & Bakr, 2022)
GDPR section 3 introduced rights for members of the general public, such as IOT device users, whose data has been gathered using various methods. Under this section, Article 18 specifies that users have the right to manage data processing and decide when data should not be gathered, but IOT devices collect and process data 24/7 without a break. Article 17 says users have the right to remove or erase data when needed. We can stop using the IOT device, but that does not remove our data permanently. Article 21 in this section specifies that users have the right to object, but when IOT devices use users' data for marketing-related purposes we cannot object, because there are no conditions in the IOT device agreements specifying those rights. Because of this, IOT device agreements violate the users' rights specified by the EU GDPR.
Conclusion
Among internet-related devices, IOT devices are some of the best known in the technology environment. Every major tech organization manufactures these devices, and because of the way they operate there are many legal issues and concerns among the public. This article introduced how IOT devices work and the GDPR laws, and explained how IOT devices create legal issues when collecting and processing sensitive personal data. Through this article I have identified three main categories of violations of data-processing laws and identified the relevant sub-sections and articles that IOT device manufacturers are violating without users' knowledge.
References
1. Azer, M.A., Bakr, A.A. 2022. IOT ethics challenges and legal issues: Introduction [Online]. Available at: <https://www.researchgate.net/publication/360974070_IoT_Ethics_Challenges_and_Legal_Issues> [Accessed: 02/09/2022].
2. Bastos, D., El-mausa, F. and Giubilo, F. 2018. GDPR privacy implications of the internet of things: Privacy implications [Online]. Available at: <https://www.researchgate.net/publication/331991225_GDPR_Privacy_Implications_for_the_Internet_of_Things> [Accessed: 01/09/2022].
3. General Data Protection Regulations – EU. 2022. Complete guide to GDPR compliance: GDPR Overview [Online]. Available at: <https://gdpr.eu/what-is-gdpr/> [Accessed: 01/09/2022].
4. General Data Protection Regulations – EU. 2022. General Data Protection Regulation: Article 5 [Online]. Available at: <https://gdpr.eu/article-5-how-to-process-personal-data/> [Accessed: 01/09/2022].
5. General Data Protection Regulations – EU. 2022. General Data Protection Regulation: Article 40 - Code of conducts [Online]. Available at: <https://gdpr.eu/article-40-proper-application-of-the-regulation/> [Accessed: 01/09/2022].
6. General Data Protection Regulations – EU. 2022. General Data Protection Regulation: Chapter 3 – Rights of the data-subjects [Online]. Available at: <https://gdpr.eu/tag/chapter-3/> [Accessed: 02/09/2022].
7. Qawy, A.A. and Tadisetty, S. 2015. Internet of things overview: Introduction [Online]. Available at: <https://www.researchgate.net/publication/323834996_The_Internet_of_Things_IoT_An_Overview> [Accessed: 01/09/2022].