It is now four months after the General Data Protection Regulation (EU) 2016/679 (“GDPR”) came into force. One of its objectives is to create uniform standards for data protection in Europe and to adapt data protection to technical progress. In addition, the “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications” (“E-Privacy Regulation”) was originally also to come into force as the successor to the corresponding Directive, though it now appears likely to come into force only in 2019. The E-Privacy Regulation is also an EU legal act which is directly applicable in the Member States without having to be transposed into national law. It is intended to protect electronic communications content and electronic communications metadata as well as end-users’ terminal equipment information. It is important to note that its protection is not limited to personal data, as it is in the GDPR, and therefore covers an even wider range of protected information and data. This post looks at the implications of the E-Privacy Regulation for IoT manufacturers, starting with a short summary of the GDPR and some of its effects.
The GDPR and its implications for the IoT market
Many companies, including IoT manufacturers (manufacturers of intelligent devices, such as connected cars) offering services that require the processing of the user’s personal data, are still under pressure to implement the new requirements and to adjust their business processes. These requirements – for example Articles 13 and 14 GDPR, which obligate IoT manufacturers to provide end-users with comprehensive information about the processing of their personal data – have resulted in a significant workload as well as administrative challenges. Moreover, consent forms, especially where consent is declared via a web form, are still under review. It is a challenge for companies to provide all the information an end-user needs in order to declare his/her consent to such data processing in a sufficiently informed and transparent way.
Apart from this continuous workload, general questions remain regarding the concept of the GDPR itself. This is especially true as regards the relationship between the GDPR and new technologies such as blockchain, which is becoming more and more relevant for IoT manufacturers; connected car manufacturers, for example, have recently discovered the benefits of blockchain for their smart services. However, key principles of blockchain, such as the decentralized network concept, the immutability of the data stored in the blockchain and its permanent storage, so far do not seem to comply with the key principles of the GDPR (see our article from 24 July 2018, “The GDPR and Blockchain”).
E-Privacy Regulation
Potentially just as important as the GDPR for IoT manufacturers is the upcoming E-Privacy Regulation. With regard to machine-to-machine communication (“M2M communication”), the draft text of the European Commission’s proposal for the E-Privacy Regulation, dated 10 January 2017, included language that could have been interpreted to mean that any transmission of data from one machine to another would be considered the provision of an electronic communications service. As a result, IoT manufacturers would in fact have been providing electronic communications services within the scope of the E-Privacy Regulation. Therefore, in most cases, IoT manufacturers would have needed the end-user’s consent to transmit data from one connected device to another connected device. The performance of the respective contract with the end-user would not have served as a legal basis for such processing under the E-Privacy Regulation. This is an important deviation from the GDPR, under which the processing of personal data is lawful when it is necessary for the performance of a contract. The E-Privacy Regulation, however, is very much focused on the data subject’s consent, which means more administrative workload as well as legal uncertainty for companies (e.g. how can a data subject declare his/her (revocable) consent so that it covers all future relevant data processing activities in an IoT context?).
IoT manufacturers therefore welcomed the amendment of Recital 12 in the E-Privacy Regulation draft of the Council of the European Union. Recital 12 of the latest draft distinguishes between the application layer of M2M communication and the underlying transmission layer for the conveyance of signals via an electronic communications network. It identifies only the latter, the transmission layer, as constituting an electronic communications service; consequently, only that information and data falls within the scope of the E-Privacy Regulation and needs to be protected by the underlying carrier service (e.g. the internet network provider).
Despite the welcome development described above, IoT manufacturers should continue to take an active interest in the latest developments in the E-Privacy legislation drafts. For instance, smart devices like connected cars could still ultimately constitute end-users’ terminal equipment. According to Article 8 of the E-Privacy Regulation draft, “making use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned” is prohibited unless one of the exemptions in Article 8 of the E-Privacy Regulation draft applies. Where the end-user uses the service of a connected car, that exemption in most cases would be the end-user’s prior consent (compare Article 8 (1) (b) E-Privacy Regulation draft). However, it remains unclear how such consent could be provided sufficiently by end-users, especially where the end-user of e.g. a connected car changes.
In general, the GDPR’s requirements for valid consent also apply under the E-Privacy Regulation (compare Article 4 a (1) E-Privacy Regulation draft), and as such the particular circumstances of using connected devices are not taken into account. Although Article 4 a (2 a) of the E-Privacy Regulation draft stipulates that “as far as the controller is not able to identify a data subject, the technical protocol showing that consent was given from the terminal equipment shall be sufficient to demonstrate the consent of the end-user according Article 8 (1) (b)”, this appears to solve only part of the issue of a changing end-user of e.g. a connected car, as the interpretation of “not able to identify a data subject” remains unclear.
Today, the Working Party on Telecommunications and Information Society (a preparatory body of the Council of the European Union) discussed the latest draft from 20 September 2018 of the E-Privacy Regulation.