A recent study conducted by 25 data protection authorities from different countries around the world, in which more than 300 Internet of Things devices were analysed, concluded that six in ten Internet of Things devices don’t give customers proper information on how their personal data is being collected and used.
The work was coordinated by the Global Privacy Enforcement Network, an informal network composed of over 60 privacy enforcement authorities in 39 different jurisdictions around the world. The network’s aim is to foster cross-border cooperation among privacy regulators in an increasingly global market which relies on a seamless flow of personal information across borders. When carrying out the study, each participating authority could choose to examine general categories of Internet of Things devices, such as health devices, or more specific groups, such as smart TVs. They could also choose what to examine, for example the product information or what happened when the researchers interacted with the products. A number of the devices examined could collect a great deal of – often sensitive – personal data such as health data and financial information. Out of all of the devices examined:
- 59 per cent didn’t adequately explain how the customers’ personal information was collected, used and disclosed;
- 68 per cent failed to properly explain how information was stored;
- 72 per cent didn’t offer an explanation of how customers could delete their information from the device; and
- 38 per cent did not include easily identifiable contact details if customers had privacy concerns.
Currently in Sweden, the Personal Data Act regulates the collection and usage of personal data. However, starting from 25 May 2018, the new General Data Protection Regulation (GDPR) will enter into force, replacing local personal data acts throughout the EU. The GDPR strengthens individuals’ rights, imposes heavier – and to some extent new – obligations on companies and is backed by high fines in case of non-compliance. The study shows that there is still a widespread lack of awareness of the importance of information requirements and of the steps that must be taken for an Internet of Things product to be compliant with privacy regulations. The fact that non-compliance may lead to fines of up to 4% of the global turnover under GDPR constitutes a strong incentive for everyone active in the Internet of Things to step up their game regarding privacy compliance. It is important to keep in mind that taking privacy seriously and addressing the GDPR properly is not only a matter of compliance – it is as much a matter of gaining consumers’ trust.