GLOBAL: A large number of Internet of Things devices are NOT privacy compliant

An investigation run by 26 privacy authorities found that over 60% of the reviewed Internet of Things devices did not meet the requirements of data protection laws.

The findings of the investigation

The data protection authorities of 26 countries, acting together as the Global Privacy Enforcement Network, ran an investigation into Internet of Things technologies and concluded that over 60% of them are not fully privacy compliant.

Out of 300 reviewed devices:

  • 59% did not provide adequate information on how personal data is collected, used and communicated to third parties;
  • 68% did not provide appropriate information on how data is stored;
  • 72% did not explain to users how their data can be deleted from the device; and
  • 38% did not offer an easy way for users to contact the company with questions about privacy compliance.

Also, some health-related devices raised security concerns because they transmitted data to medical practitioners without encryption, leaving sensitive health data exposed in transit.

The impact on the Internet of Things industry

The comment from the Italian data protection authority on the results of the investigation is worth noting: it emphasised that the lack of privacy compliance of IoT devices is expected to erode consumer trust.

Internet of Things technologies are often regarded as the new “big brother”. If the industry wants to succeed, it needs to be trusted by users. To earn that trust, users need to be adequately informed about how their data is processed and to have full control over it, such as being able to delete it at their discretion.

This investigation could soon result in an expensive bill

The data protection authorities did not openly declare that they will issue sanctions against the entities whose devices were found non-compliant with privacy laws. However, this investigation should sound an alarm for manufacturers of IoT devices and for companies that use, or plan to use, such devices as part of their business.

The new EU General Data Protection Regulation will apply with effect from 25 May 2018, and the change most often highlighted is the massive increase in applicable sanctions: up to 4% of the global annual turnover of the breaching entity (or EUR 20 million, whichever is higher). But the Regulation does not just introduce sanctions; it also sets up a new set of rules aimed at giving individuals a higher level of control over the use of their personal data.

Adopting a Privacy-by-Design approach is one way to mitigate the risk of privacy sanctions. It should be combined with a thorough review of the Internet of Things technologies in use and a Privacy Impact Assessment (which the GDPR formalises as a Data Protection Impact Assessment for high-risk processing).

Implementing such changes may take years, considering that some companies already openly declare that they are unlikely to meet the deadline of 25 May 2018.
