IoT data deemed ‘personal’ by data watchdogs

Data protection authorities have agreed that data generated by Internet of Things (IoT) devices should be "regarded and treated as personal data".

At the 36th International Privacy Conference in Mauritius, the data watchdogs said as data from sensors is high "in quantity, quality and sensitivity", it is "more likely than not" that that such data can be attributed to individuals.

"Considering that the identifiability and protection of big data already is a major challenge, it is clear that big data derived from IoT devices makes this challenge many times larger. Therefore, such data should be regarded and treated as personal data," regulators said in a two-page declaration.

The conference, which included regulators from across Europe and Asia Pacific, made clear that IoT businesses ought to consider data from connected devices as subject to data protection laws.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "Assuming that all data generated by IoT devices is personal data is too simplistic and unhelpful insofar as it transfers the burden of proof onto data controllers to demonstrate otherwise.

"A better approach for all would be to undertake a considered analysis of the data generated by IoT devices, including analytics derived from their output, and use that as the basis for the organisation’s privacy strategy."

The declaration also called for transparency about the data collected, the purpose of the data and how long the data is retained.

"Data processing starts from the moment the data are collected. All protective measures should be in place from the outset," it said.

"We encourage the development of technologies that facilitate new ways to incorporate data protection and consumer privacy from the outset. Privacy by design and default should no longer be regarded as something peculiar. They should become a key selling point of innovative technologies."

The watchdogs also encouraged end-to-end encryption of data if local processing is not possible in efforts to minimise data security risks.

The news comes not too long after the EU data protection regulator warned manufacturers of the IoT that they may have to form new ways of gaining consumers’ consent to use their personal data.