How the EU's General Data Protection Regulation Will Protect Consumers Using Smart Devices.

Author: Rustad, Michael L.

    There is confusion over which data protection rules should apply to emergent technologies, such as artificial intelligence, 3D printing, virtual and augmented reality, robots, and smart devices. The privacy concerns that these emergent technologies raise are qualitatively different than those raised by earlier technologies, such as the telephone. For instance, companies are capable of collecting data about a consumer's everyday life on an unprecedented level because the connected devices in a smart home are interconnected in a single network. Thus, the entire system's cybersecurity may be compromised if a single product's weak security is breached.

    Smartphones, personal fitness trackers, smart televisions, and smart appliances produce substantial amounts of sensitive information, including browsing habits, purchasing patterns, real-time location, and personal health information. (1) Smart devices are autonomous, continuously harvesting, storing, and processing data without user control. (2) The Internet of Things (IoT) is rapidly evolving into the Internet of Everything, connecting consumer products ranging from alarm clocks to smart meters to driverless cars. (3) The ability of these devices to continuously collect and process data has raised a variety of privacy and security dilemmas because IoT devices are marketed and sold globally. (4)

    IoT makers create "devices or sensors--other than computers, smartphones, or tablets--that connect, communicate or transmit information with or between each other through the Internet." (5) These smart device makers determine how much data devices collect, the interface with users, and whether data is shared with third parties. (6) The European Union's (EU) General Data Protection Regulation (GDPR), (7) which went into effect on May 25, 2018, will affect many IoT makers offering their products to EU consumers, regardless of whether these IoT makers are located in Europe, because this new data protection law has an expansive extraterritorial effect. (8) The GDPR not only applies to organizations that process data in the EU, but also to any number of organizations outside of the EU either offering goods or services to EU consumers or monitoring the behavior of any data subject located in any of the twenty-eight signatories to the EU treaties (Member States). (9) The GDPR updated EU Data Protection law displacing the Data Protection Directive of 1995 (DPD). (10)

    Part II of this Article defines "IoT" and identifies both unique privacy and security risks created by continuously connected IoT devices. (11) Part II further identifies the key privacy and security issues that the IoT poses, with a close examination of the DPD's Article 29 Working Party. (12) Part II concludes that the IoT industry has yet to agree upon privacy and security standards for devices, and weak or nonexistent security standards endanger consumer privacy. (13) Part III then explores the likely impact of the GDPR on IoT's Privacy by Design. (14) The GDPR's net effect will ratchet up data protection for smart devices worldwide. (15) All IoT makers targeting EU end-users must design privacy into their devices to protect the rights of the data subject. (16) IoT devices are cross-border by definition, and therefore, all smart device makers must be GDPR compliant. (17)

    Because the GDPR will extend to IoT devices and their networks, controllers and processors will need to achieve compliance. (18) It is unclear how IoT makers will invest data subjects with GDPR rights--such as documenting consent--because some IoT devices do not have graphical interfaces. (19) A study of how EU privacy and data protection law will impact IoT makers--especially those targeting consumers in the EU--is required as the EU is the largest trade partner for eighty countries. (20)


    1. What is the IoT?

      The IoT "refers to the billions of physical devices around the world that are now connected to the internet, collecting and sharing data." (21) The digital intelligence of these devices enables them to communicate without human intervention and to combine the digital and physical realms. (22) The IoT, the latest frontier, includes physical objects embedded with sensors or actuators that are connected to a network. (23) Smartphones and devices that can connect to the IoT have the ability to control and interact with other devices connected to the IoT. "Some IoT companies even claim that their devices can 'learn' user behavio[rs] and adapt to them." (24)

      The IoT is "integrated into the world-wide network that covers almost everything and could be available anywhere." (25) Scholars predicted that by the end of 2018, "it [would] be nearly possible to connect virtually every device on earth. Of course, most devices won't be connected with each other due to cost constraints." (26) Nevertheless, internet-enabled cameras, baby monitors, thermostats, health-monitoring bracelets, smart refrigerators, and (eventually) driverless cars are increasingly used to record, send, and receive data. (27) By 2020, the number of IoT devices on the market is expected to reach more than 30 billion. (28) Soon, virtually every electronic device will be part of a global infrastructure:

      [I]n which billions of sensors embedded in common, everyday devices--"things" as such, or things linked to other objects or individuals--are designed to record, process, store, and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities. As the IoT relies on the principle of the extensive processing of data through these sensors that are designed to communicate unobtrusively and exchange data in a seamless way, it is closely linked to the notions of "pervasive" and "ubiquitous" computing. (29)

      "IoT devices connect through computer networks to exchange data with the operator, businesses, manufacturers, and other connected devices, mainly without human interaction." (30) IoT controls "everything from factory equipment to traffic lights and household appliances through the Web, creates vast opportunities for improved efficiency and convenience." (31)

      The paradox of the open Internet is that it systematically crosses national borders and disregards traditional consumer privacy everywhere. "Surveillance cameras, data brokers, sensor networks, and 'super cookies' record how fast we drive, what pills we take, what books we read, what websites we visit." (32) The development of the IoT means makers have a duty to collect and process personally identifiable data, "adopting privacy and data security best practices, only collecting consumer information with express consumer consent, and providing consumers with access to their data." (33)

    2. The Data Protection Working Party (WP29) Study of IoT Privacy and Security Risk Factors

      1. The EU

        The EU consists of twenty-eight Member States that pool their sovereignty to work together in a unified approach, allowing the EU to take the lead in harmonizing data protection law for the information age. (34) "The decision to pool the coal and steel industries of" Belgium, Germany, France, Italy, Luxembourg, and the Netherlands "brought into force by the Treaty of Paris in 1951, marked the first step towards European integration. The treaties of Rome of 1957 strengthened the foundations of this integration and the notion of a common future for the six European countries involved." (35) The Common Market was called the European Economic Community between 1957 and 1993. (36) "The term also refers to the 'European Communities,' which originally comprised the European Economic Community (EEC), the European Coal and Steel Community (ECSC; dissolved in 2002), and the European Atomic Energy Community (Euratom)." (37) "A further [twenty-two] countries have since joined the EU, including a historic expansion in 2004 marking the re-unification of Europe after decades of division." (38)

      2. Overview of the DPD

        The DPD gives data subjects control over the collection, transmission, or use of personal information. (39) "Directives require EU countries to achieve a certain result, but leave them free to choose how ... EU countries must adopt measures to incorporate [directives] into national law ... to achieve the [directive's] objectives." (40) The DPD requires each of the twenty-eight Member States to enact national legislation that protects "the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data." (41) Member States are free to enact national legislation that offers data subjects more privacy protection than the minimum dictates of the DPD. (42)

        The DPD defines the processing of personal data to mean all automatic or non-automatic operations on personal data including the "collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction" of data. (43) The DPD confers controllers with determining the "purposes and means of the processing of personal data" determined by community laws or regulations. (44) In contrast, processors do the actual processing of data under the direction of controllers. (45)

        The scope of the DPD encompasses the processing of personal data wholly or partly by automatic means where the data forms a file. (46) Some processing is outside the DPD's sphere of application, including public security, defense, state security, and criminal law investigations. (47) Many of the DPD provisions establishing data subject rights and limitations on the processing of data were adopted by the GDPR. (48) The DPD adopted a data minimization principle that data be "collected for specified, explicit and legitimate purposes and not further processed in a...
