How the IoT is challenging data protection

Companies have to utilize the pioneering technologies of the Internet of Things to stay competitive. However, that can quickly become extremely tricky in terms of data protection!

Can data protection standards satisfy the requirements of the IoT?
Image: © your123 / Adobe Stock

The IoT: data-driven, data-hungry, data-needy

The Internet of Things (IoT) describes the concept of networking physical objects with the Internet for a specific purpose. The devices communicate with each other and with their users, work independently, and do not require regular monitoring and control from users. Precise data is collected in large quantities and analyzed in real time. Combined with AI applications, the technology offers a wide range of powerful application possibilities for companies of nearly all sizes and in all business fields.

The IoT has now made its way into almost all areas of our lives and we can no longer do without it, whether in the world of Industry 4.0 or our personal day-to-day activities at home. To realize the textbook examples typically used to demonstrate the IoT’s possibilities, such as autonomous driving, smart cities, or the personalization and optimization of healthcare, the IoT is reliant on enormous amounts of data.

Are security risks to be expected with the IoT?

Since this data is predominantly personal data, the IoT and its applications bring along completely new challenges for data protection and people’s right to determine what information is collected about them and how it is used. The wide, public debate about wearables, such as smart watches and fitness trackers, collecting health data comes to mind here. The need to comprehensively equip the public space with motion sensors in order to enable autonomous driving has also been intensively discussed.

Early last year, the data leak scandal surrounding Wi-Fi light bulbs, called “smart lights”, was all over the press. People were warned that criminals could easily exploit security vulnerabilities in IoT devices to steal sensitive data and make ransom demands. A horror scenario if sensitive business and customer data is lost! To prevent that from happening, binding security standards, best practices, and universally recognized certificates are needed. It is possible to use the IoT in a way that conforms to data protection regulations, but it requires clear rules and frameworks.

The IoT and the GDPR

Of course, the GDPR also applies to the Internet of Things. Since May 2018, the General Data Protection Regulation has stipulated the basic rules for processing personal data at a European level. However, the GDPR will obviously only be relevant to IoT applications if they actually process personal data, for example in the following cases:

  • Acoustic, optical, or biometric sensors that process personal data are used.
  • The place where a sensor is used allows conclusions to be drawn about a person’s habits (e.g. motion sensors).
  • A link to a person can be established whenever a user signs in with their name or other identifiers in order to use or control the IoT application.
  • If a user communicates with an IoT application, the processing of IP addresses or the analysis of MAC addresses for presence detection, for example, can make it possible to identify the person.

It is the responsibility of the providers of IoT applications to ensure that GDPR-compliant data protection and security concepts are implemented. To verify this, companies using the IoT applications must carry out a data protection impact assessment (DPIA) as set out in the GDPR and make sure that the sensors do not collect any more data than is absolutely necessary for fulfilling the relevant commercial purpose. The GDPR’s principles of data minimization and purpose limitation must be adhered to. The use of anonymized data is only permitted if it is properly anonymized, i.e. information can no longer be traced back to individual persons, even when different anonymized datasets are combined.

Legal frameworks such as the GDPR may provide orientation and legal certainty, but the IoT is characterized by the following aspects:

  • Enormous diversity and scope
  • A vast array of forms and application fields
  • Rapid evolution with constantly new technologies and areas of use

In short: the IoT is not static and therefore cannot be covered by a single version of formulated rules. Against the backdrop of the new 5G standard, the playing field for the next technological IoT revolution has already been laid out. Accordingly, data protection laws need to be flexible and quickly adaptable. Can legislation even manage to do that and measure up to the IoT’s requirements?

Is the IoT a threat to data protection? It’s more the other way around!

The Internet of Things is already a significant economic factor and will be even more so in the future. After all, the Internet-enabled products first have to be purchased and used. Private consumers, companies, and the public sector alike have to invest considerable amounts of money in order to benefit from the technological standards in the first place.

For companies, investing in IoT projects pays off because processes can be made more efficient and customer needs can be met in a more targeted way, which in turn saves costs. Not only do the tech producers and client companies have a vested interest in promoting the Internet of Things even further, but so do individual countries, since they also benefit from the economic potential of the use of IoT applications.

Binding security standards could allay the data protection concerns currently hampering the market, contribute to wider acceptance of IoT technologies, and give the IoT market a boost. Most companies, for instance, are not yet fully leveraging the possibilities that IoT already offers and merely focus on optimizing existing processes and products to reduce costs. Developing new business models or services has been much less of a focus so far. The uncertainty due to a lack of IoT applications that operate reliably in compliance with data protection regulations probably plays a big role in that. The “Internet of Things 2020” study conducted by the trade magazines Computerwoche and CIO even stated data protection and security concerns as the main reason for the reluctance of many companies.

In light of all this, data protection is currently more of a threat to the Internet of Things than the other way around. However, all stakeholders have the responsibility to define binding rules that can be adapted to keep pace with this rapid evolution. Without the appropriate efforts of the developers of IoT applications, a feasible and legally sound solution cannot be expected for companies. This is absolutely essential, though, for building a foundation of trust for the future. European developers should see this as a huge opportunity for seizing market shares from dominating non-European providers.