[ARTICLE] IoT and GDPR

This article was written by our legal partner, Maître Garance Mathias, of the law firm Mathias, specialising in business law and personal data.

Regulation (EU) 2016/679[1], the so-called General Data Protection Regulation or GDPR, which has been discussed at length, came into force on 25 May 2018. This date has raised many concerns, especially among companies that will not be compliant in time. Rest assured: the president of the Commission nationale de l’informatique et des libertés (CNIL), Isabelle Falque-Pierrotin, has stated that the CNIL will show understanding towards entities that are not yet compliant[2].

Why is the GDPR raising so many misgivings, including within the ecosystem of connected objects? For the simple reason that it overhauls the approach to the protection of personal data. This change is nonetheless an opportunity for organizations to review their methods and gain in efficiency. This article outlines some of the key points of the GDPR.

A new relationship between the controller and the processor

In order to comply with the applicable regulation, entities implementing or participating in the processing of personal data must clearly define their status under the GDPR. The obligations of the controller, the joint controller and the processor are not the same.

The controller is the person having decision-making power over the purposes and means of the processing. It is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (GDPR, art. 4, 7°). The Article 29 Working Party (G29) summarizes this definition by considering that being “responsible for the processing results essentially from the fact that an entity has chosen to process personal data for purposes specific to it”[3].

The GDPR nevertheless specifies that this power can be held “alone or jointly”. When several controllers jointly define the purposes and means of the processing, they are qualified as joint controllers. The GDPR provides very little detail on this new concept. It does however imply a form of cooperation between joint controllers, and it is not necessary for all of them to participate equally in the determination of the means and purposes.

What about the processor? It is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (GDPR, art. 4, 8°). It may act only on the controller’s documented instructions.

The fundamental distinction between a processor and a controller is thus the decision-making power that the latter holds over the purposes and means of the processing.

In practice, an analysis of the factual elements of the processing implemented and of the role held by your entity is required (e.g. the level of instruction given or received by the party concerned, the degree of actual control exercised, the degree of autonomy …).

The relationship between the controller and the processor is closely regulated. The GDPR requires that this relationship be governed by “a contract or other legal act under Union or Member State law” (GDPR, art. 28, 3°). This legal act must contain certain minimum clauses, such as respect for the rights of individuals, the implementation of technical and organizational security measures, or the provision of useful information within time limits enabling the controller to comply with its obligations.

Moreover, the controller is not held accountable for its processor’s failures: the processor may itself be held liable for any contractual failure or breach of the provisions of the GDPR.

Contracts with providers and suppliers have to be reviewed in order to determine your status and obligations. The CNIL has published a guide for processors to alert them to, and support them in implementing, their actual obligations[4].

In other words, the designer, the distributor or any other actor with a role in the connected-object ecosystem has to be assigned a specific qualification. A mapping of the actors has to be drawn up.

Empowerment of personal data protection actors

One of the key words of the GDPR is “accountability”. Controllers have to implement “appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation” (GDPR, art. 24), such as internal and external audits, the drafting of a contractual data protection policy or the mapping of processing operations. In short, entities must implement measures and procedures to achieve this compliance, maintain it and prove it.

To ensure compliance, each measure or procedure put in place for data protection must be documented. For example, maintaining a record of processing activities, an obligation under the GDPR[5], is a means of demonstrating compliance. This register includes at least all information relating to the processing (e.g. name and contact details of the controller, purposes of the processing, a general description of the technical and organizational security measures, etc.). The CNIL has put online a model register of processing activities on which controllers and processors can draw[6].

The GDPR also introduces two new concepts that will be particularly important for the information systems security manager and for IT managers: privacy by design and privacy by default (GDPR, art. 25). Privacy by design implies that respect for privacy must be guaranteed from the conception of the processing operation (e.g. data minimization, pseudonymisation, transparency, etc.), whereas privacy by default requires that, by default, only the personal data necessary for each specific purpose of the processing operation are processed, and that only persons who need to know them have access to them.

It is therefore necessary to consider the impact that the processing of personal data could have on the privacy of users and to document all user data protection measures from the design phase onwards. Thus, from the design phase of an object, the manufacturer must understand the issues related to security as well as privacy by design and privacy by default.

Revised Basics

Apart from the fact that the implemented processing must respect the fundamental principles of the regulation (GDPR, art. 5), it must also rest on a lawful basis. The regulation introduces a change concerning the consent of the data subject. Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (GDPR, art. 4, 11°).

The G29 Working Party provides further details on this notion[7]. It is important to note that pre-checked boxes are now prohibited, failing which the consent is deemed not to have been freely given.

Where the processing of personal data is based on consent, it must be ensured that consent is obtained before the processing is carried out and that it can be withdrawn at any time.

Thus, the connected object will have to incorporate, or refer where necessary to another accessible medium, conditions of use such that:

  • The conditions of use do not require the user to consent by default to the use of personal data that are not necessary for the use of the object or application.
  • The conditions of use are clear, easily accessible and not written in overly technical or legal jargon.

Beware of profiling and automated decisions. Although these are distinct concepts, both must imperatively meet the requirements of the GDPR, in particular Article 22, 1°, which states that “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”. The G29 has clarified the distinction between these two concepts and stresses the importance of human intervention in the processing[8]. Where this type of data is collected and processed, the object designer will need to conduct a privacy impact assessment.

Enhanced security obligations

The GDPR also reinforces the security obligation for both controller and processor. They have to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate” (GDPR, art. 32). In doing so, they are required to take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks. The CNIL has published a security guide setting out the various security measures that can be taken (e.g. pseudonymization, encryption…)[9].

This security obligation gives rise to a new obligation to carry out a data protection impact assessment (GDPR, art. 35). The CNIL has developed software to guide data controllers through it[10]. Although such an assessment is mandatory only when the processing is likely to result in a high risk to the rights and freedoms of data subjects, it should be made a good practice within the organization, in particular for reasons of accountability and for the management of personal data breaches. Such breaches must be notified to the competent supervisory authority and, in certain situations, communicated to the persons concerned (GDPR, arts. 33 and 34).

Consolidated user protection

Data subjects have a new arsenal of rights, in particular the right to portability, the right to restriction of processing, the right to information and the right to erasure. Organizations are required to ensure the effective exercise of all the rights of the persons concerned. As such, specific procedures for managing these rights must be implemented and must be incorporated from the design of the processing.

The right to information is inseparable from the transparency principle and from the notion of consent. A person cannot give informed and unambiguous consent without having access to the necessary information and understanding it. Cookie notices as well as any legal notice must be revised to respect these principles. Please note that the information to be provided differs depending on how the personal data are collected: it must be determined whether the organization is collecting data directly from the person concerned or indirectly.

Each right carries obligations that are specific to it. For example, the right to data portability (GDPR, art. 20) allows the data subject to recover the personal data they have communicated and/or to request that their data be transmitted to another controller. It implies many obligations for the controller, in particular concerning the format of the data[11]. Data must be provided in a structured, commonly used and machine-readable format, and the controller must ensure that the formats used are interoperable. The G29 has clarified this point in particular[12].

One of the practical challenges will thus be to enable and guarantee the effective exercise of this right to portability and, more generally, of all user rights in the context of a connected object.

A new ally in personal data protection

The Data Protection Officer (DPO) is a new flagship role introduced by the GDPR (arts. 37 to 39). The DPO is the compliance conductor of the entity that designated him or her[13]. He ensures compliance with data protection regulations, procedures and internal policies. He is also responsible for accompanying and advising his organization in all decisions relating to the protection of personal data. He is an essential asset in data protection.

The appointment of a DPO is compulsory for some organizations:

  • Public authorities or public bodies
  • Organizations whose core activities consist of processing operations that require regular and systematic monitoring of people on a large scale
  • Organizations whose core activities consist of large-scale processing of sensitive data.

Even where it is optional, appointing a DPO will allow the organization to rely on an ally for its compliance with the GDPR, particularly with regard to accountability. Note that the DPO may be an internal or an external person.

Compliance with the GDPR is an ongoing exercise. As such, audit procedures must be put in place and regularly carried out. The fundamental role of those responsible for information systems security or IT management in ensuring compliance (e.g. defining the entity’s data security requirements, integrating data protection risks into risk analysis grids, etc.) should be emphasised.

The GDPR increases the penalties for non-compliance. Depending on the shortcomings found, financial penalties may amount to up to 20,000,000 € or 4% of the total worldwide annual turnover of the previous financial year, or up to 10,000,000 € or 2% of the total worldwide annual turnover of the previous financial year.

To sum up, the world of connected objects does not escape the GDPR, and it is necessary, independently of the economic aspects, to integrate this approach, a guarantee of transparency and trust, from the design stage and to maintain it throughout the entire life cycle.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. Available here: https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX:32016R0679

[2] Le Monde, “Protection des données : le texte européen qui hante les nuits des patrons de PME français”, 8 May 2018. Available here: https://www.lemonde.fr/economie/article/2018/05/08/protection-des-donnees-un-casse-tete-pour-les-entreprises_5295916_3234.html

[3] G29 Opinion 1/2010 (WP 169) of 16 February 2010. Available here: https://docs.google.com/viewer?url=https://cnpd.public.lu/content/dam/cnpd/fr/publications/groupe-art29/wp169_fr.pdf

[4] CNIL, Processor guide, September 2017 edition. Available here: https://www.cnil.fr/sites/default/files/atoms/files/rgpd-guide_sous-traitant-cnil.pdf

[5] Article 30 of the GDPR: “Each controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility (…) Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller”.

[6] CNIL article “Le registre des activités de traitement”. Available here: https://www.cnil.fr/fr/RGDP-le-registre-des-activites-de-traitement

[7] G29, Guidelines on consent under Regulation 2016/679, revised and adopted on 10 April 2018. Available here: https://docs.google.com/viewer?url=https://www.cnil.fr/sites/default/files/atoms/files/wp259_enpdf_consent.pdf

[8] G29, Guidelines on automated individual decision-making and profiling, revised and adopted on 6 February 2018. Available here: https://docs.google.com/viewer?url=https://www.cnil.fr/sites/default/files/atoms/files/20171025_wp251_enpdf_profilage.pdf

[9] CNIL guide, “La sécurité des données personnelles”, 2018 edition. Available here: https://docs.google.com/viewer?url=https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle.pdf

[10] CNIL website: https://www.cnil.fr/fr/rgpd-un-logiciel-pour-realiser-son-analyse-dimpact-sur-la-protection-des-donnees-pia

[11] Article by Mathias Avocats, “Droit à la portabilité : conseils pratiques”, 24 March 2018. Available here: https://www.avocats-mathias.com/donnees-personnelles/droit-a-la-portabilite

[12] G29, Guidelines on the right to data portability, revised and adopted on 5 April 2017. Available here: https://docs.google.com/viewer?url=https://www.cnil.fr/sites/default/files/atoms/files/wp242rev01_fr.pdf

[13] Article by Mathias Avocats, “DPO: quels reflexes?”, 3 October 2017. Available here: https://www.avocats-mathias.com/donnees-personnelles/dpo-rgpd