Influence of the “Internet of Things” on Legislation
Regarding the Protection of Individual Privacy
Jean-François Henrotte
Partner in the elegis law firm and Director of the “Revue du Droit des Technologies de l’Information”
www.elegis.eu – www.rdti.be
jf.henrotte@elegis.be
today’s societal challenges”4, more and more authors are
also pointing out that it calls into question our concept of
private life and its protection.
Abstract
The “Internet of Things”, considering its characteristics,
calls for developing third-generation data protection with a
new field of application and greater use of the technology
itself for resolving the problems it poses.
The right to protect private life has evolved gradually over
the years, mirroring technological progress5. Firstgeneration laws on the protection of individual privacy
were founded on Article 8 of the European Convention for
the Protection of Human Rights6. This first-generation
basically grants a “right to be left alone” 7. Protection is
understood as a prohibition on processing certain sensitive
Introduction
Network technology as we know it, with the Internet
centre-stage, is on the dawn of another quantum leap.
Progress on miniaturization and wireless communications
presage the imminent interconnection of the things
surrounding us, to form a vast network: "the Internet of
Things"1.
In this scenario, seriously envisaged by several
governments worldwide2, things used in daily life will
communicate with each other or to other entities (people or
machines) information they have collected on their
environment, using their various sensors.
Although this permanent interconnection, this “ambient
intelligence” 3, is expected to “contribute to addressing
2006; Poullet, Y., "La protection des données: un nouveau
droit constitutionnel. Pour une troisième génération de
règlementations de protection des données"
297 and
Rouvroy, A., "Privacy, Data Protection, and the
Unprecedented Challenges of Ambient Intelligence",
Studies in Ethics, Law, and Technology, 2008, available at
the
address:
http://works.bepress.com/antoinette_rouvroy/2;
4
See the Communication from the Commission to the
European Parliament, the Council, the European Social and
Economic Committee and the Committee of the Regions
"The Internet of Things - an action plan for Europe"
COM(2009) 278 Final, 2.
5
Poullet, Y., " La protection des données: un nouveau droit
constitutionnel. Pour une troisième génération de
règlementations
de
protection
des
données",
www.crid.be/pdf/public/5188.pdf.
6
The European Convention for the Protection of Human
Rights
of
4
November
1950,
conventions.coe.int/Treaty/EN/Treaties/Html/005.htm
7
The famous "Right to be left alone" defended by Warren,
S., and Brandeis, L., in their article: "The right to
privacy", 4, Harvard Law Rev., 193 (1890), groups.csail.
mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_
warr2.html.
1
See the 2005 report of UIT www.itu.int/dms_pub/itus/opb/pol/S-POL-IR.IT-2005-SUM-PDF-E.pdf; or the
2001 report of ’ISTAG ftp://ftp.cordis.europa.eu/pub.ist/
docs/istagscenarios2010.pdf.
2
See the Communication from the Commission to the
European Parliament, the Council, the European Social and
Economic Committee and the Committee of the Regions
"The Internet of Things - an action plan for Europe"
COM(2009) 278 Final or the NIC report: "Global trends
2025: the national intelligence council's 2025 project",
www.dni.gov/nic/NIC_2025_project.html.
3
Greenfield, A., "Everyware: the dawning age of
ubiquitous computing", New York, New riders publishing,
86
data and protecting various spheres, both physical and
communications-related.
In recent years, technological progress led to secondgeneration laws on the protection of individual privacy
(Convention no. 108 of the Council of Europe8, Directive
95/469 or Article 8 of the European Charter of Human
Rights10) which while remaining concerned with data and
its nature, focus on data processing. The processing of
personal data gives rise to a disparity of information
between the party processing the data and the person to
whom that data relates. The disparity results in an
imbalance of power to the detriment of the person whose
data is being processed. The emphasis is now on rules
governing data processing and the need for transparency,
in order to restore the balance and guarantee an
informational right of self-determination for all11.
The data no longer directly concerns the actual person - but
an object belonging to them. 12. This allows monitoring
indirectly but with certainty, the behavior of the object’s
owner and even predicting future behavior through an
analysis of the latter’s habits. The example of the RFID
chip speaks volumes in this regard. The route taken by
anyone carrying a card fitted with this type of chip can be
tracked easily. All they need to do is walk in front of
terminals fitted with the same technology. The technology
records habits without any visible physical contact between
the reader and the tag; the card-holder may remain
blissfully unaware of this happening. Notably, this allows
creating made-to-measure advertising and knowing where
and when to display it. In fact, imagine the owner of an
RFID card bought a large number of books of the same
genre at a bookshop. On walking past an RFID terminal at
a bookshop in the same chain the card-holder is struck by
an advertising message recommending them to purchase a
particular book in the same genre! Better still, a discount
voucher could be displayed for an item not usually
purchased by the card holder, in order to optimize the
marketing budgets: why grant a reduction for an item the
card-holder will to all intents and purposes, purchase? The
technology can thus anticipate and create expectations in
the consumer….
Calling key concepts into question
Life-changing technology…
The “Internet of Things” is based on technology with
acronyms like RFID (for Radio Frequency Identification)
chips, geo-location via GPS (for Global Positioning
System) or NFC (Near Field Communication) etc.
This “ambient intelligence" technology creates a new
type of data or even a new generation of data. The data is
linked to possession of an object belonging to a person.
… revolutionizing the law!
The law must in turn adapt to the new technological
developments. At present, the second-generation of data
protection regulations appears powerless to regulate the
"Internet of Things". The protection of individual privacy
will henceforth be achieved through the “protection of
objects-related data”. Those responsible for processing
data are no longer concerned as to the identity of the
subject (if they were in fact, ever so concerned), for the
technology now allows achieving far more efficient results
without the unique identifier of personal identity. Without
"identifiability" at the centre of the definition of personal
data13, the second-generation of laws are not applicable.
8
The Convention of 28 January 1981 on protection from
the
automated
processing
of
personal
data
conventions.coe.int/Treaty/EN/Treaties/Html/108.htm.
9
Directive 95/46/EC of 24 October 1995 on the protection
of individuals with regard to the processing of personal
data and on the free movement of such data, OJEC L 281,
23 November 1995, 31–50 ; www.eur-lex.europa.eu.
10
Charter of Fundamental Rights of the European Union,
OJEC C 303, 14 December 2007; www.eur-lex.europa.eu.
11
Right enshrined by the Karlsruhe Federal Constitutional
Court 15 Dec.1983, EuGRZ, 1983, 588 and f. On this
decision, see Riedl, E.H., "New bearings in German Data
Protection", Human Rights Law Journal, 1984, Vol. 5,
no.1, 67 and s; Brouwer, E., Digital Borders and Real
Rights, Nijmegen, Wolf Legal Pub, 2007. On 27 February
the German Federal Constitutional Court recalled this
decision and on the basis of the same reasoning,
proclaimed a new constitutional right: "the right to
guaranteed confidentiality and integrity of information
systems" (Das Recht auf gewâhrleistung der
vertraulichkheit und integrität informationtechnischer
Systeme) MMR, 2008, 303 with a critical note from
Hoeren, T., (MMR, 2008, 366); RDTI, 2009/34,
http://www.rdti.be with a note from De Hert, P., de Vries,
K., and Gutwirth, S.
The issue of the subject’s consent is also central to the
"Internet of Things". In fact, with the arrival of personal
data protection consent to process personal data was
obtained from the subject, prior to collection of the data.
With the emergence of “ambient intelligence”, consent is
no longer sought systematically for each processing event on the pretext of increased convenience. In fact, compiling
data is performed more insidiously - without consulting the
subject. The data is gathered from an object owned by
them. Thanks to this technology, the data processer can
12
In fact, in the Internet of Things, the data collected are
not personal except by a consequential effect. The data
refers to an object, itself linked to the person possessing it.
13
Article 2, a) of Directive 95/46.
87
today dispense with the consent of the subject to the
collection of data and the latter thus forfeits control over
the information14 they wish to provide.
Again, the case of the RFID chip15 illustrates the
argument very well. The technology is already widely
installed, facilitating an analysis of its impact in the legal
context. Consider, for example RFID chips incorporated in
the satchels of children attending school nurseries in order
to monitor their attendance and then bill the parents
accordingly. Another example which comes to mind is the
“Mobib” travel card issued by the Brussels public transport
company, also fitted with a RFID chip to speed up and
facilitate the throughput of passengers and payments for
tickets. In both cases, what consent does the subject give?
Is it really “informed”? Even leaving out the issue of the
position of the children involved 16, the parents do not
really have many options other than to accept the chip,
unless they send their child to another nursery. The same
situation applies to the commuter. Consent, given once for
the “insertion” of the chip in casu, is not subsequently
repeated. As a result, the incorporation of new technology
in daily life becomes ever more commonplace, in the name
of increased convenience.17. Confronted by the changes,
the concept of “consent” - central to the right to privacy in
personal life - must be reviewed as part of the process.
The European Commission’s action plan as a
premise of additional protection for individual
privacy
The European Commission considers that RFID
technology and the “Internet of Things” are factors
promoting growth and employment, capable of improving
the quality of life and improving efficiency. Notably in the
fight against counterfeiting, the management of electronic
waste and hazardous substances.
Yet the Commission has not closed its eyes to the
collateral damage the arrival of this technology could
cause. Its ambition is thus to control the emergence of the
phenomenon so the ethical aspects are taken into
consideration, ensuring the Internet of Things is an
“Internet of Things for Individuals”.
In a communication dated 15 March 200719 the
Commission stated further details and information would
be provided on the issues of data protection and individual
privacy raised by RFID applications. This was
accomplished by the recommendation of 12 May 2009 on
implementing the principles of respect for individual
privacy and data protection in radiofrequency-based
identification applications.20.
On 18 June 2009 the Commission also adopted a
communication entitled “The Internet of Things – an action
plan for Europe”21, which seeks to address all the
consequences of the emergence of the Internet of Things.
In 2010 the Commission intends to publish a broader
Communication on privacy and trust in the ubiquitous
information society22.
What solutions should we commit to? Should we envisage
a technical solution to this technical problem18, a third
generation of legislation as advocated by Yves Poullet?
14
In this connection: Rouvroy, A., and Poullet, Y., "The
right to informational self-determination and the value of
self-development. Reassessing the importance of privacy
for democracy", Reinventing Data Protection, Netherlands,
Springer, 2009, 45 and f.
15
DUMORTIER, F., "L’utilisation de la biométrie et des
RFIDs dans le cadre de l’espace européen de liberté, de
sécurité et de justice : une affaire de balance ou une
question de dignité ?", ERA Forum 9.4 (2009).
16
On this topic see: Opinion of the Article 29 Group
2/2009 on the protection of personal data regarding
children General principles and the special case of
schools),
WP
160
of
11
February
2009,
ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/
wp160_fr.pdf.
17
Dumortier, F., Moiny, J.-Ph., Van Gyseghem, J.-M.,
Venet, O., Hertmans, O., and Laurent, M., "Un badge à
l'école, la puce à l'oreille !", Le Soir, 25/09/2008,
www.lesoir.be.
18
Poullet, Y., " La protection des données: un nouveau
droit constitutionnel. Pour une troisième génération de
règlementations de protection des données", 357. Yves
Poullet quotes Clarke, C., "The answer to the machine is in
the machine", in The future of Copyright in a digital
Recommendation 2009/387/EC is of interest insofar as it is
one of the first European documents 23 which, without
environment, Hugenholtz, B., (ed. Kluwer), 1996, 139 and
f.
19
"Identification by radiofrequency (RFID) in Europe:
towards a political framework", COM(2007) 96 final,
www.eur-lex.europa.eu.
20
Recommendation 2009/387/CE, OJEC L 122 of 16 May
2009, www.eur-lex.europa.eu.
21
COM/2009/0278 final, www.eur-lex.europa.eu.
22
COM/2009/0278 final, 6, www.eur-lex.europa.eu.
23
Yves Poullet see already in Directive 2002/58 of 12 July
2002 on the processing of personal data and the protection
of individual privacy in the electronics communications
sector, the forging of the third generation (Poullet, Y.,
collaboration Henrotte, J.-F., "La protection des données (à
caractère personnel) à l´heure de l´Internet" in Protection
du consommateur, pratiques commerciales et Technologies
de l´Information et des Communications, CUP, LouvainLa-Neuve, Anthemis, March 2009, vol. 109, 231 and f.
88
being mandatory, is clearly moving towards a third
generation of data protection for the retail trade.
Retailers must conduct an assessment of the implications
of the application implementation for the protection of
personal data and privacy, including whether the
application could be used to monitor an individual24.
Whether or not there is a likely threat to privacy or to
the protection of personal data, operators should inform
individuals of the presence of tags that are placed on or
embedded in products using a common European sign,
developed by European standardisation organisations, with
the support of concerned stakeholders25.
immediately or at a later stage, deactivate or remove these
tags29.
Deactivation or removal of tags should not entail any
reduction or termination of the legal obligations of the
retailer or manufacturer towards the consumer. This
represents substantial progress, since unlike Directive
2002/5830 and its Article 5.3, the recommendation provides
that consumers mindful of the need to protect their privacy,
should not be penalized.
Conclusions
The Commission then details implementing consumers’
right to the “silence of the chips”26 .
If the privacy and data protection impact assessment
concludes that tags that are used in a retail application and
would remain operational after the point of sale represent a
likely threat to privacy or the protection of personal data,
retailers are obliged to deactivate or remove the tags at the
point of sale, immediately and free of charge for the
consumer, unless consumers, after being informed of the
policy, give their consent to keep tags operational. The
deactivating of tags shall not require the active
involvement of the consumer27.
Even if the privacy and data protection impact
assessment concludes that tags that would remain
operational after the point of sale do not represent a likely
threat to privacy or the protection of personal data, retailers
28
should make available free of charge an easy means to,
Most players and authors concur in acknowledging that the
Internet of Things poses a threat to individual privacy and
the right to informational self-determination and that the
present protection measures cannot remedy the situation
given, inter alia, their restricted scope of application.
The technology itself may afford a partial solution to the
difficulties and threats it poses (for example, through the
option of deactivating the chips) but it must be controlled
(if the faculty exists, it must be clearly notified and not
seek refuge behind non-use of the faculty).
For the moment, no doubt in response to constant
complaints about over-regulation, the European
Commission is not legislating, but restricting itself to
issuing recommendations to Member States and
companies. Why not? The Commission will reassess the
recommendation’s impact in three years’ time. Whether
by self-regulation or legislation, the new practices created
by this increasingly omnipresent technology must be
controlled. The third generation of data protection (no
longer exclusively for personal data) will not replace
earlier ones but supplement them and adapt the law to
changing technological practices 31.
24
Para. 5 of the recommendation.
Para. 9 of the recommendation. Para. 7 of the
recommendation, more ambiguous, since it provides this
obligation "without prejudice to the obligations of data
controllers, in accordance with Directives 95/46/EC and
2002/58/EC", presages the policy of a concise, accurate
and easy to understand information policy to operators
indicating the data that may be processed using the
application, “in particular if personal data will be
processed” and whether the location of the tags will be
monitored, indicating that the information policy would
apply even if there is no processing of data of a personal
nature.
26
Expression borrowed from the communication "The
Internet of Things - an action plan for Europe",
COM/2009/0278 final, 6, www.eur-lex.europa.eu.
27
Para. 11 of the recommendation.
28
Only retailers processing data are covered by this
provisions pursuant to para. 14 of the recommendation.
Under the terms of para. 3.e) “‘operator’ means the natural
or legal person, public authority, agency, or any other
body, which, alone or jointly with others, determines the
purposes and means of operating an application, including
controllers of personal data using an RFID application”.
25
Acknowledgments
The author is especially grateful to Fanny Cotton, Jessica
Dallapicolla and Alexandre Cassart for their collaboration
for this paper.
29
Para. 12 of the recommendation.
Directive 2002/58 of 12 July 2002 concerning the
processing of personal data and the protection of privacy in
the electronic communications sector, OJEC L201, 31 July
2002, 37-47 ; eur-lex.europa.eu.
31
Poullet, Y., "La protection des données: un nouveau
droit constitutionnel. Pour une troisième génération de
règlementations de protection des données", 356.
30
89