Influence of the “Internet of Things” on Legislation Regarding the Protection of Individual Privacy Jean-François Henrotte Partner in the elegis law firm and Director of the “Revue du Droit des Technologies de l’Information” www.elegis.eu – www.rdti.be jf.henrotte@elegis.be today’s societal challenges”4, more and more authors are also pointing out that it calls into question our concept of private life and its protection. Abstract The “Internet of Things”, considering its characteristics, calls for developing third-generation data protection with a new field of application and greater use of the technology itself for resolving the problems it poses. The right to protect private life has evolved gradually over the years, mirroring technological progress5. Firstgeneration laws on the protection of individual privacy were founded on Article 8 of the European Convention for the Protection of Human Rights6. This first-generation basically grants a “right to be left alone” 7. Protection is understood as a prohibition on processing certain sensitive Introduction Network technology as we know it, with the Internet centre-stage, is on the dawn of another quantum leap. Progress on miniaturization and wireless communications presage the imminent interconnection of the things surrounding us, to form a vast network: "the Internet of Things"1. In this scenario, seriously envisaged by several governments worldwide2, things used in daily life will communicate with each other or to other entities (people or machines) information they have collected on their environment, using their various sensors. Although this permanent interconnection, this “ambient intelligence” 3, is expected to “contribute to addressing 2006; Poullet, Y., "La protection des données: un nouveau droit constitutionnel. Pour une troisième génération de règlementations de protection des données" 297 and Rouvroy, A., "Privacy, Data Protection, and the Unprecedented Challenges of Ambient Intelligence", Studies in Ethics, Law, and Technology, 2008, available at the address: http://works.bepress.com/antoinette_rouvroy/2; 4 See the Communication from the Commission to the European Parliament, the Council, the European Social and Economic Committee and the Committee of the Regions "The Internet of Things - an action plan for Europe" COM(2009) 278 Final, 2. 5 Poullet, Y., " La protection des données: un nouveau droit constitutionnel. Pour une troisième génération de règlementations de protection des données", www.crid.be/pdf/public/5188.pdf. 6 The European Convention for the Protection of Human Rights of 4 November 1950, conventions.coe.int/Treaty/EN/Treaties/Html/005.htm 7 The famous "Right to be left alone" defended by Warren, S., and Brandeis, L., in their article: "The right to privacy", 4, Harvard Law Rev., 193 (1890), groups.csail. mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_ warr2.html. 1 See the 2005 report of UIT www.itu.int/dms_pub/itus/opb/pol/S-POL-IR.IT-2005-SUM-PDF-E.pdf; or the 2001 report of ’ISTAG ftp://ftp.cordis.europa.eu/pub.ist/ docs/istagscenarios2010.pdf. 2 See the Communication from the Commission to the European Parliament, the Council, the European Social and Economic Committee and the Committee of the Regions "The Internet of Things - an action plan for Europe" COM(2009) 278 Final or the NIC report: "Global trends 2025: the national intelligence council's 2025 project", www.dni.gov/nic/NIC_2025_project.html. 3 Greenfield, A., "Everyware: the dawning age of ubiquitous computing", New York, New riders publishing, 86 data and protecting various spheres, both physical and communications-related. In recent years, technological progress led to secondgeneration laws on the protection of individual privacy (Convention no. 108 of the Council of Europe8, Directive 95/469 or Article 8 of the European Charter of Human Rights10) which while remaining concerned with data and its nature, focus on data processing. The processing of personal data gives rise to a disparity of information between the party processing the data and the person to whom that data relates. The disparity results in an imbalance of power to the detriment of the person whose data is being processed. The emphasis is now on rules governing data processing and the need for transparency, in order to restore the balance and guarantee an informational right of self-determination for all11. The data no longer directly concerns the actual person - but an object belonging to them. 12. This allows monitoring indirectly but with certainty, the behavior of the object’s owner and even predicting future behavior through an analysis of the latter’s habits. The example of the RFID chip speaks volumes in this regard. The route taken by anyone carrying a card fitted with this type of chip can be tracked easily. All they need to do is walk in front of terminals fitted with the same technology. The technology records habits without any visible physical contact between the reader and the tag; the card-holder may remain blissfully unaware of this happening. Notably, this allows creating made-to-measure advertising and knowing where and when to display it. In fact, imagine the owner of an RFID card bought a large number of books of the same genre at a bookshop. On walking past an RFID terminal at a bookshop in the same chain the card-holder is struck by an advertising message recommending them to purchase a particular book in the same genre! Better still, a discount voucher could be displayed for an item not usually purchased by the card holder, in order to optimize the marketing budgets: why grant a reduction for an item the card-holder will to all intents and purposes, purchase? The technology can thus anticipate and create expectations in the consumer…. Calling key concepts into question Life-changing technology… The “Internet of Things” is based on technology with acronyms like RFID (for Radio Frequency Identification) chips, geo-location via GPS (for Global Positioning System) or NFC (Near Field Communication) etc. This “ambient intelligence" technology creates a new type of data or even a new generation of data. The data is linked to possession of an object belonging to a person. … revolutionizing the law! The law must in turn adapt to the new technological developments. At present, the second-generation of data protection regulations appears powerless to regulate the "Internet of Things". The protection of individual privacy will henceforth be achieved through the “protection of objects-related data”. Those responsible for processing data are no longer concerned as to the identity of the subject (if they were in fact, ever so concerned), for the technology now allows achieving far more efficient results without the unique identifier of personal identity. Without "identifiability" at the centre of the definition of personal data13, the second-generation of laws are not applicable. 8 The Convention of 28 January 1981 on protection from the automated processing of personal data conventions.coe.int/Treaty/EN/Treaties/Html/108.htm. 9 Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJEC L 281, 23 November 1995, 31–50 ; www.eur-lex.europa.eu. 10 Charter of Fundamental Rights of the European Union, OJEC C 303, 14 December 2007; www.eur-lex.europa.eu. 11 Right enshrined by the Karlsruhe Federal Constitutional Court 15 Dec.1983, EuGRZ, 1983, 588 and f. On this decision, see Riedl, E.H., "New bearings in German Data Protection", Human Rights Law Journal, 1984, Vol. 5, no.1, 67 and s; Brouwer, E., Digital Borders and Real Rights, Nijmegen, Wolf Legal Pub, 2007. On 27 February the German Federal Constitutional Court recalled this decision and on the basis of the same reasoning, proclaimed a new constitutional right: "the right to guaranteed confidentiality and integrity of information systems" (Das Recht auf gewâhrleistung der vertraulichkheit und integrität informationtechnischer Systeme) MMR, 2008, 303 with a critical note from Hoeren, T., (MMR, 2008, 366); RDTI, 2009/34, http://www.rdti.be with a note from De Hert, P., de Vries, K., and Gutwirth, S. The issue of the subject’s consent is also central to the "Internet of Things". In fact, with the arrival of personal data protection consent to process personal data was obtained from the subject, prior to collection of the data. With the emergence of “ambient intelligence”, consent is no longer sought systematically for each processing event on the pretext of increased convenience. In fact, compiling data is performed more insidiously - without consulting the subject. The data is gathered from an object owned by them. Thanks to this technology, the data processer can 12 In fact, in the Internet of Things, the data collected are not personal except by a consequential effect. The data refers to an object, itself linked to the person possessing it. 13 Article 2, a) of Directive 95/46. 87 today dispense with the consent of the subject to the collection of data and the latter thus forfeits control over the information14 they wish to provide. Again, the case of the RFID chip15 illustrates the argument very well. The technology is already widely installed, facilitating an analysis of its impact in the legal context. Consider, for example RFID chips incorporated in the satchels of children attending school nurseries in order to monitor their attendance and then bill the parents accordingly. Another example which comes to mind is the “Mobib” travel card issued by the Brussels public transport company, also fitted with a RFID chip to speed up and facilitate the throughput of passengers and payments for tickets. In both cases, what consent does the subject give? Is it really “informed”? Even leaving out the issue of the position of the children involved 16, the parents do not really have many options other than to accept the chip, unless they send their child to another nursery. The same situation applies to the commuter. Consent, given once for the “insertion” of the chip in casu, is not subsequently repeated. As a result, the incorporation of new technology in daily life becomes ever more commonplace, in the name of increased convenience.17. Confronted by the changes, the concept of “consent” - central to the right to privacy in personal life - must be reviewed as part of the process. The European Commission’s action plan as a premise of additional protection for individual privacy The European Commission considers that RFID technology and the “Internet of Things” are factors promoting growth and employment, capable of improving the quality of life and improving efficiency. Notably in the fight against counterfeiting, the management of electronic waste and hazardous substances. Yet the Commission has not closed its eyes to the collateral damage the arrival of this technology could cause. Its ambition is thus to control the emergence of the phenomenon so the ethical aspects are taken into consideration, ensuring the Internet of Things is an “Internet of Things for Individuals”. In a communication dated 15 March 200719 the Commission stated further details and information would be provided on the issues of data protection and individual privacy raised by RFID applications. This was accomplished by the recommendation of 12 May 2009 on implementing the principles of respect for individual privacy and data protection in radiofrequency-based identification applications.20. On 18 June 2009 the Commission also adopted a communication entitled “The Internet of Things – an action plan for Europe”21, which seeks to address all the consequences of the emergence of the Internet of Things. In 2010 the Commission intends to publish a broader Communication on privacy and trust in the ubiquitous information society22. What solutions should we commit to? Should we envisage a technical solution to this technical problem18, a third generation of legislation as advocated by Yves Poullet? 14 In this connection: Rouvroy, A., and Poullet, Y., "The right to informational self-determination and the value of self-development. Reassessing the importance of privacy for democracy", Reinventing Data Protection, Netherlands, Springer, 2009, 45 and f. 15 DUMORTIER, F., "L’utilisation de la biométrie et des RFIDs dans le cadre de l’espace européen de liberté, de sécurité et de justice : une affaire de balance ou une question de dignité ?", ERA Forum 9.4 (2009). 16 On this topic see: Opinion of the Article 29 Group 2/2009 on the protection of personal data regarding children General principles and the special case of schools), WP 160 of 11 February 2009, ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/ wp160_fr.pdf. 17 Dumortier, F., Moiny, J.-Ph., Van Gyseghem, J.-M., Venet, O., Hertmans, O., and Laurent, M., "Un badge à l'école, la puce à l'oreille !", Le Soir, 25/09/2008, www.lesoir.be. 18 Poullet, Y., " La protection des données: un nouveau droit constitutionnel. Pour une troisième génération de règlementations de protection des données", 357. Yves Poullet quotes Clarke, C., "The answer to the machine is in the machine", in The future of Copyright in a digital Recommendation 2009/387/EC is of interest insofar as it is one of the first European documents 23 which, without environment, Hugenholtz, B., (ed. Kluwer), 1996, 139 and f. 19 "Identification by radiofrequency (RFID) in Europe: towards a political framework", COM(2007) 96 final, www.eur-lex.europa.eu. 20 Recommendation 2009/387/CE, OJEC L 122 of 16 May 2009, www.eur-lex.europa.eu. 21 COM/2009/0278 final, www.eur-lex.europa.eu. 22 COM/2009/0278 final, 6, www.eur-lex.europa.eu. 23 Yves Poullet see already in Directive 2002/58 of 12 July 2002 on the processing of personal data and the protection of individual privacy in the electronics communications sector, the forging of the third generation (Poullet, Y., collaboration Henrotte, J.-F., "La protection des données (à caractère personnel) à l´heure de l´Internet" in Protection du consommateur, pratiques commerciales et Technologies de l´Information et des Communications, CUP, LouvainLa-Neuve, Anthemis, March 2009, vol. 109, 231 and f. 88 being mandatory, is clearly moving towards a third generation of data protection for the retail trade. Retailers must conduct an assessment of the implications of the application implementation for the protection of personal data and privacy, including whether the application could be used to monitor an individual24. Whether or not there is a likely threat to privacy or to the protection of personal data, operators should inform individuals of the presence of tags that are placed on or embedded in products using a common European sign, developed by European standardisation organisations, with the support of concerned stakeholders25. immediately or at a later stage, deactivate or remove these tags29. Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer. This represents substantial progress, since unlike Directive 2002/5830 and its Article 5.3, the recommendation provides that consumers mindful of the need to protect their privacy, should not be penalized. Conclusions The Commission then details implementing consumers’ right to the “silence of the chips”26 . If the privacy and data protection impact assessment concludes that tags that are used in a retail application and would remain operational after the point of sale represent a likely threat to privacy or the protection of personal data, retailers are obliged to deactivate or remove the tags at the point of sale, immediately and free of charge for the consumer, unless consumers, after being informed of the policy, give their consent to keep tags operational. The deactivating of tags shall not require the active involvement of the consumer27. Even if the privacy and data protection impact assessment concludes that tags that would remain operational after the point of sale do not represent a likely threat to privacy or the protection of personal data, retailers 28 should make available free of charge an easy means to, Most players and authors concur in acknowledging that the Internet of Things poses a threat to individual privacy and the right to informational self-determination and that the present protection measures cannot remedy the situation given, inter alia, their restricted scope of application. The technology itself may afford a partial solution to the difficulties and threats it poses (for example, through the option of deactivating the chips) but it must be controlled (if the faculty exists, it must be clearly notified and not seek refuge behind non-use of the faculty). For the moment, no doubt in response to constant complaints about over-regulation, the European Commission is not legislating, but restricting itself to issuing recommendations to Member States and companies. Why not? The Commission will reassess the recommendation’s impact in three years’ time. Whether by self-regulation or legislation, the new practices created by this increasingly omnipresent technology must be controlled. The third generation of data protection (no longer exclusively for personal data) will not replace earlier ones but supplement them and adapt the law to changing technological practices 31. 24 Para. 5 of the recommendation. Para. 9 of the recommendation. Para. 7 of the recommendation, more ambiguous, since it provides this obligation "without prejudice to the obligations of data controllers, in accordance with Directives 95/46/EC and 2002/58/EC", presages the policy of a concise, accurate and easy to understand information policy to operators indicating the data that may be processed using the application, “in particular if personal data will be processed” and whether the location of the tags will be monitored, indicating that the information policy would apply even if there is no processing of data of a personal nature. 26 Expression borrowed from the communication "The Internet of Things - an action plan for Europe", COM/2009/0278 final, 6, www.eur-lex.europa.eu. 27 Para. 11 of the recommendation. 28 Only retailers processing data are covered by this provisions pursuant to para. 14 of the recommendation. Under the terms of para. 3.e) “‘operator’ means the natural or legal person, public authority, agency, or any other body, which, alone or jointly with others, determines the purposes and means of operating an application, including controllers of personal data using an RFID application”. 25 Acknowledgments The author is especially grateful to Fanny Cotton, Jessica Dallapicolla and Alexandre Cassart for their collaboration for this paper. 29 Para. 12 of the recommendation. Directive 2002/58 of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJEC L201, 31 July 2002, 37-47 ; eur-lex.europa.eu. 31 Poullet, Y., "La protection des données: un nouveau droit constitutionnel. Pour une troisième génération de règlementations de protection des données", 356. 30 89