Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Regulators Announce International Investigation into Practices of Internet Connected Devices

shutterstock_314652596A number of data protection authorities (DPAs) around the globe have issued press releases confirming their involvement in the 2016 global privacy “sweep”, which kicked off on April 11th.  This year’s initiative involves a coordinated investigation by 29 DPAs into the practices of internet-connected (Internet of Things or IoT) devices, such as fitness and health trackers, thermostats, smart meters and TVs and connected cars.  The work is being coordinated by the Global Privacy Enforcement Network under the leadership of the UK Information Commissioner’s Office.

According to a press release issued by the Office of the Privacy Commissioner of Canada, each of the DPAs will focus on accountability but will have the flexibility to choose a category of products and a preferred approach.  For example, some DPAs will purchase products and conduct a first-hand, out of the box, assessment of privacy communications in practice against what companies’ communications say is being collected.  Others will examine the privacy information that is available on manufacturers’ websites and may contact manufacturers, retailers and / or data controllers directly with specific privacy questions or concerns.

The DPAs identified below have announced the following areas of focus:

  • The French DPA will focus its investigations on home IoT devices (including connected cameras), health devices (e.g. scales, blood pressure monitors), and fitness trackers.  Their audit will look at the quality of transparency information provided to individuals, the security of devices, and the degree of user control.
  • The Belgian DPA will review privacy communications on the websites of smart metering systems.
  • The Italian DPA will focus on household objects, looking at companies’ transparency in the use of personal data and their compliance with data protection rules.
  • The Gibraltar Regulatory Authority will focus on the quality of information given to users in relation to the processing of their data in the context of smart electricity meters, internet-connected thermostats and watches that monitor health.
  • The Office of the Privacy Commissioner of Canada (OPC) will focus its efforts on health devices (e.g. fitness trackers, smart scales, and sleep monitors).

According to the OPC, the goal of the international sweep is to “increase public and business awareness of privacy rights and responsibilities, encourage compliance with privacy legislation, identify concerns that may be addressed through targeted education or enforcement and enhance cooperation among privacy enforcement authorities“.

The results of the sweep are due to be published in September but, at any point, participating DPAs may use findings made in connection with the sweep to undertake outreach or enforcement action against businesses that fall short of the required standards.