Internet of Things (IoT) Legal Issues: Privacy and Cybersecurity

Warsaw IT & Privacy Seminar

Internet of Things and the legal issues

Dariusz Czuchaj, Senior Associate

Karol Laskowski, Senior Associate


IoT and the expectations

2015

Source: Gartner Inc. : http://na2.www.gartner.com/imagesrv/newsroom/images/HC_ET_2014.jpg

What is „Internet of Things”?

• uniquely identifiable embedded computing devices

• directly or indirectly process data

• connected to telecommunication networks

Categories of data

• Related to a thing/state

• Related to a person

• Related to a person’s health, etc.

Applicable laws

• Protection of personal data

• Telecommunication laws

• Cybersecurity

• Ownership

Personal data

What is personal?

Personal data: „any information relating to an identified or identifiable natural person”

Sensitive data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, concerning health or sex life.

Is it personal? Is it sensitive?

IP address

Device fingerprint

Location

Voice sample

Daily number of steps

Sleep pattern

House energy use pattern

When is data no longer „personal”?

Can we get rid of „personal”?

Pseudonymous data

Anonymous data

ISO 29100:2011

Are you sure the data is anonymous?

Am I a data controller? (1)

Data controller vs data processor

Many actors processing the data

What does your DPA think about it?

Article 29 Working Party Opinion on the recent developments on the Internet of Things

• Most of the actors classified as data controllers

• Consent of a data subject

• „legitimate interest” – likely to be insufficient

• Right to access to data includes „raw data”

Draft of the New Data Protection Regulation (1/2)

• Application to non-EEA countries

• Penalties

• Data subject may claim for a monetary compensation

• Profiling framed

Draft of the New Data Protection Regulation (2/2)

• Data breach notification

• Certification

• One-stop shop

• Coming into force – 2017?

Telecommunication

Telecommunication

Providing the services by „permanent roaming”

Using the frequencies for M2M data transfers

Numbering issue – IP or separate numbering for M2M?

Regulatory issues – data retention

Cybersecurity

NIS Directive Draft (1/2)

Critical infrastructure providers

Cloud computing, social media providers?

New obligations:

• Notification of critical incidents

• Obligatory external audits of cybersecurity

• Obligatory documentation

• Penalties for non-compliance

NIS Directive Draft (2/2)

Pros and cons of the new regulation

Legal obligation = clear basis for IT spending on cybersecurity solutions

Are the written policies really helpful?

(re)Structuring your agreements

• agreements should oblige software vendors to:

  • update software permanently

  • deliver updates immediately upon reported security issues

  • access to code:

    • Plan B (1) – escrow of source code in case of failure to react

    • Plan B (2) – consider use of Open Source

* need for indemnification clauses in the supply chain

Ownership of data

Harvesting Data

• American Farm Bureau Federation:

  „Companies that are collecting these data may be able to see how much grain is being harvested, minute by minute, from tens of thousands of fields. That's valuable information.”

Harvesting Data

• No clear answers but …

• Existing EU Directive on database protection

• New type of vendor lock-in – business data

• Structuring of an effective agreement

Thank you

Dariusz Czuchaj, Senior Associate, IT & Data Protection lawyer

Karol Laskowski, Senior Associate, TMT lawyer