Brussels, 24 February 2017
Privacy legislation is struggling to keep up with technology. With IoT, where everything happens in real time, this will become even worse, warns Ivan Vandermeersch, a former communication adviser at the Cabinet of the Vice-Prime Minister of Belgium in charge of Telecommunication and Public Enterprises, and current secretary general of BDMA (Belgian Direct Marketing Association) in his paper The IOT privacy garden, available here for free.
Here a few excerpts:
Since 1992, Belgium has had legislation to guarantee the protection of individuals in respect of the use of their personal data. The obligation of transparency was introduced: the persons whose data are processed, must be informed, and the persons processing the data must communicate why they process the data. What can or must be done with the collected data was also established. That is why this legislation also specifically introduced the right to access the registered data, the right to rectify it, the right to object etc.
The new European Data Protection Regulation will be applicable in our country as of 25 May 2018.
Personal data relate to any information about an identified or identifiable natural person, such as a person’s name, a picture, telephone number, a code, a bank account number, an e-mail address, a fingerprint, … It is data regarding a person’s private life as well as data regarding a person’s professional or public life. This regulation explicitly only relates to data regarding a natural person, so not that of a legal person.
The new legislation applies as soon as the processing of personal data, even partially, takes places using automated processes. These automated processes relate to all information technologies: IT, telematics, telecommunication networks (the Internet). (…)
Smart objects are necessarily new channels for the surveillance of citizens, whether it is a smart phone a connected driverless car or a virtual reality headset. Other sensors also register where citizens are, what they are watching, how they are moving and even what they are saying or hearing. They lead to composed information relating to citizens’ privacy.
Both the current Belgian Privacy Act and the future European Privacy Regulation establish a number of conditions which must be met to arrive at this information.
Citizens must receive sufficient information about which data will be collected and who it will be shared with.
In our society, where technology suppliers are mainly non-European, it is to be expected that through IoT data will be sent to destinations outside Europe. In this context, additional care must be taken to ensure the legal protection of data and information relating to European citizens.
If data is sent to destinations outside Europe – which is more and more likely, because in this sector, too, the major suppliers are mainly non-European – there must therefore be additional safeguards to ensure legal protection of the data.
Out of 25 Internet giants, 15 have their headquarters in the United States, and only one of them is also established in Europe. Consequently, in the European Union there is an urgent need for a single legal framework with a single regulator instead of an ambivalent network of 28 countries which all have something to say. This is where the difference lies with the United States, where the same system is the basis for all states. [cfr: Verhofstadt, G.: De ziekte van Europa, De Bezige Bij, Amsterdam/Antwerpen, 2015, 117-126]
Enforcing this Belgian and European privacy legislation in an IoT environment is anything but simple, mainly because of the open nature of so-called smart objects: it is difficult to assess beforehand for which different purposes and where the information they generate will be used.
To read more: The IOT privacy garden