IoT and data protection

In addition to the above-mentioned concerns, the heterogeneous nature of the IoT and its critical use make cybersecurity an essential aspect, that is even more important when considering that every IoT developer deals with supply chain activities aiming at transforming raw materials and components into a finished IoT product. In this context, it is therefore essential to identify and implement privacy by design and by default measures.

Blockchain in IoT

In brief, a blockchain is a decentralised system (i.e., there is no master computer managing the entire chain), keeping a record of an ever-growing set of data. Given that the database can only be extended and previous records cannot be changed, blockchain technologies are deemed immutable and secure.

IoT presents security concerns that can be addressed by the blockchain. In particular, the use of a private permissioned blockchain system (i.e., a special-purpose blockchain implementation that only works within a given system) provides immutable auditability and traceability properties to the data under management.

However, while securing the processing of users’ personal data, the use of blockchain involves risks in relation to the GDPR requirements. In particular, the “immutability” of the data, implied in the very nature of the blockchain, constitutes a critical point of tension between such technology and the provisions of the GDPR such as, inter alia:

1. Purpose limitation and data minimisation principles pursuant to Article 5 of the GDPR, specification principle, according to which personal data must only be collected for specified, explicit and legitimate purposes and shall be adequate, relevant and limited to what is necessary in relation to these purposes. In the case of blockchain technology, the problem arises because once added to the database, the data will always continue to be processed;
2. The possibility of exercising rights that the GDPR grants to data subjects and which should always be exercisable by them, including the right to rectification (Article 16, GDPR) and the right to erasure (so-called “right to be forgotten” pursuant to Article 17, GDPR).

Using AI technologies in IoT devices

Artificial Intelligence (AI) is a set of technologies that combines data, algorithms and computing power. As pointed out by the EU Commission in its “White Paper on Artificial Intelligence”, the latter is rapidly developing and is going to transform the pattern of society and the way people act in it, improving, for example, health care and increasing the safety of citizens. In this regard, the European Parliament has pointed out that the increasing use of AI systems also entails risks, including threats to fundamental rights, including:

1. The risk that a bias (unconsciously set by the programmers) negatively influences machine learning and then affects the AI results (e.g., the AI could “make decisions” influenced by ethnicity, gender, age, etc.);
2. The opacity of the algorithms: the steps through which the data are interpreted are not always explainable (transparent);
3. Privacy and sharing of data, given that the AI feeds on data which is indispensable for the training of the machine;
4. Consent and autonomy: the data subject must be adequately informed of the technology and of the developments it may have. Moreover, the comprehensibility of what is being communicated must be guaranteed.

Back in 2018, the European Commission set out its vision of ethical, safe and state-of-the-art AI “made in Europe”. To support the implementation of this vision, the Commission has set up a High-Level Expert Group on Artificial Intelligence, which has developed the “Ethics Guidelines for Trustworthy Artificial Intelligence”, with the aim of promoting trustworthy AI. Starting from a fundamental rights-based approach, the Group identifies ethical principles and values that must be respected in the development, deployment and use of AI systems.

In particular, the Group provides key indications (such as paying special attention to situations involving vulnerable subjects, taking appropriate measures to mitigate risks, etc.), as well as indications on how to achieve reliable AI by listing seven requirements that AI systems should meet, namely:

1. human intervention and surveillance;
2. technical robustness and security;
3. confidentiality and data governance;
4. transparency;
5. diversity;
6. non-discrimination and fairness
7. social and environmental well-being;
8. accountability.

Finally, it should be noted that in the context of the European Strategy for AI, the European Commission published, last 21 April, a proposal for a Regulation on the European approach to AI, proposing a European legal framework on AI.

IoT medical devices and the processing of health data

The IoT nowadays covers all everyday tools that have become smart with the technological evolution, incorporating smart sensors collecting a wide variety of information and transmitting it to the network. In medicine, this trend – so-called “digital health” – refers to sensors that detect real-time information from the human body (heartbeat, temperature, movement, etc.).

On one hand, digital health makes healthcare better, safer and more efficient, enabling new ways of management of individuals’ health. On the other hand, however, the continuous monitoring of patients’ conditions underlies many risks to their rights and freedoms (e.g., in relation to the consequences of incorrect monitoring due to the collection of inaccurate, incomplete, ambiguous or contradictory data). The need to address such risks is even more important when considering that the use of medical IoT systems involves the processing of health-related data, which therefore falls into the special categories of personal data under Article 9 of the GDPR.

Drones and facial recognition mechanisms

From a perspective focussing strictly on data protection, drone operations can be classified into two main categories: the purpose of the operation involving personal data processing, on one hand, and, on the other hand, operations whose purpose does not include the processing of personal data.

With specific reference to the first type of operations, it must be noted that drones are combined with applications such as cameras or video cameras and might also record the images, through software to process the video images, which might have further applications (including high power zoom, facial recognition, behaviour profiling, movement detection, night vision, GPS systems processing the location of the persons filmed, etc). This implies the collection, recording, organisation, storing, use and combination of data allowing the identification of persons.

It must be noticed that regulations for the use of airspace apply in parallel with personal data protection regulations such as the EU Regulations 2019/947 and 2019/945, setting out the framework for the safe operation of civil drones in the European skies through a risk-based approach.

In particular, this balance should take into account national security strategies and the necessity not to step back in the protection of privacy and security of the individuals. This is a crucial issue as new technologies (and, among them, drones) may impact several individual aspects.

This precondition and the potential clash between the fundamental rights of the individuals and the necessity of the European Union and of the member States to monitor the emerging threats to security has guided the approach of ARCADIAN-IoT and its legal and ethical outcomes.

According to EU Regulations 2019/947 and 2019/945, there is no distinction between leisure or civil, commercial drone activities. What is relevant for the EU regulations is the weight and the specifications of the civil drone as well as the operation it is intended to conduct.

Regulation (EU) 2019/947, which is applicable since 31 December 2020 in all EU Member States, including Norway and Liechtenstein, caters for most types of civil drone operations and their levels of risk. It defines three categories of civil drone operations:

1. The “open” category (Article 4) addresses the lower-risk civil drone operations, where safety is ensured provided the civil drone operator complies with the relevant requirements for its intended operation. This category is subdivided into three subcategories, namely A1, A2 and A3. Operational risks in the open category are considered low, and, therefore, no operational authorisation is required before starting a flight;
2. The “specific” category (Article 5) covers riskier civil drone operations, where safety is ensured by the drone operator by obtaining an operational authorisation from the national competent authority before starting the operation. To obtain the operational authorisation, the drone operator is required to conduct a risk assessment, which will determine the requirements necessary for the safe operation of the civil drone(s);
3. The “certified” category (Article 6), in which the safety risk is considerably high; therefore, the certification of the drone operator and its drone, as well as the licensing of the remote pilot(s), is always required to ensure safety.

The regulation also emphasises that all drone operators and remote pilots must comply with European and national rules regarding privacy and data protection. The drone operations must be carried out with minor interference with the privacy and personal data of individuals on the ground, and any personal data collected must be handled in compliance with the principles, requirements and individual rights laid down in the GDPR.

Processing of special categories of personal data under GDPR

As stated in the previous paragraphs, components processing special categories of personal data pursuant to Article 9, GDPR will also be used in ARCADIAN-IoT activities. This applies specifically to biometrics components identifying persons through face recognition AI and to health data processed by the IoT medical devices.

Both biometric and health data fall within the special categories of personal data regulated by Article 9, GDPR which states that “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited” unless one of the conditions laid down in Article 9(2) is met and, in particular, if the data subject has given explicit consent or if the processing.

While processing this type of data, it is important to keep in mind that the risk-based approach of the GDPR requires data controllers to use greater care because collecting and using it is more likely to interfere with these fundamental rights or open someone up to discrimination.

The involvement of minors

Particular protection is necessary when collecting and processing children’s personal data, because they may be less aware of the risks involved.

Protection of children’s data in the GDPR

GDPR provides guidance for specific circumstances and risks related to children when their personal data is collected and processed, emphasising the need for clear communication with children about the processing of their personal data and the related risks. Moreover, the GDPR recognises the possibility for children to exercise their data protection rights.

As mentioned, the GDPR requires data controllers and processors to implement higher standards of protection when processing children’s personal data. In particular, Recital 38 states that “children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply […] when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child”.

Given that children merit specific protection, Recital 58 provides that “any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand”.

Legal bases for processing children’s personal information

Under the GDPR, data controllers have an obligation to process personal data with a legal basis, irrespective of whether it belongs to a child or an adult. Article 6 of the GDPR sets out the six possible legal bases for processing personal data, i.e.:

1. Performance of a contract or taking steps to enter into a contract;
2. Compliance with a legal obligation;
3. Protecting vital interests of a data subject or another person;
4. Performance of a task carried out in the public interest or through official authority;
5. Legitimate interests of the data controller or another party; and
6. The consent of the data subject.

In particular, under Article 6(1)(a) of the GDPR, the processing is lawful if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”, consent that must be freely given, specific, informed and unambiguous made by way of a clear statement or affirmative action by the data subject.

While processing children’s personal data, data controllers should ensure that the children are given a real choice over how their personal data is used and that they have the capacity to understand exactly what it is they are consenting to, relying on:

1. Age;
2. Any imbalance of power that might be inherent in their relationship with the child.

Finally, special restrictions apply where organisations provide online services: in fact, Article 8 in combination with member States law sets limitations as to the minimum age upon which online service providers can rely.