Without the use of personal data, there is no viable business model for the Internet of Things. Yet consumer confidence still has to be built. Can the law resolve this paradox? Answers from Olivia Luzi, a lawyer specialising in new-technology law.
Worried, but not naive: consumers have a complicated relationship with the exploitation of their personal data. A study commissioned by Intel Security shows that 81% of French people fear that the data collected by their connected objects will be used for marketing purposes, and 90% are concerned about hacking. At the same time, more than 6 in 10 would be prepared to sell or exchange such data.
“Stroke of luck: legislators are at least as concerned as consumers about the issue, and a legal framework for the protection of personal data is in place,” explains Olivia Luzi, an associate lawyer at Feral-Schuhl / Sainte-Marie, one of the law firms at the forefront of new-technology law.
With the rise of connected objects, citizens will face an unprecedented collection and exploitation of their personal data. Are they properly protected?
The French Data Protection Act (loi Informatique et Libertés), recently supplemented by the European regulation adopted in April, whose entry into force has been postponed to 2018, forms a legal framework that addresses the essential issues related to personal data: there is no legal “vacuum”. Among the main guarantees provided by this legal regime is the fairness of data collection by connected objects: it must be proportionate and relevant to the intended use.
In other words, application designers who collect and process personal data cannot reason along the lines of “I’ve opened my service, I collect many types of information about users, and we’ll see later what we can do with it.”
This is all the more true since the proportionality and relevance of the data collected in relation to the intended use (the purpose of the processing of personal data) is reinforced by the European data protection regulation, which introduced two fundamental concepts to be taken into account: “privacy by design” and “privacy by default”.
What do these two concepts mean?
The concept of “privacy by design” presupposes that privacy and data protection issues are built into the design of a connected object or service. The concept of “privacy by default” means that, by default, the service must be “set” to the level most protective of the consumer. In other words, the consumer is only required to share the minimum information necessary.
What means do the authorities have to ensure that these obligations are actually respected?
The processing of personal data must normally be the subject of notification formalities or, for certain more sensitive processing, of a request for authorisation from the supervisory authority (such as the CNIL in France).
The European regulation is based on a logic of corporate accountability that will now exempt companies from these notifications to the supervisory authorities once the regulation takes effect in 2018. To accompany this exemption from notification, the tasks and powers of the supervisory authorities will be strengthened.
Today, the supervisory authorities can already conduct audits, and they do so every year. The CNIL (Commission nationale de l’informatique et des libertés) is particularly attentive to processing carried out by connected objects: as part of the Internet Sweep Day, it planned to launch a large-scale inspection of various websites and connected objects.
The agency will in particular be able to verify three essential elements. First, is the information provided to users sufficiently clear and precise? Second, is the level of security of data flows satisfactory? Finally, what degree of control does the user have over their data? They must explicitly give their consent, be able to configure access to their data, and the data must be “purged” after a reasonable period of time.
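As an added illustration (not part of the interview, and not code from any of the parties mentioned), the following Python sketch shows what the “privacy by default”, consent and retention points above look like when a connected-object service is actually implemented: optional purposes start switched off, only fields covered by a consented purpose are kept from a device event, and records older than the retention window are purged. The purpose names, field names and sample event are constructed for the example.

```python
"""Added illustration: privacy-by-default data minimisation, explicit consent
and retention purge for a hypothetical connected-object service.
Purposes, field names and the sample event are constructed, not real."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Each declared purpose lists the only fields it justifies collecting.
# Anything not covered by an enabled purpose is never stored.
PURPOSES = {
    "core_service": {"device_id", "firmware_version"},   # needed to run the service
    "analytics": {"usage_minutes", "error_count"},
    "marketing": {"email", "postcode", "location_history"},
}


@dataclass
class UserSettings:
    # Privacy by default: every optional purpose starts off; only core_service is on.
    consents: dict = field(
        default_factory=lambda: {p: (p == "core_service") for p in PURPOSES}
    )
    retention_days: int = 30  # "reasonable period" after which records are purged


def allowed_fields(settings):
    """Union of the fields justified by the purposes the user has consented to."""
    allowed = set()
    for purpose, enabled in settings.consents.items():
        if enabled:
            allowed |= PURPOSES[purpose]
    return allowed


def minimise(raw_event, settings):
    """Drop every field the user's consents do not cover (data minimisation)."""
    keep = allowed_fields(settings)
    return {k: v for k, v in raw_event.items() if k in keep}


def grant_consent(settings, purpose):
    """Explicit opt-in: only a known, declared purpose can be enabled."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    settings.consents[purpose] = True
    return settings


def purge_expired(records, settings, now):
    """Keep only records younger than the user's retention window."""
    cutoff = now - timedelta(days=settings.retention_days)
    return [r for r in records if r["collected_at"] >= cutoff]


def demo():
    """Walk through the three controls on a constructed device event."""
    now = datetime(2016, 6, 1, tzinfo=timezone.utc)
    raw = {  # constructed event as a device might send it before minimisation
        "device_id": "dev-001",
        "firmware_version": "1.2",
        "usage_minutes": 42,
        "email": "user@example.com",
        "location_history": [(48.85, 2.35)],
    }
    settings = UserSettings()
    before = minimise(raw, settings)        # only core fields survive by default
    grant_consent(settings, "analytics")
    after = minimise(raw, settings)         # usage_minutes now allowed, email still dropped
    records = [
        {"collected_at": now - timedelta(days=45), "data": before},  # older than 30 days
        {"collected_at": now - timedelta(days=5), "data": after},
    ]
    kept = purge_expired(records, settings, now)
    return before, after, len(kept)


if __name__ == "__main__":
    print(demo())
```

The point of the shape is that the allowlist is keyed by purpose rather than by field: a new collection need forces a declared purpose and an explicit opt-in, which is the reasoning the interview says designers can no longer skip.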
What happens if an inspection finds fault with the publisher of one of these services?
So far, it has to be acknowledged that the sanctions have not been dissuasive. Criminal sanctions (up to 5 years’ imprisonment and a €1.5 million fine for legal persons) are rarely applied, and administrative penalties of up to €150,000 have often remained low.
On this point, the European regulation brings a real change: fines can reach up to €20 million or 4% of the offending company’s worldwide turnover, it being specified that the supervisory authority may apply whichever of the two amounts is higher. In addition, it is not only the designer of the application, service or connected object that can be held liable: its subcontractors are also targeted.
What risks still weigh on consumer data today?
The main one is the security of the data and hacking. In a study conducted in 2014, Fortify, HP’s cyber-security division, found that of the ten connected objects audited, 70% did not encrypt the data exchanged with the network, 80% did not require a sufficiently complex password, and 60% did not offer a sufficiently secure web interface.
In the longer term, one of the main dangers I see relates to the use of connected objects and applications relating to health, and the use that insurance companies might make of the data thus collected.
Today, these apps are rather fun and appreciated by consumers. If in the future their use becomes more widespread, wouldn’t people who refuse to use them to justify their good health or lifestyle simply be excluded by their insurer, or be charged additional premiums?
In your view, what is missing for the consumer-protection arsenal to be complete?
Probably the development of standards, on the model of those established by ISO, which would make it possible to identify services that are exemplary in terms of the protection of personal data and compliance with the legislation in force. Compliance with such standards would reassure consumers, who are increasingly concerned about these issues. Such standards are likely to develop in the coming years.