
IoT: legal issues in relation to privacy and security

Date post: 07-Jan-2017
Upload: johan-vandendriessche
Privacy Open Forum, Thursday, 8th of December 2016
Transcript
Page 1: IoT: legal issues in relation to privacy and security

Privacy Open Forum

Thursday, 8th of December 2016

Page 2

Brussels, 8 December 2016

Close

Page 3

IOT: PRIVACY AND SECURITY ISSUES FROM A LEGAL PERSPECTIVE

JOHAN VANDENDRIESSCHE

Page 4

Agenda

1. 18:30 Introduction
2. 18:45 IoT
3. 19:30 Break
4. 19:50 IoT
5. 20:45 Close

Page 5

GENERAL OVERVIEW

Page 6

Internet of Things (IoT)

• ITU IoT definition: “global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing interoperable information and communication technologies”
• Inconsistent approach in various definitions
  • Infrastructure
  • Devices

Page 7

Internet of Things (IoT)

• Examples
  • Smart cities
  • Wearables
  • Automobiles
  • Smart devices
  • Transport systems
  • Manufacturing
  • Smart metering
  • eHealth

Page 8

Overview of IoT legal issues

• Data protection and privacy
• Communications law
• Cybersecurity
• Cybercrime
• Intellectual property law
• Consumer and product liability law
• …

Page 9

DATA PROTECTION ISSUES

Page 10

Data Protection?

• Limitations in relation to the processing of personal data
• Very broad legal interpretation of the concept of personal data
  • Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
• Processing: “any operation or set of operations which is performed upon personal data […]”

Page 11

IoT Privacy Issues

• M2M communication: processing of personal data?
  • Is a natural person identifiable on the basis of information originating from devices?
  • Analogy with recent case law from ECJ (IP addresses)

Page 12

Data protection principles

• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) Transparency
  • Data quality
  • Data security

Page 13

IoT and the GDPR

• Stricter consent requirement
  • Implicit vs explicit consent
  • Mere silence is no longer sufficient
  • Separate consent per purpose
  • If written consent
    • Clear
    • Separate from other consents
• General right to withdraw consent
  • No motivation
  • As easy as giving consent

Page 14

IoT and the GDPR

• Privacy by design
  • Data controller
  • Appropriate technical and organisational measures
    • State of the art and cost of implementation
    • Nature, scope, purposes and risk
  • Integrate necessary safeguards to ensure compliance
  • Further guidance is expected

Page 15

IoT and the GDPR

• Privacy by default
  • Technical and organisational measures
  • Ensure only necessary data are processed
    • Amount
    • Extent of processing
    • Storage period
    • Accessibility
  • IoT consumer products issues

Page 16

IoT and the GDPR

• Data Portability
  • Processing based on consent or contractual necessity
  • Right to receive a copy of his personal data
    • Structured, commonly used and machine readable format
  • Right to transmit personal data to another controller without hindrance
    • If technically possible: direct transmission between controllers

Page 17

IOT AND BIG DATA

Page 18

What is Big Data?

• Exponential growth of data
  • Availability
  • Processing tools (‘automated use’)
• Evolution
  • (Manual) Small scale profiling
  • Data mining
  • Big Data
• Numerous applications
  • Detect general correlations and trends
  • Create specific, individual profiles

Page 19

Data protection issues?

• Purpose Limitation
  • Data collected for a specified, specific and legitimate purpose
  • Re-use for a different purpose?
    • Compatible or not?
    • Criteria
      • Nature of the purposes and their connections
      • Circumstances surrounding data collection
      • Privacy expectations of the data subjects
      • Personal data involved and impact on the data subject
      • Safeguards for fair processing
  • Specific framework for statistical processing

Page 20

Proportionality

• Processing must be limited to the personal data that is strictly necessary for the purpose
  • Do I need this personal data?
  • Big database containing a lot of information?
  • Combination of databases?

Page 21

Other issues

• Notice obligation
  • Specific information to be provided to data subjects
  • What is required in case of big data?
• Data quality
  • Impact of profiling may be substantial: impact on data quality requirements?
• Data Security
  • Big data = big impact of data breaches?

Page 22

Big data and GDPR

• Some issues
  • Restrictions in terms of automated decision making
  • DPIA
  • DPO
  • Data breach notification

Page 23

Data Protection Impact Assessment

• Impact assessment in relation to protection of personal data
• High risk
  • Systematic and extensive profiling
  • Processing on a large scale of special categories of data
  • Systematic monitoring of publicly accessible areas on a large scale
  • …
• Guidance from supervisory authority

Page 24

Data Protection Impact Assessment

• DPIA contents
  • Description of processing
  • Assessment of necessity and proportionality of processing
  • Assessment of risks
  • Measures to address risk
• If appropriate: involve data subjects or their representatives

Page 25

DPO

• Mandatory DPO?
  • Public authority or body
  • Core activity requiring regular and systematic monitoring of data subjects
  • Core activities consisting of processing on a large scale of special categories of personal data
  • Required by member state law
• Groups may designate a single DPO

Page 26

IOT AND END USER EQUIPMENT ACCESS

Page 27

Access to end user equipment

• Hacking: “the unauthorized intrusion in or maintenance of access to an IT system” (article 550bis Criminal Code)
• Internal hacking
  • Person with access rights who exceeds those rights
  • With a fraudulent purpose or with the purpose to cause damage
• External hacking
  • Person without access rights
  • Knowingly
• There is no requirement of breach of security measures

Page 28

“Cookie” legislation

• End user device
  • Storage of information
  • Access to stored information
• Informed consent requirement
• Exceptions
  • Communication service
  • Necessary for the provision of a service at the request of an end user
• Right to withdraw consent

Page 29

SECURITY ISSUES

Page 30

IoT security obligations

• Overview
  • General principles of cybersecurity
  • Critical Infrastructures legislation
    • General
    • NIS
  • Communications network security

Page 31

Legal Approach to Cyber Security

• Information Security: CIA
  • Availability and integrity of information systems and information
  • Exclusivity, confidentiality and protection of information systems and information
• Information security is a typical example of lagging legislation
  • High technical / organizational maturity
  • Low legal maturity

Page 32

Cybersecurity legislation

• No consolidated set of laws and regulations
  • Cybercrime
  • Data Protection
  • Secrecy of (electronic) communication
  • Intellectual Property Rights (copyright, patents, software …)
  • Critical Infrastructures
• General regulations and sector-based regulations

Page 33

Cybersecurity legislation

• Generic cyber security and/or information security law?
  • General due diligence and care obligation
  • (Indirect) Compliance obligation
  • (Indirect) Obligation to ensure information security?
• Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …
  • Contracts and policies often impose security rules in relation to IT

Page 34

Critical infrastructures

• EC Directive 2008/114/EC
  • Critical infrastructure and European critical infrastructure
    • Asset, system or part thereof
    • Essential
      • Societal functions, health, safety, security, economic or social well-being
    • Significant impact in case of disruption or destruction

Page 35

Critical infrastructures

• Sector limitation at the EU level
  • Energy
  • Transportation
• Broader scope in Belgium
  • Financial sector (NBB)
  • Telecommunications (BIPT)
• IoT may be covered depending on sector of application

Page 36

Critical infrastructures

• Obligation to implement an operator security plan (OSP)
  • Identification of critical infrastructure assets
  • Existing and planned security solutions
• Methodology
  • Identification of important assets
  • Conduct of a risk analysis
  • Identification, selection and prioritization of counter-measures and procedures
    • Permanent measures
    • Graduated measures

Page 37

Critical infrastructures

• EC Directive 2016/1148/EU – Network and Information Security
  • Obligations for member states: adoption of a national strategy for NIS & identification of operators of essential services
  • Obligations for operators of essential services and for digital service providers
  • Implementation deadline: 9 May 2018

Page 38

Critical infrastructures

• Key concepts
  • Network and information system (NIS)
  • Operator of an essential service
    • Service that is essential for the maintenance of critical societal and/or economic activities
    • Provision of the services depends on NIS
    • Incident would have significant disruptive effects
  • Digital service provider

Page 39

Critical infrastructures

• Security obligations of operators of essential services in relation to network and information systems
  • Risk management
    • Appropriate and proportionate technical and organizational measures to manage risk
    • Appropriate level of security in view of the risks, taking into account the state of the art
  • Incident management
    • Appropriate measures to prevent and minimize impact of incident affecting NIS used for essential services and to ensure continuity
  • Breach notification obligation in case of significant impact
    • Provided information is confidential
    • Public may be informed by the competent authority or CSIRT

Page 40

Critical infrastructures

• Security obligations of digital service providers in relation to network and information systems
  • Risk management
    • Focus on security, incident handling, business continuity management, monitoring, auditing and testing and compliance with international standards
  • Incident management

Page 41

Communications law

• Obligations
  • Information obligations in relation to security
  • Security obligations
  • Notification obligation
• Who?
  • Operators of public communication networks
  • Providers of public electronic communications services
• BIPT may issue binding instructions

Page 42

Communications law

• General security obligation
  • Appropriate technical and organisational security measures
  • Commensurate to the risks (taking into account the current state of technology)
  • Protect the service and/or the network
  • Mitigate impact on end users and interconnected networks
• Anti-spam service

Page 43

Communications law

• Personal data involved?
  • Access restriction (‘need to know’)
  • Stored data must be protected against unlawful processing
  • Security policy must be implemented
• Double use with data protection legislation?

Page 44

Communications law

• Network operators
  • Ensure integrity of their network to ensure continuity of services using these networks
  • Ensure to the greatest extent possible the availability of public telephony services over their network in case of network disruption or force majeure

Page 45

Contact details

Johan Vandendriessche
Partner – Crosslaw
Visiting Professor ICT Law – UGent
Visiting Professor ICT & Data Protection Law – HoWest
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be

Page 46

ISACA BELGIUM