According to the GDPR, lawful processing requires for a legal basis. If processing includes the type of activities that are included in the ePrivacy Directive (and in the future ePrivacy Regulation), the provisions made by this new tool will apply as soon as it will be adopted. An IoT should be able to distinguish between different individuals using the same system so that they cannot learn about each other’s activities without a legal basis that justifies such processing (most probably consent). Trust between actors must be based on the authentication of each IoT tool prior to communication and data access. Prevention of unauthorized objects and users from accessing a system can enhance confidentiality, and thus increase user trust. Defining the legal basis that applies to such processing is, therefore, key, to ensure the lawfulness of the processing. At the present moment, there are several legal bases for data processing that might apply well to IoT. These are: consent, performance of a contract legitimate interest and, of course, public interest, when we are talking about scientific research and innovation.
The draft of the ePrivacy Regulation[1] considers consent as the main basis for lawful data processing in the context of electronic communications, a circumstance that applies, for instance, in the case of IoT devices connected to the web. However, where a controller seeks to process personal data that are in fact necessary for the performance of a contract, then consent is not the most recommendable lawful basis and processing should be based on Article 6(1) (b).
Legitimate interest, on the other hand, is the most flexible legal basis for processing, but one cannot assume it will always be the most appropriate. The ICO considered that it is likely to be most appropriate where controllers use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.[2] However, it might happen that the criteria used by EU Member States DPAs are quite different. Thus, you should better ask your DPO about this issue.
A preliminary issue: do not forget that processing data of special categories is banned! Before processing data, controllers should make sure that they are not data of special categories. If this is not the case, they shall remember that article 9.1 of the GDPR vetoes such processing, unless any of the circumstances described in article 9.2 applies. Furthermore, controllers should keep in mind that most of these circumstances (consent is an exception) require that such processing is performed on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject. These safeguards might be pseudonimization, professional secrecy, or even more complex mechanisms if transfer personal data to a third country or an international organization is foreseen (see article 46 of the GDPR). |
References
1https://data.consilium.europa.eu/doc/document/ST-6087-2021-INIT/en/pdf ↑
2ICO: Legitimate interests, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ ↑