Interplay between GDPR and IoT
February 8, 2022
What is the Internet of Things (IOT)
Probably The Internet of Things is an expression familiar only to a small, somewhat niche group of people. IoT is simply a connected object that can make our lives easier or safer. We have IoT in practically all areas of our daily life from the “connected home” or domotics, to the leisure sector up to the health sector where information technology has strongly entered the field in the last years improving the life expectancy of patients but also the everyday life of ordinary people.
How does it work?
IoT plays a critical role in the current digital economy, enabling billions of connected devices to exchange data and powering artificial intelligence systems in many fields…
Smartphones too play an important role in IoT as many IoT devices can be controlled by an application on a smartphone.
IoT devices contain sensors and mini-computer processors that act on data collected from sensors through machine learning.
In this article, we will focus on one particular category of IoT, namely IoMTs (Internet of Medical Things) or healthcare IoT, how it relates to the EU General Data Protection Regulation (GDPR) as well as other privacy regulations.
IoMTs are all those devices and applications connected to IT through WIFI that enable machine-to-machine communication. We can consider them as a branch of IoT.
Examples of IoMT is remote patient monitoring and virtual visits of people with chronic or long-term conditions, tracking of patients’ medication orders, location of hospitalized patients in hospitals, etc.
In the field of patient care, a connected medical device should only be embraced with extreme prudence due to potentially safety vulnerabilities and risks to patient safety.
In this context, it’s important to understand how EU legislation protects personal data collected by those IoT devices.
IoMTs raise concerns for compliance with the principles related to the processing of personal data (Art. 5 of the GDPR). These principles are: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation and integrity and confidentiality. They must be evaluated considering the responsibility of the Data protection by design and by default (Art. 25) and the Security of processing (Art. 32). The most tool to evaluate the concerns is certainly the Data Protection Impact Assessment (DPIA).
The DPIA it is clear that a risk management assessment is a crucial tool to assess the risks associated to the use of IoT devices, manage and mitigate (or even eliminate) these risks to one of the primary goals of the DPIA, ensure the protection of the fundamental rights and freedoms of individuals which for the regulation is more important than creating or protecting value.
In light of privacy concerns mentioned above, and in relation to the characteristics of IoMT elements that enable applications and services to aggregate and manage data at every level of data generation, it is strongly recommended to carefully assess the risks to data subjects and conduct a DPIA that covers all the stages of the personal data lifecycle with a focus on the purpose of processing and the risk of re-identification of data subjects.
Data encryption is an essential safeguard for medical devices, especially cardiac devices. As the transferred data flows containing patient information are encrypted, and transferred privately, the possibility of access by a hacker is rendered much more challenging.
82% of healthcare organizations have faced a cyberattack on their IoT devices .
The interaction between GDPR and IoT becomes more complicated when considering the role qualification of the parties involved in a specific processing activity, especially that of the Data Controller and the Data Processor.
For example, as per Working Party 29’s opinion on IoT (8/2014),
- A device manufacturer that develops the operating system or defines the main features of the software will be considered as a Data Controller.
- A third-party app developer will be considered as a Data Controller when creating interfaces that enable data subjects to have access to their data when it is held by the device manufacturer.
What about special categories of personal data?
IoT applications may, accidentally or not, directly or indirectly process special categories of data (e.g. smart wearables, capable of inferring the health or well-being of the data subject). For this use (process), explicit consent under Article 9(2) of the GDPR must be considered.
Medical Device Regulation (MDR) (EU) 2017/745
As a support to the European regulation on data protection concerns (GDPR), we have to consider the Medical Device Regulation (MDR) issued by the European Parliament concerning medical devices.
Under the MDR an IoT has to respect Art. 2 of MDR, must be submitted to the examination of the European Commission which after obtaining an advisory opinion of the Medical Device Coordination Group, will define whether the IoT is a medical device or an accessory for a medical device. Obviously from this definition will derive the type of personal data that will be collected and the measures that the manufacturer will have to put in place to be compliant with the GDPR after performing the DPIA.
Medical Device Regulation (MDR) by May 26, 2021
EU General Data Protection Regulation (“GDPR”), 2016/679
Opinion (8/2014), 16 September 2014 and Article 29 Working Party press release, 22 September 2014.