Warsaw IT & Privacy Seminar
Internet of Things
and the legal issues
Dariusz Czuchaj, Senior Associate
Karol Laskowski, Senior Associate
IoT and the expectations
2015 2
Source: Gartner Inc. : http://na2.www.gartner.com/imagesrv/newsroom/images/HC_ET_2014.jpg
What is „Internet of Things”
• uniquely identifiable embedded computing devices
• directly or indirectly process data
• connected to telecommunication networks
Categories of data
• Related to a thing/state
• Related to a person
• Related to a person’s health, etc.
Applicable laws
• Protection of personal data
• Telecommunication laws
• Cybersecurity
• Ownership
Personal data
What is personal?
Personal data: „any information relating to an identified or identifiable natural person”
Sensitive data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, concerning health or sex life.
Is it personal? Is it sensitive?
IP address
Device fingerprint
Location
Voice sample
Daily number of steps
Sleep pattern
House energy use pattern
When is data no longer „personal”?
Can we get rid of „personal”?
Pseudonymous data
Anonymous data
ISO 29100:2011
Are you sure the data is anonymous?
Am I a data controller? (1)
Data controller vs data processor
Many actors processing the data
What does your DPA think about it?
Article 29 Group Opinion on recent developments of the Internet of Things
• Most of the actors classified as data controllers
• Consent of a data subject
• „legitimate interest” – likely to be insufficient
• Right to access to data includes „raw data”
Draft of the New Data Protection Regulation (1/2)
• Application to non-EEA countries
• Penalties
• Data subject may claim monetary compensation
• Profiling framed
Draft of the New Data Protection Regulation (2/2)
• Data breach notification
• Certification
• One-stop shop
• Coming into force – 2017?
Telecommunication
Telecommunication
Providing the services by „permanent roaming”
Using the frequencies for M2M data transfers
Numbering issue – IP or separate numbering for M2M?
Regulatory issues – data retention
Cybersecurity
NIS Directive Draft (1/2)
Critical infrastructure providers
Cloud computing, social media providers?
New obligations:
• Notification of critical incidents
• Obligatory external audits of cybersecurity
• Obligatory documentation
• Penalties for non-compliance
NIS Directive Draft (2/2)
Pros and cons of the new regulation
Legal obligation = clear basis for IT spending on cybersecurity solutions
Are the written policies really helpful?
(re)Structuring your agreements
• Agreements should oblige software vendors to:
  • update software permanently
  • deliver updates immediately upon reported security issues
• Access to code:
  • Plan B (1) – escrow of source code in case of failure to react
  • Plan B (2) – consider use of Open Source
* Need for indemnification clauses in the supply chain
Ownership of data
Harvesting Data
• American Farm Bureau Federation: „Companies that are collecting these data may be able to see how much grain is being harvested, minute by minute, from tens of thousands of fields. That's valuable information.”
Harvesting Data
• No clear answers but …
• Existing EU Directive on database protection
• New type of vendor lock-in – business data
• Structuring of an effective agreement
Thank you
Dariusz Czuchaj, Senior Associate, IT & Data Protection lawyer
Karol Laskowski, Senior Associate, TMT lawyer

Internet of Things (IoT) Legal Issues: Privacy and Cybersecurity