'IoT' Devices Under The Regulatory Microscope

Author: Mr Philip Nolan and Jevan Neilan
Profession: Mason Hayes & Curran

Earlier this year, the Global Privacy Enforcement Network ("GPEN") published the results of its global privacy review of 'Internet of Things' ("IoT") devices. This annual review, dubbed the 'Privacy Sweep', found that many companies failed to explain to users how their personal data is collected, stored and safeguarded via devices that boast internet connectivity. GPEN found that companies demonstrating good privacy communication practices were in the minority.

With IoT devices becoming increasingly prevalent in everyday life, we examine the results of this Privacy Sweep and what they mean for IoT stakeholders.

What is GPEN?

GPEN connects data protection authorities ("DPAs") from around the world and aims to promote cross-border cooperation and the strengthening of privacy practices. GPEN comprises over 60 DPAs based in 39 jurisdictions and was established in 2010 as the result of a recommendation by the OECD.

Each year GPEN undertakes a Privacy Sweep, which targets a specific trend or issue. These have included reviews of mobile privacy in 2014 and children's apps and websites in 2015.

The IoT Sweep

25 DPAs from around the world examined the privacy communications and practices of 314 IoT devices in April 2016. The aim was to increase awareness of best practices and to encourage compliance with privacy legislation.

Each DPA chose a category of IoT device to review. This involved interacting with and using the device, examining the privacy notices that came packaged with it, and analysing the information provided on the device's website. In certain instances, DPAs also contacted the relevant organisations directly with questions related to privacy. This approach was aimed at recreating the consumer experience by requiring the DPAs to spend time checking the privacy performance of the device against a set of common indicators.

Connected toys, cars, TVs, wristwatches that monitor health, and smart household appliances were among the devices studied. In Ireland, the Office of the Data Protection Commissioner ("DPC") investigated 9 devices from the IoT environment, including smart electricity meters and fitness trackers. The DPC's national findings were broadly in line with global trends.


The results of the Privacy Sweep included findings, in respect of devices and/or organisations, that:

59% didn't adequately explain to customers how their personal data was collected, used and disclosed

68% failed to properly explain how...
