Abstract
The amount of data collected and processed by smart objects has increased exponentially over the last few years. The use of this technology, known as the Internet of Things or IoT, leads to new challenges and applications of existing data protection laws. Data resulting from the use of such technology has wide-ranging consequences for individual privacy as a large amount of the data in question is often personal in nature. However, the Internet of Things has a wider impact and also creates questions within such fields as contract law and intellectual property law, due in part to the lack of a clear property right to data. In addition, issues of data security are of importance when such technology is used, particularly when considering liability for data loss. This chapter will deal with the legal issues connected to the Internet of Things from a European perspective, taking into account existing laws and in light of the new European Data Protection Regulation. The underlying theme of the chapter focuses on the existence of legal rights to data created through the use of the Internet of Things and the various stakeholders that may have an interest in the data, from the service provider and the individual user, to intermediaries and those involved in allowing smart objects to fulfill their potential. The question of whether the legal challenges identified in the chapter can be overcome will also be addressed, along with the future role of law in the use and development of the Internet of Things.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
European Commission (2016), p. 22.
- 2.
Kuneva (2009).
- 3.
Massachusetts Institute of Technology’s Auto-ID (for Automatic Identification Center in Boston), at that time employee of Procter and Gamble.
- 4.
- 5.
The aim of the IERC is “to address the large potential for IoT-based capabilities in Europe and to coordinate the convergence of ongoing activities.” See www.internet-of-things-research.eu/index.html. Accessed 10 Jan 2017.
- 6.
See www.internet-of-things-research.eu/about_iot.htm. Accessed 10 Jan 2017.
- 7.
European Commission (2016), p. 6.
- 8.
DuBravac (2014), p. 4.
- 9.
Grützmacher (2016), p. 485.
- 10.
Rose (2014), p. 47.
- 11.
Verizon (2015), p. 4.
- 12.
IDC and TXT Solutions (2014).
- 13.
Gartner (2016b).
- 14.
ABI Research (2013).
- 15.
Cisco (2013), p. 2.
- 16.
Gartner (2016b).
- 17.
- 18.
Manyika et al. (2013), p. 12.
- 19.
Bradley et al. (2013), p. 1.
- 20.
Ernst and Young (2015), p. 11.
- 21.
Custers and Uršič (2016), p. 7.
- 22.
European Commission (2016), p. 26.
- 23.
See, e.g., European Commission (2016), pp. 31–32.
- 24.
See, e.g., European Commission (2016), p. 33.
- 25.
See, e.g., European Commission (2016), pp. 33–34.
- 26.
European Commission (2016), p. 35.
- 27.
See www.oascities.org. Accessed 10 Jan 2017.
- 28.
European Commission (2016), p. 22.
- 29.
For example, you can use a Belkin Wemo Switch to make your lights at home IoT compatible. The switch is added in between the power plug and the lamp and provides IoT connectivity, which means you can access your lights remotely and switch them on and off through an app on your smart phone. In addition, you can use a service such as IFTTT (If This Then That) to connect the lamp with the geolocation of your smart phone, so the lights are automatically switched on when you approach your house. See www.belkin.com/us/Products/home-automation/c/wemo-home-automation/, http://www.philips.co.uk/c-m-li/hue-personal-wireless-lighting and https://ifttt.com/. Accessed 10 Jan 2017.
- 30.
European Commission (2016), p. 22.
- 31.
Data processing is in practice a lot more complex, as the processes may be more intertwined and multifaceted. The legal analysis will, however, not necessarily differ as it still assumes the same types of processing.
- 32.
European Commission (2016), p. 4.
- 33.
European Commission (2016), p. 14.
- 34.
IDC and TXT Solutions (2014).
- 35.
European Commission (2016), p. 4.
- 36.
Alliance for the Internet of Things Innovation; see also European Commission, https://ec.europa.eu/digital-single-market/en/internet-things. Accessed 10 Jan 2017. AIOTI is now a European Association.
- 37.
See www.internet-of-things-research.eu/. Accessed 10 Jan 2017.
- 38.
See https://ec.europa.eu/digital-single-market/en/building-european-data-economy. Accessed 10 Jan 2017.
- 39.
European Commission (2017).
- 40.
European Commission (2017), p. 10.
- 41.
Mattei (2000), p. 4.
- 42.
- 43.
See, e.g., Lessig (1999), pp. 130–135.
- 44.
- 45.
Lehdonvirta and Virtanen (2010).
- 46.
Erlank (2013), p. 210.
- 47.
Clarke and Kohler (2005), p. 180.
- 48.
- 49.
- 50.
- 51.
Hoeren (2014), pp. 753–754.
- 52.
- 53.
- 54.
- 55.
See, e.g., Samuelson (1999).
- 56.
- 57.
- 58.
See also Grützmacher (2016), pp. 486–488.
- 59.
See, e.g., Article 2 Berne Convention (1886) for the Protection of Literary and Artistic Works, World Intellectual Property Organisation.
- 60.
Article 3 Directive 96/9/EC; see also Kemp (2014), p. 487.
- 61.
Article 7 Directive 96/9/EC. One of the goals of introducting this protection was to reward and protect certain investments that otherwise would not have been protected through copyright law.
- 62.
Grützmacher (2016), p. 488.
- 63.
Directive 96/9/EC Article 10; the term is set at fifteen years.
- 64.
Directive 2009/24/EC Article 1.
- 65.
See below Sect. 3.5.
- 66.
- 67.
- 68.
Kemp (2014), p. 488.
- 69.
Kemp (2014), p. 488.
- 70.
Bartolini et al. (2016), Chap. 4.2.
- 71.
Lohr (2011).
- 72.
Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.
- 73.
European Commission (2017), p. 10.
- 74.
Article 2 Directive (EU) 2016/943.
- 75.
See also Grützmacher (2016), p. 488.
- 76.
Article 2.1 (c) Directive (EU) 2016/943.
- 77.
See also European Commission (2017), p. 10.
- 78.
Malgieri (2016), pp. 102 et seq.
- 79.
See also Dorner (2014), pp. 622–623.
- 80.
See Dorner (2014), p. 625.
- 81.
- 82.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- 83.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The GDPR will come into force in May 2018.
- 84.
Definition of personal data in Article 2 (a) Directive 95/46/EC.
- 85.
Recital 26 Directive 95/46/EC.
- 86.
See also Article 29 Working Party (2007).
- 87.
C-582/14 Patrick Breyer v Bundesrepublik Deutschland, Judgment of the Court (Second Chamber) of 19 Oct 2016.
- 88.
Recital 26 Regulation (EU) 2016/679, which matches Recital 26 Directive 95/46/EC.
- 89.
Article 29 Working Party (2014a), p. 9.
- 90.
Article 29 Working Party (2014b), p. 11.
- 91.
- 92.
Malgieri (2016a), p. 5.
- 93.
See Chapter “The Principle of Purpose Limitation and Big Data”. This is underligned by an EU proposal suggesting that personal data may be a counter-performance in online contracts, Article 3 European Commission Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content COM/2015/0634 final.
- 94.
Malgieri (2016a), p. 6.
- 95.
Victor (2013), p. 515.
- 96.
Article 15 Regulation (EU) 2016/679.
- 97.
Article 17 Regulation (EU) 2016/679. The DPD established such a right, see Article 12 (b) Directive 95/46/EC.
- 98.
See Article 17 Regulation (EU) 2016/679. See also Victor (2013), pp. 523–524.
- 99.
Article 17.3 Regulation (EU) 2016/679. See “Google Spain case”: C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Judgment of the Court (Grand Chamber) of 13 May 2014.
- 100.
Article 17.2 Regulation (EU) 2016/679.
- 101.
Victor (2013), p. 524.
- 102.
Article 20 Regulation (EU) 2016/679.
- 103.
Article 29 Working Party (2016), p. 4.
- 104.
See Recital 68 Regulation (EU) 2016/679.
- 105.
Article 17 Directive 95/46/EC.
- 106.
See above Sect. 3.5.
- 107.
See above Sect. 2.3.
- 108.
Gerling and Rossow (2016), p. 507.
- 109.
European Commission (2017), p. 4.
- 110.
- 111.
Article 29 Working Party (2012).
- 112.
OECD (2008); European Commission Recommendation 2009/387/EC of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio- frequency identification.
- 113.
Security and Privacy in Your Car Act S-1806, introduced into the US Senate in July 2015; also referred to as the “SPY Car Act.”
- 114.
See above Sect. 4.
- 115.
Peppet (2014), pp. 165–176.
- 116.
US Department of Homeland Security (2016).
- 117.
Volkswagen (2016).
- 118.
Garcia et al. (2016).
- 119.
Article 4 (12) Regulation (EU) 2016/679.
- 120.
Article 33 (1) Regulation (EU) 2016/679.
- 121.
Article 83 Regulation (EU) 2016/679.
- 122.
Article 17 Directive 95/46/EC.
- 123.
Article 35 Regulation (EU) 2016/679; also known as privacy impact assessments or PIA.
- 124.
Article 25 (1) Regulation (EU) 2016/679; also known as privacy by design.
- 125.
Article 25 (2) Regulation (EU) 2016/679; also known as privacy by default.
- 126.
Articles 33–34 Regulation (EU) 2016/679; see above Sect. 5.2.
- 127.
European Commission (2014).
- 128.
European Commission (2011).
- 129.
Article 35 (11) Regulation (EU) 2016/679.
- 130.
The specific requirements in relation to breach notifications are found in Article 33 (3) (5) Regulation (EU) 2016/679.
- 131.
Article 32 Regulation (EU) 2016/679.
- 132.
Article 32 (1) (a), Article 32 (1) (d) Regulation (EU) 2016/679.
- 133.
See above Sect. 4.
- 134.
Article 83 (4) (a) Regulation (EU) 2016/679. The higher fines, of up to 20,000,000 €, or 4% of a business’ global annual turnover, are for more basic infringements, such as data processing principles, data subject rights and transfers of data to a third country, in accordance with Article 83 (5).
- 135.
See above Sect. 3.
- 136.
See above Sect. 3.5.
- 137.
See, e.g., Grützmacher (2016), p. 486.
- 138.
Article 20.4 Regulation (EU) 2016/679.
- 139.
Recital 63 Regulation (EU) 2016/679.
- 140.
Recital 35 Directive (EU) 2016/943.
- 141.
Drexl et al. (2016), p. 2.
- 142.
Drexl et al. (2016), p. 2.
- 143.
See above Sect. 5.
- 144.
See above Sect. 5.3.
- 145.
See Malgieri (2016a), p. 5.
- 146.
See, e.g., European Commission (2017), pp. 10–11.
- 147.
European Commission (2017), p. 11.
References
ABI Research (2013) More than 30 billion devices will wirelessly connect to the internet of everything in 2020. Press Release. 9 May 2013
Article 29 Working Party (2007) Opinion 4/2007 on the concept of personal data. Available via European Commission. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm. Accessed 16 Jul 2017
Article 29 Working Party (2012) Opinion 05/2012 on cloud computing. Available via European Commission. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm. Accessed 16 Jul 2017
Article 29 Working Party (2014a) Opinion 05/2014 on anonymization techniques. Available via European Commission. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm. Accessed 16 Jul 2017
Article 29 Working Party (2014b) Opinion 8/2014 on the recent developments on the internet of things. Available via European Commission. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm. Accessed 16 Jul 2017
Ashton K (2009) That ‘Internet of Things’ Thing. RFID Journal. 22 June 2009. http://www.rfidjournal.com/articles/pdf?4986. Accessed 10 Jan 2017
Bartolini C et al (2016) Cloud providers viability: how to address it from an IT and legal perspective? Economics of grids, clouds, systems, and services. In: Altmann J et al (eds) International Conference on Grid Economics and Business Models (GECON), Cluj-Napoca, September 2015. Lecture notes in computer science, vol 9512. Springer International Publishing, p 281
Bradley J et al (2013) Embracing the internet of everything to capture your share of $14.4 trillion. Cisco, http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoE_Economy.pdf. Accessed 10 Jan 2017
Cisco (2013) The internet of everything and the connected athlete: this changes … everything. http://www.cisco.com/c/en/us/solutions/collateral/service-provider/mobile-internet/white_paper_c11-711705.html. Accessed 10 Jan 2017
Clarke A, Kohler P (2005) Property law: commentary and materials. Cambridge University Press, Cambridge
Custers B, Uršič H (2016) Big data and data reuse: a taxonomy of data reuse for balancing Big Data benefits and personal data protection. International Data Privacy Law 6(1):4–15
De Hert P, Gutwirth S (2009) Data protection in the case law of Strasbourg and Luxemburg: constitutionalisation in action. In: Gutwirth S et al (eds) Reinventing Data Protection?. Springer, Dordrecht
Dorner M (2014) Big Data und “Dateneigentum.” Computer Und Recht 9:617–628
Drexl J et al (2016) Data ownership and access to data—position statement of the Max Planck Institute for Innovation and Competition of 16 August 2016 on the current European debate. Max Planck Institute for Innovation and Competition Research Paper No. 16-10
DuBravac S (2014) A hundred billion nodes. Five technology trends to watch 2014. Consumer Electronics Association, pp 3–8
Erlank W (2013) Books, apps, movies and music–ownership of virtual property in the digital library. Eur Prop Law J 2(2):194–212
Ernst and Young (2015) Becoming an analytics-driven organisation to create value. http://www.ey.com. Accessed 10 Jan 2017
European Commission (2011) Privacy and data protection impact assessment framework for RFID applications. 12 Jan 2011
European Commission (2014) Data protection impact assessment template for smart grid and smart metering systems (‘DPIA template’). Expert group 2 smart grid task force. 18 Mar 2014
European Commission (2016) Commission staff working document, advancing the internet of things in Europe, SWD(2016) 110 final
European Commission (2017) Building a European data economy, communication from the commission to the European Parliament, the Council, The European Economic and Social Committee and the Committee of the Regions, COM(2017) 9 final
Garcia et al (2016) Lock it and still lose it—on the (In) security of automotive remote keyless entry systems. In: Proceedings of the 25th USENIX security symposium 2016, pp 929–944
Gartner (2016a) Forecast: wearable electronic devices, Worldwide. 19 Jan 2016
Gartner (2016b) Top strategic predictions for 2017 and beyond: surviving the storm winds of digital disruption. 14 Oct 2016
Gerling S, Rossow C (2016) Angreiferjagd Im “Internet Der Dinge.” Datenschutz Und Datensicherheit 8:507–510
Grützmacher M (2016) Dateneigentum – Ein Flickenteppich. Computer Und Recht 32(8):485–495
Hoeren T (2014) Big data and the ownership in data: recent developments in Europe. Eur Intellect Prop Rev 12:751–754
IDC and TXT Solutions (2014) SMART 2013/0037 Cloud and IoT combination, study for the European Commission
Kemp R (2014) Legal aspects of managing big data. Comput Law Secur Rev 30(5):482–491
Kuneva M (2009) Keynote speech of the former European consumer commissioner, roundtable on online data collection, targeting and profiling. SPEECH/09/156. Brussels. 31 Mar 2009
Lehdonvirta V, Virtanen P (2010) A new frontier in digital content policy: case studies in regulation of virtual goods and artificial scarcity. Policy Internet 2(3):7–29
Lessig L (1999) Code: and other laws of cyberspace. Basic Books, New York
Lohr S (2011) Google schools its algorithm. New York Times. 5 Mar 2011
Malgieri G (2016a) “Ownership” of customer (big) data in the European Union: quasi-property as comparative solution? J Internet Law 2016:3–18
Malgieri G (2016b) Trade secrets v personal data: a possible solution for balancing rights. Int Data Privacy Law 6(2):102–116
Manyika J et al (2013) Disruptive technologies: advances that will transform life, business, and the global economy. McKinsey Global Institute
Mattei U (2000) Basic principles of property law: a comparative legal and economic introduction. Greenwood Publishing Group, Westport
Organisation for Economic Cooperation and Development (OECD) (2008) Committee for Information, Computer and Communications Policy (ICCP). RFID radio frequency identification OECD policy guidance: a focus on information security and privacy applications, Impacts and Country Initiatives
Peppet SR (2014) Regulating the internet of things: first steps toward managing discrimination, privacy, security and consent. Texas Law Rev 93:85–176
Purtova N (2015) The illusion of personal data as no one’s property. Law Innov Technol 7(1):83–111
Rose D (2014) Enchanted objects: design, human desire, and the internet of things. Scribner, New York
Samuelson P (1999) Privacy as intellectual property? Stanford Law Rev 52:1125–1151
Schwartz Pa M (2003) Property, privacy and personal data. Harvard Law Rev 117:2056–2128
Shackelford et al. (2017) When toasters attack: a polycentric approach to enhancing the ‘security of things’. University of Illinois Law Review (forthcoming) https://ssrn.com/abstract=2715799. Accessed 10 Jan 2017
US Department of Homeland Security (2016) Strategic principles for securing the internet of things (IoT). 15 Nov 2016
Verizon (2015) State of the market: the internet of things 2015. http://www.verizonenterprise.com/resources/reports/rp_state-of-market-the-market-the-internet-of-things-2015_en_xg.pdf. Accessed 16 Jul 2017
Victor JM (2013) The EU general data protection regulation: toward a property regime for protecting data privacy. Yale Law J 123(2):513–528
Volkswagen (2016) Volkswagen enters into cooperation with top Israeli experts to establish an automotive cyber security company. Press Release. 14 Sep 2016
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer Nature Singapore Pte Ltd.
About this chapter
Cite this chapter
Storr, C., Storr, P. (2017). Internet of Things: Right to Data from a European Perspective. In: Corrales, M., Fenwick, M., Forgó, N. (eds) New Technology, Big Data and the Law. Perspectives in Law, Business and Innovation. Springer, Singapore. https://doi.org/10.1007/978-981-10-5038-1_4
Download citation
DOI: https://doi.org/10.1007/978-981-10-5038-1_4
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-5037-4
Online ISBN: 978-981-10-5038-1
eBook Packages: Law and CriminologyLaw and Criminology (R0)