November 2020 / Reading Time: 5 minutes

It is obvious that new, disruptive technologies like Cloud Computing or the Internet of Things provide many benefits to their users. Just by comparing the present day with the early 2000s, we can see the tremendous effect technology has had on human evolution. But, like everything else that is good, it comes at a price. Part of this price is the number of privacy and data protection implications for the end users of these technologies. To respond to these privacy threats, regulators and ombudsman institutions all over the world established different legislative norms in an attempt to balance the control levers.

In this post, I will try to summarize the European Union’s legal framework concerning the processing of personal data by these sophisticated new technologies. Generally speaking, the relevant EU legal framework for assessing the privacy and data protection issues raised by these new technologies is composed of the GDPR, the e-Privacy Directive (which is soon to be replaced by the e-Privacy Regulation) and the Council of Europe’s Convention 108+, as well as the respective national laws of the Member States. Specific opinions and documents were also issued by the Article 29 Working Party or its current successor, the EDPB (European Data Protection Board).

The GDPR has a few key implications when it comes to the processing of personal data by these new technologies, introducing the concepts of privacy by design and privacy by default. These concepts require data controllers to adopt significant new technical and organizational measures to demonstrate their compliance with the requirements of the GDPR. These may include conducting data protection impact assessments in certain circumstances, which are likely to arise in connection with IoT systems, Big Data analytics and other forms of personal data processing via new technologies, such as health wearables.

Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as the e-Privacy Directive, is an EU directive on data protection and privacy meant for the digital age we live in. It applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks (telecom operators) if such services are provided by means of a cloud solution. Moreover, its purpose is to ease the advance of electronic communications services. The general obligations it imposes are for the providers of electronic communications services to ensure the security of their services and for the EU Member States to maintain the confidentiality of communications.

Convention 108+ is the modernized version of Convention 108, which for the past four decades has been the only international legally binding instrument on the protection of private life and personal data open to any country in the world. It applies to personal data processed by big data analytics and disruptive information and communications technologies. After being overshadowed by the GDPR in the last couple of years, Convention 108+ regained prominence following the EU Court of Justice’s “Schrems II” ruling.

Having established the main legal framework, let’s now briefly see how the new technologies fit within this legal setting. Cloud Computing is arguably the next big evolution of the internet, where everyone – from individuals to major corporations and governments – moves their data storage and processing into remote data centers. Cloud computing is a term used to describe a wide range of technologies. Think of flexible, location-independent, on-demand access to computing resources via a network. To keep it simple, think about these three tech giants: Google, Microsoft and Amazon. All of them have IT infrastructures, platforms and software provided centrally and distributed to end users over a network. Google has Google Apps, Microsoft has Microsoft Azure, while Amazon has EC2. As all of these companies do business in the EU and offer their services to EU citizens, they must obey the rules of the GDPR, which applies in every case where personal data is processed as a result of the use of cloud computing services. To help clarify the interpretation of the regulation, the Article 29 Working Party published Opinion 05/2012 on Cloud Computing, in which it analyses all relevant issues for cloud computing service providers operating in the European Economic Area, and for their clients.

As Wikipedia very well defines it, the Internet of Things describes the network of physical objects (things) that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet. While the first thing that comes to mind when we think about IoT is indeed the concept of the “smart home”, IoT use is not limited to household consumers, as there are many industrial, infrastructure or even military applications. Nevertheless, the biggest portion of IoT devices is created for consumer use. Although it is great to have a “smart home” populated with many “smart things” that make our lives better, many voices raise serious concerns about the dangers in the growth of IoT, especially in the areas of privacy and security. As a consequence, regulatory institutions all over the world have moved to address these concerns.

With regard to EU data protection rules, and considering that the IoT industry involves multiple stakeholders (e.g., device manufacturers, social platforms, third-party application developers, IoT data platforms, etc.), the EU regulatory bodies established that it is essential to identify each one’s role. As such, the Article 29 Working Party published Opinion 01/2010 on the concepts of “controller” and “processor”, offering guidance to IoT stakeholders on how the EU data protection rules apply to data controllers and data processors. Moving on to the GDPR and the e-Privacy Directive, IoT stakeholders qualifying as data controllers under EU law must comply with the provisions of Art. 32 of the GDPR and with Art. 5.3 of the e-Privacy Directive, the latter being applicable when an IoT stakeholder stores, or gains access to, information already stored on an IoT device.

Neither the Cloud Computing nor the IoT industry could properly function without processing vast amounts of data, which can either be created by people or generated by machines, such as sensors gathering climate information, satellite imagery, digital pictures and videos, purchase transaction records, GPS signals, and so on. Since the benefits of these technologies come with the data privacy and data protection risks associated with the use of Big Data (such as the loss of anonymity, large-scale data breaches, discrimination, etc.), it is no wonder that the EU bodies wanted to set out a clear framework to contain these risks. Hence the GDPR, the e-Privacy Directive and Convention 108+. As a general rule, personal data processed via big data analytics falls under both the GDPR and Convention 108+. While the GDPR is especially important in relation to Internet services and other complex automated data processing (such as the use of algorithms for decision-making), Convention 108+ grants new rights to the data subject to enable more effective control over his or her personal data.

As I wrote in a previous post, new technologies are here to stay. I, for one, cannot wait to see what the next new thing to shine on technology’s stage will be. In the meantime, I will enjoy these cool new technologies that make my professional and personal life better, while also keeping an eye on the legal framework that governs them. I advise you to do the same!

Thank you for your time!