Regulators Announce International Investigation into Practices of Internet Connected Devices
According to a press release issued by the Office of the Privacy Commissioner of Canada, each of the DPAs will focus on accountability but will have the flexibility to choose a category of products and a preferred approach. For example, some DPAs will purchase products and conduct a first-hand, out-of-the-box assessment of privacy communications in practice against what companies’ communications say is being collected. Others will examine the privacy information that is available on manufacturers’ websites and may contact manufacturers, retailers and/or data controllers directly with specific privacy questions or concerns.
The DPAs identified below have announced the following areas of focus:
- The French DPA will focus its investigations on home IoT devices (including connected cameras), health devices (e.g. scales, blood pressure monitors), and fitness trackers. Its audit will look at the quality of transparency information provided to individuals, the security of devices, and the degree of user control.
- The Belgian DPA will review privacy communications on the websites of smart metering systems.
- The Italian DPA will focus on household objects, looking at companies’ transparency in the use of personal data and their compliance with data protection rules.
- The Gibraltar Regulatory Authority will focus on the quality of information given to users in relation to the processing of their data in the context of smart electricity meters, internet-connected thermostats and watches that monitor health.
- The Office of the Privacy Commissioner of Canada (OPC) will focus its efforts on health devices (e.g. fitness trackers, smart scales, and sleep monitors).
According to the OPC, the goal of the international sweep is to “increase public and business awareness of privacy rights and responsibilities, encourage compliance with privacy legislation, identify concerns that may be addressed through targeted education or enforcement and enhance cooperation among privacy enforcement authorities”.
The results of the sweep are due to be published in September but, at any point, participating DPAs may use findings made in connection with the sweep to undertake outreach or enforcement action against businesses that fall short of the required standards.