Legal definition of personal data could hamper Internet of Things developments in Europe, warns lawyer
Think data generated by an IoT device can't be classed as personal data? Think again, says Pinsent Masons' Dr Kuan Hon
The European Union's forthcoming General Data Protection Regulation (GDPR), set to come into force across the EU in 2018, could tie up organisations in legal knots given the broad definition of ‘personal data’ under the new law.
That is the warning of Dr Kuan Hon, a consultant lawyer at law firm Pinsent Masons, who is also a senior researcher involved in the Cloud Computing Project at the Centre for Commercial Law Studies at Queen Mary University of London.
Speaking at Forrester Research's Digital Transformation Europe 2016 Forum in London this week, she said that there are all kinds of ways in which even machine data could be construed as personal data.
"The definition of personal data, for legal purposes, is actually a lot broader than a lot of people would think... You might think that data from an aircraft engine can't be personal data. But if the aircraft crashes, it could be the personal data of the pilot, the engineer maintaining it. If it can be linked to them, it could be classed as personal data, so it's a lot broader than you might think," she said.
Indeed, according to Jan-Jan Lowijs, a privacy expert at consultants Deloitte, it has already been established in the EU that data taken from aircraft engines with the intention of analysing it - for safety, maintenance and other purposes - is classified as personal because it invariably pertains to the pilot and the way in which he or she is flying the aircraft.
Yet that is under the current regime, she says. "The GDPR will broaden the definition of personal data. Even more ‘things’ are going to be personal data and you are going to have to comply with the GDPR rules about processing personal data.
"Another issue, maybe, is sensitive personal data, like health data, where you need explicit consent. There are issues about how you get explicit consent with a small device without a screen.
"Security will be a requirement under the GDPR, not only on the ‘controllers’ who control the purpose and means of processing personal data, but also the processors - service providers. So others within the supply chain, which is a very complex supply chain for IoT, are going to have security obligations.
"Furthermore, they are going to have liabilities. If there's a security breach, affected individuals can choose to sue the processor instead of the controller because the processor may have deeper pockets, not because they are more at fault.
"That means that the supply chain could be exposed to compensation claims if something goes wrong with personal data and therefore the contracts between the parties in the supply chain will be very important.
You will have to look at them and figure out how to allocate liabilities because you don't want to be the one who gets sued because you've got deeper pockets," said Dr Hon.