GPEN Coordinates Multi-National Privacy Sweep Directed At Internet-Connected Devices | Practical Law

GPEN Coordinates Multi-National Privacy Sweep Directed At Internet-Connected Devices | Practical Law

The Global Privacy Enforcement Network (GPEN) is spearheading an effort involving a number of data protection authorities (DPAs) to investigate internet-connected (Internet of Things or IoT) devices, including fitness and health trackers, thermostats, smart meters, smart TVs, and connected cars.

GPEN Coordinates Multi-National Privacy Sweep Directed At Internet-Connected Devices

Practical Law Legal Update w-001-9170 (Approx. 4 pages)

GPEN Coordinates Multi-National Privacy Sweep Directed At Internet-Connected Devices

by Practical Law Intellectual Property & Technology
Published on 20 Apr 2016USA (National/Federal)
The Global Privacy Enforcement Network (GPEN) is spearheading an effort involving a number of data protection authorities (DPAs) to investigate internet-connected (Internet of Things or IoT) devices, including fitness and health trackers, thermostats, smart meters, smart TVs, and connected cars.
Beginning on April 11, 2016, 29 data protection authorities (DPAs) belonging to the Global Privacy Enforcement Network (GPEN) launched data privacy "sweeps" of various internet-connected devices (commonly, collectively known as Internet of Things or IoT). During this year's initiative, each DPA will choose a category of products to investigate. Their methods may range from examining the privacy information available on manufacturers' websites to contacting the manufacturers, retailers, or data controllers with specific privacy questions, to purchasing IoT devices and conducting their own assessments of how actual privacy communications measure up to what companies say is being collected.

Commission for the Protection of Privacy (Belgium)

The Belgian DPA will examine privacy communications on the websites for smart metering systems and devices.

Office of the Data Protection Commissioner (Ireland)

The Irish DPA will take an in-depth look at IoT devices available to Irish consumers, including smart electricity meters, fitness trackers, and telematics, and consider how well companies communicate privacy matters to their customers.

Guarantor for the Protection of Personal Data (Italy)

The Italian DPA will focus on home automation, seeking to verify:
  • The degree of transparency in the use of consumers' personal information.
  • Compliance with data protection rules on the part of companies, including multinationals, operating in the sector.

National Commission for Computing and Liberties (CNiL) (France)

The French DPA will investigate:
  • Home automation objects like connected cameras that can detect movement within the home or measure the air quality.
  • Internet-connected health items including scales, blood pressure monitors, and glucose monitors that collect related health data.
  • Activity trackers like smartwatches and bracelets, which may collect location data but also calculate a person's number of daily steps taken, calories consumed, and analyze the quality of sleep.
CNiL will also assess the:
  • Quality of the delivered information.
  • Level of security of data flow.
  • Degree of user control over the operation of the data.

Gibraltar Regulatory Authority

The Gibraltar DPA will be reviewing the collection and use of personal data by IoT devices, with a particular focus on the information given to users in relation to the processing of personal data.

GPEN

GPEN's members are 59 data protection agencies from 43 countries, including the FTC, FCC, and the California Attorney General in the US. Its administrative committee consists of authorities from the US, Canada, Israel, Hong Kong, and the UK. More information on GPEN and its activities is available in its 2015 annual report. The results of the sweep are due to be published in September 2016.