CNIL issues Internet Sweep Outcomes on Connected Devices
On September 23, 2016, the French Data Protection Authority (CNIL) issued the outcomes of the Internet sweep on connected devices, which was set up last May to evaluate the quality of the information that operators provide to end users, as well as the level of user empowerment and the degree of security of personal data.
This initiative, announced by the CNIL last April and organised by the Global Privacy Enforcement Network (GPEN), is part of a coordinated online audit to analyse the impact of ordinary IT devices.
It involved data protection authorities throughout the world, and more than 300 connected devices were examined and audited. In France specifically, the CNIL tested 12 connected devices in the fields of home automation, health and well-being, and concluded that:
1. Users of connected devices are not adequately informed of the processing of their personal data, as the products did not provide users with appropriate information about how their personal data will be processed.
2. Users have an acceptable degree of control over their personal data as the personal data was subject to the user’s consent.
Like the other DPAs, the CNIL announced that it reserves the right to conduct more inspections in order to assess the compliance of connected devices with the French Data Protection Act.
Launch by the GPEN of the 2016 Global Privacy Sweep in the “Internet of Things”
A Privacy Sweep, an international evaluation dedicated to verifying respect for privacy in the Internet of Things, was launched on 11 April 2016. This initiative is coordinated by the Global Privacy Enforcement Network (GPEN), the international network that seeks to strengthen cooperation between the DPAs of different countries around the world, and will examine the data protection documentation and practices related to Internet-connected devices.
DPAs are free to choose the categories of products that they will examine (smart meters, smart watches, internet-connected thermostats…). The French CNIL has declared that it wants to focus its investigation, which will start in May 2016, on three different categories that could impact privacy in everyday life: Smart Home devices (connected cameras that are able to detect movement or measure air quality, smart fridges that report expired products, or smart meters), health items (blood pressure or glucose monitors that collect health-related data) and wellness-related objects (smart watches and bracelets that collect location data or calculate the number of steps taken daily or the calories consumed). In practice, the CNIL will assess the quality of the information delivered, the security level of the data stream and the degree of control users have over the use of their personal data (consent, the exercise of their rights, deletion of data, etc.).
By contrast, the Italian Garante will focus on only one issue: Smart Home devices. The Irish Data Protection Commissioner, for its part, will review devices such as smart electricity meters, fitness trackers and telematics. Other topics, like the examination of privacy communications on websites that offer devices relating to smart metering systems, will be studied by the Belgian Privacy Commission. Among non-European DPAs, the Office of the Privacy Commissioner of Canada will examine privacy practices in health devices.
GPEN Sweep – Internet of Things
“A Sweep of how Internet of Things (IoT) devices use personal data, and how users are kept informed, is being undertaken this week by 29 data protection authorities around the world.
In Ireland, the review will involve an in-depth look at IoT devices available to users in this jurisdiction such as smart electricity meters, fitness trackers and telematics, and consider how well companies communicate privacy matters to their customers.
The combined results of the Sweep will be published in September. Authorities will also consider action against any devices or services that are found to be breaking data protection laws.
The work is coordinated by the Global Privacy Enforcement Network (GPEN) and follows previous reports on online services for children, website privacy policies and mobile phone apps. GPEN is an informal network of data protection agencies from around the globe. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. For more about the Global Privacy Enforcement Network, please click on the following link: https://www.privacyenforcement.net/”
CBP signs agreement on GPEN alerting system
The Dutch Data Protection Authority (CBP) has a cooperation agreement (Memorandum of Understanding, or MoU) with seven other privacy regulators for the exchange of information in the GPEN Alert System. Through this system, data protection authorities worldwide monitor and exchange information on cases where there are cross-border issues.
The system allows the sharing of information on investigations, but also of signals that may be relevant to other regulators. Each supervisor decides what to share based on the laws in force in its country.
The seven regulators are the CBP, the US Federal Trade Commission (which developed the system for GPEN), as well as the privacy authorities of Australia, Canada, Ireland, New Zealand, Norway and the United Kingdom.
International privacy scan apps for kids
The Dutch Data Protection Authority (CBP) has participated in an international scan focused on apps and websites for children. 29 different privacy regulators from around the world participated in the scan, each holding its own national scan. In total, they put nearly 1500 of the most popular apps and websites under the microscope. 67% of the apps collected personal data on children. Many of the apps and websites also provide links to content that falls outside the safe online environment of the app.
The CBP concludes from its national scan, inter alia, that for most apps it is not possible to assess what the app actually does, what personal data are processed by it, and for what purpose. Parents should be able to find comprehensive information easily in the app store when downloading.
The international scan is organized by the Global Privacy Enforcement Network (GPEN), an international alliance of privacy authorities. The scan looks at privacy issues such as the provision of information in the app store, the personal data to be entered when installing, and the use of ad networks.
First sectoral inspection in Europe on cloud services in the educational field
On 22 July 2015, the Spanish Data Protection Agency (AEPD) published the First Sectoral Inspection Plan in response to the progress of new technologies that affect data in schools, especially through Cloud Computing.
The AEPD identifies the main actors involved in the cloud service performance in the education sector. It verifies the guarantees adopted and, in particular, the security measures implemented by each of the operators in order to ensure the security and integrity of the data.
It concludes with a series of relevant optional recommendations intended to change the digital environment, support the further development of new models within a framework that respects the Spanish Data Protection Act (LOPD), and alert stakeholders to the necessary compliance with Spanish legislation on data protection.