MHC Tech Law: IoT devices under the regulatory microscope

5 Dec 2016

A recent GPEN investigation put IoT devices under the microscope, but what does this mean for stakeholders in the industry? The Mason Hayes & Curran Technology team investigated the results.

Earlier this year, the Global Privacy Enforcement Network (GPEN) published the results of its global privacy review of internet of things (IoT) devices. This annual review, dubbed the ‘Privacy Sweep’, found that many companies failed to explain to users how their personal data is collected, stored and safeguarded, via devices that boast internet connectivity. GPEN found that companies demonstrating good privacy communication practices were in the minority.

With IoT devices becoming increasingly prevalent in everyday life, we examine the results of this Privacy Sweep and what they mean for IoT stakeholders.

What is GPEN?

GPEN connects data protection authorities (DPAs) from around the world and aims to promote cross-border cooperation and the strengthening of privacy practices. GPEN is comprised of over 60 DPAs based in 39 jurisdictions, and was established in 2010 as the result of a recommendation by the OECD.

Each year, the GPEN undertakes a Privacy Sweep, which targets a specific trend or issue. These have included reviews of mobile privacy in 2014 and children’s apps and websites in 2015.

The IoT sweep

25 DPAs from around the world examined the privacy communications and practices of 314 IoT devices in April 2016. The aim was to increase awareness of best practices and to encourage compliance with privacy legislation.

Each DPA chose a category of IoT device to review. This involved interacting with and using the device, examining the privacy notices that came packaged with it and analysing the information provided on the device’s website. In certain instances, DPAs also contacted the relevant organisations directly with questions related to privacy. This approach was aimed at recreating the consumer experience by requiring the DPAs to spend time checking the privacy performance of the device against a set of common indicators.

Connected toys, cars, TVs, wristwatches that monitor health, and smart household appliances were among the devices studied. In Ireland, the Office of the Data Protection Commissioner (DPC) investigated 9 devices from the IoT environment, including smart electricity meters and fitness trackers. The DPC’s national findings were broadly in line with global trends.


The results of the Privacy Sweep included findings, in respect of devices and/or organisations, that:

  • 59pc didn’t adequately explain to customers how their personal data was collected, used and disclosed
  • 68pc failed to properly explain how information was stored
  • 72pc failed to explain how customers could delete their information off the device
  • 38pc failed to include easily located contact details should customers have privacy concerns
  • 68pc collected location data
  • 64pc asked for date of birth details
  • 41pc collected photo, video or audio files

The Privacy Sweep found that the vast majority of producers of health and wellness devices provided a privacy policy on their websites. However, two-thirds of the policies were generic, and applied to multiple products and services being offered by the company. Over half of the policies mentioned the disclosure of personal information to third parties, but were not clear as to whom those disclosures could or would be made.

The majority of organisations did not indicate whether data gathered on the individual would be encrypted when stored or transferred.

Six in 10 device makers offered contact information if customers had follow-up questions about privacy. Although most responses received by the partaking DPAs were reported to be adequate, some were received late or failed to address the issues raised. Others simply redirected the relevant DPA back to the privacy policy.

What’s next?

The DPAs involved in the Privacy Sweep are now considering their next steps. This may include action against the developers and suppliers who have been found to be in breach of law. Concerns identified by the Privacy Sweep may result in enforcement action.

The DPC has stated that it plans to increase investigations and audits of technology devices in 2017. Its aim is to gauge compliance with Irish data protection law and to work with developers and suppliers of IoT devices to ensure that their products are meeting the requisite standards.


There is an increasing regulatory focus on the principles of data protection by design and default and data minimisation, particularly in cases where large amounts of personal data are collected or used. When developing a product or service built around the IoT, developers and producers should:

  1. Be transparent about how personal data is collected, used and disclosed
  2. Implement privacy policies and just-in-time notices to inform users and other individuals
  3. Design, optimise and adopt internal data protection policies and practices in line with these principles

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Contact a member of the MHC Technology team or visit for more information.
