Findings of the Global Privacy Enforcement Network’s (GPEN) review of Internet of Things (IoT) devices indicate that manufacturers of these devices are not informing users of their data protection rights. This is according to the Office of the Data Protection Commissioner (ODPC), which participated in the review of IoT devices (as reported here) alongside 24 other data protection authorities. (The GPEN previously conducted a “Privacy Sweep” on websites and mobile apps in 2013 (as reported here)).

The IoT review involved an investigation of nine IoT devices available in Ireland including smart electricity meters and fitness trackers. The ODPC reported that national findings were broadly in line with global trends identified in the GPEN report, which found that in company communications with users about their data privacy rights:

• 72% did not adequately inform customers how to delete their information;
• 68% did not adequately inform customers how their information was stored;
• 60% did not adequately inform customers how their personal information would be collected and processed; and
• 38% did not include easily identifiable contact details if customers had privacy concerns.

The ODPC noted its concerns following the results of the sweep stating that “the introduction of this technology must be done in a clear and transparent manner” and that it is planning to follow up the review by increasing the amount of investigative and audit work into IoT devices in 2017.

The GPEN report and the ODPC’s comments about upcoming audits should alert manufacturers of IoT devices to the importance of meeting data protection standards.

Follow us on Twitter @WFIDEA

Contributed by Leo Moore