Striking a balance with privacy concerns in The Internet of Things can be difficult; Rafi Azim-Khan and Steven Farmer from Pillsbury Law look at your obligations on data.

Smart TVs raised privacy concerns earlier this year with reports that people could unknowingly have their private conversations recorded in their homes when the voice recognition functionality was enabled.

The idea of connected devices snooping on your conversation is like something out of George Orwell’s “1984”, but is becoming an increasingly widespread phenomenon – voice recognition is now used in everything from fridges to mobile phones.

The Internet of Things holds significant potential for growth within creative companies, however the potential for privacy intrusion where voice activated features are used, for example, is also very real.

As more devices in the home develop networked “ears and eyes”, what precisely are the obligations of companies with the ability to “snoop” from a privacy perspective?

The legal framework

The relevant legal framework with which to assess these privacy and data protection issues is composed primarily of Directive 95/46/EC (the “Data Protection Directive”).

The Data Protection Directive applies to all processing of personal data (including spoken voice data) carried out where a data controller is established in an EU country, or importantly in the context of the IoT, where a data controller makes use of equipment situated in the EU.

To re-cap, the “data controller” is the person (or entity) who determines the purposes for which and the manner in which any personal data is to be processed and so in the context of connected TVs, the data controller could be, say, a TV manufacturer established in the EU or a TV manufacturer who is established outside the EU but who collects voice data of users in the EU via voice recognition functionality on a connected TV.

In the context of a connected TV manufacturer, the data controller would need to ensure that any processing of voice data is “legitimate”, typically via the consent of its users.

The issue of what constitutes valid consent is a particularly complex area, with different views across the EU as to what it means and how it is obtained. However, it is questionable whether consent would be deemed valid if a notice that “voice data will be collected by a TV manufacturer when voice recognition functionality is enabled” was buried in a privacy policy, for example.

Further obligations on a TV manufacturer include the obligation to process the voice data only for the specified purposes for which it was collected and to not to keep it for any longer than was necessary to fulfil those purposes.

The identity of the controller, the purposes of the processing, the recipients of the data (if any), the existence of the rights of a user to access their data, and so on, should also all be set out in a clear and comprehensive manner in the data controller’s privacy policy and the controller should ensure it has the consents to process data it believes it has before any collection or processing takes place.


In terms of sanctions for data breaches, there has been a recent push for more aggressive fine levels and enforcement in the EU as a result of too many companies taking a half-hearted approach to data protection compliance, a view expressed by the enforcers across Europe.

Expected over the coming months is a new Data Protection Regulation for the EU which will replace the existing Data Protection Directive and usher in sweeping changes with proposals to beef up and alter the current regime.

A key part of the Regulation is larger fines – 2% to 5% of global turnover, or up to 100 million Euros, for data protection breaches have been proposed.  Fines for serious breaches have already increased significantly in the UK in recent years (companies in breach can be fined up to £500,000).

There is also an increasing trend in EU countries to permit privacy claims via the courts even where no financial loss has occurred, significantly broadening the circumstances in which data protection litigation can be brought and damages awarded.

Privacy by design

Companies manufacturing IoT devices and providing smart services need to be thinking about “privacy by design” which has been a key mantra coming out of Europe for some time now.

Essentially, companies must now demonstrate that they are taking data protection seriously at the design and implementation stage.

In practice, it is necessary to perform security assessments on systems and services as a whole, in addition to training staff and having policies in place dealing with key issues such as data handling, data access for users, breach notification and so on.

In drafting or reviewing policies and procedures, organisations should be mindful of the likely changes being introduced by the new Regulation (e.g. those relating to breach notification obligations) and the latest sanctions position for breaches.

Whilst well drafted and user-facing privacy policies can help, far greater levels of transparency about data processing are also necessary, along with clearly signposted opt-outs and user-controls.  When investigating a violation, enforcers are unlikely to have much sympathy for organisations that have taken a lackadaisical approach to compliance.


Rafi Azim-Khan is head, data privacy, Europe, and Steven Farmer is counsel, both at Pillsbury Law