Jerneja Horvat, postgraduate student, Faculty of Law, University of Maribor, Slovenia.

Research interests: EU law, personal data protection, company law



The Internet of Things (IoT) is a fast-growing phenomenon that is changing our lives on a daily basis. The term IoT describes several technologies that enable the Internet to reach out into the real world of physical objects. It refers to an infrastructure in which billions of sensors, embedded in common, everyday objects or things linked to other objects or individuals, are designed to record, process, store and transfer data and, as they are associated with unique identifiers, to interact with other devices or systems using network capabilities. In practice, IoT technologies are currently available in health and fitness sensors, automobile black boxes, home monitors, devices designed for employee monitoring and software applications that make use of the sensors within smartphones.

How does it work?

The crucial elements of IoT technology are Micro-Electro-Mechanical Systems (MEMS) sensors that translate physical phenomena, such as movement, heat, pressure or location, into digital information. These sensors enable devices to collect data and then connect to the Internet and to each other. There are five types of Internet of Things technologies currently available to customers: health and fitness sensors, automobile black boxes, home monitors and smart grid sensors, devices designed specifically for employee monitoring, and software applications that make use of the sensors within today’s smartphones. Among health and fitness sensors, for example, wearable computing is becoming more and more popular. Wearable devices are everyday objects and clothes, such as watches or glasses, in which sensors are included to extend their functionalities. They may embed cameras, microphones and sensors that can record and transfer data to the device manufacturer. Wearable computing also supports the creation of applications by third parties, who can thus get access to the data collected by such things.

Problems related to the IoT

There are four major problems related to the IoT, and all of the data mentioned above have a high potential for misuse. It is nearly impossible to ensure complete protection of privacy, the devices are prone to hacking and other security breaches, there are still issues regarding consent and, last but not least, the IoT could potentially lead to discrimination.


Firstly, the trouble with collecting such an enormous amount of data is that there is only so much de-identification possible. Even if the name, address and other obvious identifying information are removed from a dataset, it is still relatively easy to re-identify that dataset after the data is shared. This can happen because of the unique features that remain in the data. Someone who is familiar with some of these features could use this knowledge to identify us. Furthermore, based on the collected data, one is also able to predict much other information about an individual. Additionally, the processing of data requires the intervention of a lot of stakeholders, such as device manufacturers, social platforms and others. Once this data is stored, it may be shared with other parties, sometimes even without the individual being aware of it. Or the individual can be aware of it, but cannot disagree without disabling most of the functions of the device. For example, our smartphones are constantly asking us for permission to use the data for one research purpose or another, and if we don’t agree with the whole package, we often cannot even install an application on our phone. If the app is not able to collect and share our data, it cannot function properly, so most people accept the terms of use without giving it a second thought. As a result, the IoT can put device manufacturers and their commercial partners in a position to build or have access to very detailed user profiles. Such data flows cannot be managed with the classical tools used to ensure the adequate protection of the data subjects’ interests and rights. Also, the communication between objects is frequently triggered automatically, without the individual being aware of it. In the absence of the possibility to control how objects interact, it is becoming very difficult to control the generated flow of data, not to mention its subsequent use.


Secondly, there is a problem regarding the security vulnerabilities of any device. The products are often manufactured by traditional industry rather than computer hardware or software firms. The engineers involved may therefore be unaware of the possible data-security issues, and the companies do not pay sufficient attention to security. Hacking is just an extreme case, but short of that, there are many kinds of problems that could arise. Even though the information gathered by IoT devices might be mundane, it can nevertheless produce extremely detailed profiles of individuals’ behaviour.


Consent is crucial in data protection, but it is not always clear where consent is needed and what conditions have to be fulfilled for consent to be valid. Users may not always be aware of the data processing carried out by a specific object, or they simply do not understand the complex technology of the IoT and therefore the true consequences of consenting to the use of IoT devices. A lot of IoT manufacturers also prefer to provide privacy and data-related information only on a website. Such lack of information constitutes a significant barrier to demonstrating valid consent. The legislative history shows relative consensus on the conditions of valid consent, namely that it is freely given, specific and informed, but there is some uncertainty over the ways in which it may be expressed. It should, however, be unambiguous, meaning that it leaves no doubt as to the individual’s intention to provide consent.


The IoT allows customers to be sorted more precisely than ever before, but such sorting can easily turn from relatively benign differentiation into new and invidious types of unwanted discrimination. Huge amounts of sensor data from IoT devices can give rise to unexpected inferences about individual consumers. Employers, insurers or others can later make economically important decisions based on those inferences, which could lead to new forms of illegal discrimination based on race, age or gender, and could also create troublesome forms of economic discrimination based on IoT data.

Development of IoT in EU

The protection of personal data is currently regulated by two Directives: the E-Privacy Directive, last amended in 2009, and the Data Protection Directive from 1995. However, there has been an important development regarding the regulation of the Digital Single Market in the past year. After the proposal in 2012, there has been an agreement in December to reform the Digital Single Market. The reform will consist of the General Data Protection Regulation and the Data Protection Directive. The most important change in this regard is that the Digital Single Market will be regulated by a regulation rather than a directive. This means a unified approach and a clearer legal framework that everyone will have to follow. It will also supposedly allow people to regain control of their personal data by introducing new means of control over it, such as easier access to their own data, a right to data portability, the “right to be forgotten” and the right to know when their data has been hacked.


The IoT holds significant prospects of growth for a great number of innovative and creative EU companies which operate in these markets. Nonetheless, there seems to be too much focus on economic advantages and not enough on what is actually at stake and the consequences it may have on society at large. Even if data controllers comply with the legal framework in the technical sense, there is still the impending issue of consumers not being able to choose a product that is not connected. While the IoT does make life easier in a lot of respects, a lot of people are not comfortable letting so much information about their activities be stored somewhere.

The point of the IoT is to make it easier for businesses to provide the products and services people need, to speed up their responses and thereby eventually to satisfy consumers. But because of the very sensitive nature of personal data, these questions cannot be left to self-regulation and must be managed at a higher, internationally unified level. By adopting the new legislation, the EU has made an important step forward in the right direction, but it should still remain very cautious and strict regarding the potential misuses of IoT technologies.