The development of the Internet of Things, while it is proving to be a provider of innovative and practical solutions for a vast majority of users, both individual and professional, raises an ethical question that is the source of many debates: what exactly happens to personal data? Who can collect this data? To what extent is it possible to share this data? What are the real risks involved?
Why a data security law?
Even if the discussion and debate seem endless, the law has decided. Of course, a legal text is meant to be enriched as people evolve over time. And it is clear that the combination of safety and security, or the opposition of transparency and privacy, will continue to fuel conversations. However, the legislator must set rules to standardize and facilitate exchanges and to regulate the practice and implementation of the Internet of Things, so that everyone can better understand the framework within which they operate. Some may find the rules reassuring while others may perceive them as restrictive. And we return inexorably to the eternal philosophical debate between freedom and security, even if these two notions are not always meant to be opposed.
What personal data should be protected?
To understand the scope of the law, it is necessary to start by recognizing what personal data is. Under French law, personal data is information that makes it possible to identify a natural person precisely, whether directly or indirectly. Direct identifiers are easy to recognize: surname, first name, social security number, photo, social network profile, driving license, etc. In practice, the debate is more about information that identifies someone indirectly. A telephone number is personal information that can be indirectly linked to its owner. So far so good. But what about daily habits such as those recorded by a connected watch, a home automation box, or an on-board computer in a car? Or even data entrusted to one's employer or to a company via the Internet?
What does the Data Protection Act say?
The law applies to everyone in the European Union, and includes different aspects:
– Enhanced consent and the right to transparency. All requests for personal data must be explicitly justified. The data can be rectified at any time, and it is possible to simply object to its use. It must be possible to access it in a simple and clear way.
– The right to data portability. Everyone must be able to retrieve their data and transfer it to the right person.
– The right to be forgotten. Everyone must be able to delete their data at any time.
– The right to notification. In the event of a data breach, the data owner must be notified as soon as possible.
– The right to compensation for material or moral damage.
– Group actions, in case of legal recourse.
Companies are subject to a general security and confidentiality obligation as well as an obligation to provide information. You should also know that the law has set the age of digital majority at 15 years. From this age, parental consent is no longer required.