
Big Brother is watching and listening


Striking a balance with privacy concerns in The Internet of Things can be difficult; Rafi Azim-Khan and Steven Farmer from Pillsbury Law look at your obligations on data.

Smart TVs raised privacy concerns earlier this year with reports that people could unknowingly have their private conversations recorded in their homes when the voice recognition functionality was enabled.

The idea of connected devices snooping on your conversation is like something out of George Orwell’s “1984”, but is becoming an increasingly widespread phenomenon – voice recognition is now used in everything from fridges to mobile phones.


The Internet of Things holds significant potential for growth within creative companies; however, the potential for privacy intrusion, for example where voice-activated features are used, is also very real.

As more devices in the home develop networked “ears and eyes”, what precisely are the obligations of companies with the ability to “snoop” from a privacy perspective?

The legal framework

The relevant legal framework with which to assess these privacy and data protection issues is composed primarily of Directive 95/46/EC (the “Data Protection Directive”).

The Data Protection Directive applies to all processing of personal data (including spoken voice data) carried out where a data controller is established in an EU country, or importantly in the context of the IoT, where a data controller makes use of equipment situated in the EU.

To recap, the “data controller” is the person (or entity) who determines the purposes for which and the manner in which any personal data is to be processed. In the context of connected TVs, the data controller could be, say, a TV manufacturer established in the EU, or a TV manufacturer who is established outside the EU but who collects voice data of users in the EU via voice recognition functionality on a connected TV.

In the context of a connected TV manufacturer, the data controller would need to ensure that any processing of voice data is “legitimate”, typically via the consent of its users.

The issue of what constitutes valid consent is a particularly complex area, with different views across the EU as to what it means and how it is obtained. However, it is questionable whether consent would be deemed valid if a notice that “voice data will be collected by a TV manufacturer when voice recognition functionality is enabled” was buried in a privacy policy, for example.

Further obligations on a TV manufacturer include the obligation to process the voice data only for the specified purposes for which it was collected and not to keep it for any longer than is necessary to fulfil those purposes.

The identity of the controller, the purposes of the processing, the recipients of the data (if any), the existence of the rights of a user to access their data, and so on, should also all be set out in a clear and comprehensive manner in the data controller’s privacy policy and the controller should ensure it has the consents to process data it believes it has before any collection or processing takes place.


In terms of sanctions for data breaches, there has been a recent push for more aggressive fine levels and enforcement in the EU as a result of too many companies taking a half-hearted approach to data protection compliance, a view expressed by the enforcers across Europe.

Expected over the coming months is a new Data Protection Regulation for the EU which will replace the existing Data Protection Directive and usher in sweeping changes with proposals to beef up and alter the current regime.

A key part of the Regulation is larger fines: fines of 2% to 5% of global turnover, or up to 100 million Euros, have been proposed for data protection breaches. Fines for serious breaches have already increased significantly in the UK in recent years (companies in breach can be fined up to £500,000).

There is also an increasing trend in EU countries to permit privacy claims via the courts even where no financial loss has occurred, significantly broadening the circumstances in which data protection litigation can be brought and damages awarded.

Privacy by design

Companies manufacturing IoT devices and providing smart services need to be thinking about “privacy by design”, which has been a key mantra coming out of Europe for some time now.

Essentially, companies must now demonstrate that they are taking data protection seriously at the design and implementation stage.

In practice, it is necessary to perform security assessments on systems and services as a whole, in addition to training staff and having policies in place dealing with key issues such as data handling, data access for users, breach notification and so on.

In drafting or reviewing policies and procedures, organisations should be mindful of the likely changes being introduced by the new Regulation (e.g. those relating to breach notification obligations) and the latest sanctions position for breaches.

Whilst well-drafted, user-facing privacy policies can help, far greater levels of transparency about data processing are also necessary, along with clearly signposted opt-outs and user controls. When investigating a violation, enforcers are unlikely to have much sympathy for organisations that have taken a lackadaisical approach to compliance.


Rafi Azim-Khan is head, data privacy, Europe, and Steven Farmer is counsel, both at Pillsbury Law
