The watchdogs said it is "more likely than not" that such data can be attributed to individuals.
"Internet of things’ sensor data is high in quantity, quality and sensitivity," a declaration (2-page / 87KB PDF) published at the 36th International Privacy Conference last week said. "This means the inferences that can be drawn are much bigger and more sensitive, and identifiability becomes more likely than not. Considering that the identifiability and protection of big data already is a major challenge, it is clear that big data derived from internet of things devices makes this challenge many times larger. Therefore, such data should be regarded and treated as personal data."
The document is not binding on the DPAs that attended the conference, which included regulators from across Europe and Asia Pacific. However, it made clear that businesses that embrace the IoT should consider the data generated by devices to be subject to data protection laws, and therefore collected, processed, stored and disposed of in line with those rules.
"Assuming that all data generated by IoT devices is personal data is too simplistic and unhelpful insofar as it transfers the burden of proof onto data controllers to demonstrate otherwise,” data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said. “A better approach for all would be to undertake a considered analysis of the data generated by IoT devices, including analytics derived from their output, and use that as the basis for the organisation’s privacy strategy."
The declaration said that businesses using connected devices must be "clear" with individuals "about what data they collect, for what purposes and how long this data is retained". Consumers should not experience any "out-of-context surprises" about the way in which their data is processed, it said.
"When purchasing an internet of things device or application, proper, sufficient and understandable information should be provided," the declaration said. "Current privacy policies do not always provide information in a clear, understandable manner. Consent on the basis of such policies can hardly be considered to be informed consent. Companies need a mind shift to ensure privacy policies are no longer primarily about protecting them from litigation."
The declaration outlined the DPA's backing for new technology that accounts for privacy by the way it has been designed. The concepts of 'privacy by design' and 'privacy by default' "should become a key selling point of innovative technologies", it said.
The watchdogs said "local processing" on devices should be encouraged in an effort to minimise data security risks, but that "end-to-end encryption" should be put in place if local processing is not possible to ensure the data passing over a network between devices is not subject to "unwarranted interference and/or tampering".
A separate resolution on 'big data' (3-page / 96KB PDF) was also adopted at the conference. The resolution outlined the watchdogs' support for principles such as data minimisation and called on businesses to give consumers access to "effective tools to control their information".
The DPAs also agreed on a new framework for "increased enforcement cooperation" at the conference.