The Unsecure Side of (Meta)Data in IoT Systems

The exponential spreading and deployment of emerging digital
technologies such as the Internet of Things (IoT) has been remarkable: the IoT
market is expected to triple, at least, from USD 170.57 billion in 2017 to USD
561.04 billion by 2022. IoT technologies collect, generate and communicate a huge
amount of different data and metadata, through an increasing number of
interconnected devices and sensors. Current EU legislation on data protection
classifies data into personal and non-personal. The paper aims at charting the
resulting entanglements from an interdisciplinary perspective. The legal analysis,
integrated with a technical perspective, will address firstly the content of IoT
communications, i.e. “data”, and the underlying distinction between personal and
non-personal. Secondly, the focus will shift on the metadata related to
communications. Through a technical analysis of the highly sensitive nature of
metadata, even when the content is encrypted, I will argue that metadata are likely
to undermine even more the ontological and sharp division between personal and
non-personal data upon which the European legal frameworks for privacy and data
protection have been built. The incoming ePrivacy Regulation shall provide
metadata, which should be considered always personal data, the same level of
protection of “content” data. This interpretation might broaden the scope of
application of GDPR and the connected obligations and responsibilities of data
controllers and data processors too much.