Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy Commissioners reveal the hidden risks of the Internet of Things

A global sweep of Internet of Things products has revealed that 71 per cent of devices and services used by Australians did not provide a privacy policy and notices to adequately explain how personal information is collected, used and dis closed.

The results have been released by the Australian Privacy Commissioner, and fellow international regulators, through the Global Privacy Enforcement Network (GPEN).

Internet of Things technology is built into all kinds of services like movie streaming, fitness trackers, home appliances and children’s toys. But the seamless nature of how these devices collect, store and share user information means that customers are not always fully aware of the privacy risks.

Accordingly, the 26 privacy enforcement authorities that make up GPEN examined the privacy policies of over 300 businesses around the world, including 45 used by Australian consumers every day.

The Australian report found that:

  • 71 per cent failed to properly explain how information was stored
  • 69 per cent did not adequately explain how customers could delete their information off the device
  • 38 per cent failed to include easily identifiable contact details if customers had privacy concerns
  • 91 per cent did not advise customers to customise their privacy settings.

Australian Privacy Commissioner, Timothy Pilgrim, found that the Australian businesses assessed as part of the sweep generally lacked clear information for customers about how their personal information was being managed — with more than half failing to adequately explain how personal information was collected, used and disclosed.

‘The Internet of Things allows for some great products and entertainment, but many of us have adopted this technology into our everyday lives without considering how much of our personal information is being captured or what happens to that information.

‘Remember, for an Internet of Things device to work for you it needs to know about you, so you should know what information is being collected and where it is going.

‘I encourage all Australians to look for privacy policies before you decide to use a device, and ensure you are comfortable with what information is being collected and how it is being managed.’

The Commissioner said that the majority of the businesses reviewed in the sweep could benefit from better explaining their information handling practices to customers.

The Commissioner’s office is working with businesses and start-ups to help them better understand their privacy obligations, and creating a range of educational materials on developing and implementing best privacy practices.

‘This year’s GPEN sweep has reinforced how important it is for businesses, particularly start-ups, to implement a ‘privacy-by-design’ approach, where strong privacy frameworks and communications are implemented from the beginning.

‘Strong privacy protections and clear explanations for how personal information is managed helps build consumer trust. It also avoids the costly exercise of building these privacy frameworks later on, most often after something has already gone wrong.’

For further information, please visit www.oaic.gov.au or follow @OAICgov.

– ENDS –

Media contact: Ms Alison Wares           0407 663 968           media@oaic.gov.au

Background information

Global and Australian sweep highlights

  • Participating data protection authorities: 25
  • Devices/businesses: 314
  • Devices/businesses examined by the Office of the Australian Information Commissioner (OAIC): 45

Australian sweep highlights

Collection, use and disclosure of data
  • Generally, privacy policies were not specific to devices. In its sweep, the OAIC found that 71 per cent of devices and services used by Australians did not provide a privacy policy and notice that adequately explains how personal information is collected, used and disclosed.
  • The OAIC found that 27 per cent of businesses did not indicate whether personal information would be shared with third parties.
  • The OAIC found that some organisations did not make it clear what information would be collected. It was unclear whether a user name, address, phone number, date of birth, phone or browsing history in over a third of the businesses whose privacy communications were looked into.
Storage of data
  • 44 per cent of the devices that the OAIC looked into did not inform users about how their personal information was being safeguarded and what measures were taken to prevent unauthorised access.
Contact details
  • The OAIC found that 38 per cent of organisations did not provide a clear means of contacting them to address privacy concerns.
Deletion of data
  • The OAIC found that 89 per cent of the organisations they looked at did not clearly indicate whether there were tools a user could access to delete personal information off the device so they can resell the device.
  • The OAIC found that about 93 per cent of devices did not clearly tell users if or how they could delete information remotely if their device is lost or stolen.

Global sweep highlights

Collection, use and disclosure of data
  • Sweepers indicated that 60 per cent of devices/companies failed to adequately explain to customers how their personal information was collected, used and disclosed
  • Over 50 per cent of devices in the sweep collected a user’s date of birth, location, address, phone number or a unique device identifier. Over 80 per cent collected a user’s names or email.
Storage of data
  • 68 per cent of devices were felt to not adequately explain to customers how information collected by their device is stored
  • 68 per cent of companies were also unclear on whether data was stored in an encrypted form
  • 49 per cent of devices were felt to not adequately inform users of data protection safeguards.
Contact details
  • The global sweep indicated that 38 per cent of devices failed to provide easily identifiable contact details which customers could use if they had privacy concerns
Deletion of data
  • The global sweep found that about 72 per cent of businesses did not clearly explain how a user could delete their personal data from the device or app.
Examples of good privacy communications for IoT devices:
  • It was encouraging to see that generally organisation provided some privacy information; however, a privacy policy specific to IoT devices can be more informative for users. A selection number of businesses did have specific privacy policy for their IoT device.
  • Many privacy policies were clear, concise and written in plain language.
  • Some businesses (less than 10 per cent of those looked at by the OAIC) told users to change their default privacy settings.
  • The majority of businesses (73 per cent) looked over by the OAIC clearly informed users about whether their information would be shared with third parties.
  • Most of the businesses reviewed by the OAIC (62 per cent) had contact details in place that customers could use to ask questions about privacy.
Examples of privacy communication practices that require improvement:

Sweep participants identified a number of practices which must be improved to ensure businesses are implementing best privacy practice. These practices include:

  • Generic privacy policies.
  • Providing vague information in privacy policies about the data which may be collected, rather than listing what will be collected.
  • Not recognising that ‘personal information’ may include health information such as the steps taken or the amount of calories burnt, where it is attributed to an identified individual.
  • Not advising users that they can customise the default settings of the device.
  • Collecting personal information which is not required by the organisation (for example, a health device which collects location information without explaining why this information is required).
  • Failing to clearly explain how personal information is stored and safeguarded.
  • Failing to clearly outline how users might delete personal information from the device.

Global Privacy Enforcement Network (GPEN) sweep

The GPEN was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market, where commerce and consumer activity relies on the flow of personal information across borders. Its members seek to work together to strengthen privacy protections globally. The network is comprised of 57 privacy enforcement authorities in 43 jurisdictions around the world.

Dates of the sweep: 11-15 April, 2016

Number of privacy enforcement authorities (PEAs) involved: 26

The GPEN sweep is not an in-depth analysis or an investigation into the privacy practices of each organisation that was included in the sweep. The sweep is an exercise that replicates the consumer experiences by spending time checking an organisation’s performance against set criteria that is shared by the PEAs involved.

The sweep was not intended to conclusively identify compliance issues or legislative breaches. The GPEN initiative encourages organisations to comply with privacy legislation by identifying areas where organisations may improve their privacy practice, and enhances co-operation between PEAs.

About the OAIC

The Office of the Australian Information Commissioner (OAIC) has a range of regulatory responsibilities and powers under the Privacy Act 1988, Freedom of Information Act 1982 and other legislation. The OAIC is headed by Timothy Pilgrim who is the Australian Privacy Commissioner and Acting Australian Information Commissioner. Commissioner Pilgrim is supported by the Assistant Commissioner, Regulation & Strategy and the Assistant Commissioner, Dispute Resolution, and OAIC staff.