According to the Bundeskartellamt’s sector inquiry Smart TVs (PDF) almost all Internet-capable TV sets available in Germany violate the Basic Data Protection Regulation (GDPR). The investigation, which was already launched in December 2017, also identified numerous deficiencies in the IT security of the televisions and documented further problems such as “the legality of advertising on TV portals”. In total, the antitrust authority examined devices of 20 brands.
The objected transparency deficiencies, which could damage the privacy of users, are mainly based on the recording of TV viewing behaviour, app use and surfing and clicking behaviour. However, some of the smart TVs also record biometric data such as voice and individual cursor movements in order to identify individuals.
Data protection options hardly findable
The collected data is used to create personalized profiles, which serve, among other things, to display advertising. In principle the data collection can be deactivated on most smart TVs, but the Bundeskartellamt criticises the fact that this option is active by default on almost all devices and that the deactivation is hidden in several menu levels. Moreover, it is almost impossible to obtain information about the data protection regulations before purchase.
Moreover, the authority criticises the often unclear wording of the data protection conditions, which state, for example, that they “apply to a large number of services and use processes. What exactly is meant by this is difficult for consumers to understand from the information provided. What data is collected, how it is processed and which companies have access to it is also hardly comprehensible for ordinary users.
rare updates and deficiencies in security
Many smart TV producers, including premium segment companies, are also negligent when it comes to IT security, according to the sector inquiry Smart TVs. All companies lack particularly binding information on the runtime of software updates. Consumers can therefore only guess at how long their device will receive updates and can be operated securely online.
The federal authority therefore demands that users be better informed about “the extensive data collection and processing” by devices on the Internet of Things. To this end, the policy is to issue mandatory information that customers can use to obtain information before they buy. According to the authority, data protection standards could, for example, be clarified by means of picture symbols. In addition, a “clear legal entitlement of the consumer to software updates, also vis-à-vis the manufacturer” is to be created to enable a minimum period of use for smart TVs and other devices on the Internet.