The Internet of Things has implications for regulation of data protection.
Over the past decade, the expansion and integration of digital networks has led to an increasingly connected ecosystem of people, devices, and sensors. We’re now familiar with stats like 4.9 billion connected devices in use in 2015 and predictions that this might reach 25 billion by 2020. And it is widely acknowledged that this growth in digital connections has dramatically increased the amount of ‘useful’ data available.
But, while a number of academics, legal experts, and policy practitioners have come together to respond to concerns on privacy, data protection, and transparency, little thought has been given to how business and society will be affected by emerging policies and regulatory frameworks in relation to ‘Internet of Things’ (IoT) markets.
In Europe, a series of Data Protection frameworks and treaties have been on the negotiation tables since 2011. Late last year the necessary agreement between European Parliament and Council was reached, and in just over 2 years reformed regulation will come into force across the Union.
This blog aims to briefly highlight the current debates on data protection policy, and situate them within the broader context of growing IoT markets. In doing this, we pose a couple of broad questions: can privacy regulation keep up with the rapid changes in the technological and software realm? Or are more nuanced and dynamic approaches to data collection, consent, control and use required to strike a balance between data protection and data-driven innovation?
The irresistible force of IoT meets the immovable object of regulation.
Many IoT firms use big data analytics to identify correlations and patterns of behavior that form valuable business insight. And companies are not just using personal data to add value; for example, UPS has been using sensor data from its delivery vehicles to monitor speed, miles per gallon, mileage, number of stops, and engine health, enabling them to improve efficiency of routes, and working practices of drivers.
Although new value is created when big data is brought together or analyzed in new (and sometimes unanticipated) ways, there is a problem when it comes to regulation of this growing and valuable data activity: it conflicts with a central principle of privacy protection whereby individuals consent to the use of their data for explicitly stated purposes.
When data analytics and the increasing connectivity between devices are put together, companies increasingly rely upon implicit consent, aggregation, and anonymization of data to circumvent privacy laws. In the World Economic Forum’s recent report on the Value of Personal Data, we see just how difficult it is to balance the needs of business and the rights of the consumer (or citizen): given the ‘sheer volume of data and the various ways that data is collected and used today, it is, as a practical matter, physically impossible for an individual to consent to all the different data uses.’ Consent at the point of collection proves to be less useful in light of the growing IoT market, pushing privacy and regulatory experts to define new ways of mediating the value of outputs generated by big data analytics. Relatedly, data minimization principles (which require companies to collect only the data they need and for specific uses) are much less relevant in the age of big data.
IoT firms (and the companies that use IoT data) increasingly rely upon big data processes to connect data generated from multiple devices and, in so doing, are able to generate profiles of individual preferences and behaviours with a level of detail and precision that was not possible before. By analyzing metadata or combining datasets, IoT data approaches generate novel information that can be personally identifying, but this processing falls outside the purview of current privacy legislation. Privacy laws could therefore be seen as outdated in their definition of Personally Identifiable Information (PII).
The core of EU legislation on personal data protection was formulated in 1995 and was principally concerned with 1) protecting the individuals’ fundamental right to data protection and 2) guaranteeing the free flow of personal data between EU Member States.
Recently agreed changes to European legislation reflect a commitment to these central principles. Equally, they highlight the difficulty in making provisions for protecting the rights of individuals whilst enabling businesses to freely use data and add value. For example, the legislation broadens the legal definition of “personal information” from that which directly identifies an individual to information that can be traced to an individual. This change signals the need for a reworking of PII given the evolving tech landscape, but this could put up barriers to the types of data that IoT firms can use.
The legislation also places renewed emphasis on consent; individuals must consent to the processing of their personal data for one or more purposes and retain the right to withdraw consent at any point. This means that companies bear the burden of proof with respect to consent and would, more generally, be required to invest much more in data due diligence to comply with EU regulation. However, it also implies that individuals are sufficiently aware of the consequences of their consent, and, in particular, what this means for the way their data can be used.
Building trust in the data ecosystem is a necessary precondition for harnessing the value of data. Given the changes to Europe-wide Data Protection regulation, we recommend the following:
1) To remain competitive, retain customer interest, and build trust, IoT firms should engage creatively in building trust and establishing a reputation of transparency, for example by taking the necessary precautions to ensure that usage of data is consistent with the purposes under which the data was initially collected. This high-level suggestion is exemplified in a recommendation from the Government Office for Science: ‘The Centre for Protection of National Infrastructure (CPNI) and Communications and Electronics Security Group (CESG) should work with industry and international partners to agree best practice security and privacy principles based on “security by default”.’
2) By broadening the definition of what constitutes ‘personal’, the proposed regulation will be expected to put greater checks and balances on the types of data that IoT firms process. IoT businesses should be proactive in recognizing other types of data as personal, for example, IP addresses.
3) IoT firms should carefully reflect on the decisional criteria that form the basis of their analytics to guard against profiling that subsequently affects an individual’s access to jobs or services, for instance.
The explosion of data over the last decade has, in part, been driven by the proliferation of connected devices that are embedded in every aspect of our daily lives. But whilst we, as consumers, may see many benefits to using these devices, there is a secondary market in the data that they produce. Misuse of this highly sensitive data may have malign consequences, but if used responsibly the potential for public benefit is enormous.
This blog has outlined some of the key debates around IoT and data protection, namely the need to strike a balance between data protection and data-driven innovation. We asked: can, or should, privacy regulation keep up with the rapid changes in the technological and software realm? There is no easy answer, but in the short term, businesses must make responsible use of IoT data a core business principle.
Policy makers must think not just about the role of legislation in the data revolution, but also how to equip individuals to self-regulate and thereby place natural checks and balances on data collection and use.