“When your yogurt pots start talking to you”. Do you remember? This was the start of a call for action from the European Commission on the Internet of Things back in 2009.
A lot has changed since 2009: (i) there is little doubt about the relevance of IoT (an estimated 25 billion connected devices by the end of this year – see here on encouraging trends); and (ii) about the role that can be played by regulators in fostering the growth of IoT-related businesses (whilst some regulators have already taken action, more is expected in the near future).
Very recently, the national authorities in the United States, United Kingdom and Italy addressed concerns and proposed certain best practices.
FTC – In the US, the Federal Trade Commission (“FTC”) issued a report on “Internet of Things – Privacy and Security in a Connected World”, with best practices on:
- Data Security – FTC recommended a privacy by design approach, including a privacy risk assessment to be made at the outset, adequate training, oversight of reliable service providers, implementation of security and access control measures and product monitoring through the life cycle;
- Data Minimization – FTC endorsed the need to limit the collection and retention of users’ data;
- Notice and Choice – FTC recognized a “pivotal role” for consumer choice, although providing choices for every instance of data collection would not be necessary.
OFCOM – In the UK, OFCOM issued a report on “Promoting Investment and Innovation on the Internet of Things”, addressing certain areas of concern, namely:
- Spectrum Availability – Although there have already been initiatives for making available frequencies and liberalizing mobile licenses for existing mobile bands, OFCOM recognized that there may well be a need for additional spectrum in the longer term;
- Data Privacy (and User Literacy) – OFCOM acknowledged that the existing legislation already regulates the collection and use of information identifying individuals; however, “it will be critical to set up a common framework that allows consumers to easily and transparently grant consent to data processing”;
- Network Security and Resilience – OFCOM acknowledged growing demands on network resilience, which will require working with regulators in other sectors;
- Telephone Numbering and Address Management – OFCOM concluded that telephone numbers are unlikely to be required. Most IoT services will instead use bespoke addressing systems or the IPv6 connectivity standard which will be monitored by OFCOM.
AGCOM – In Italy, the Autorità per le garanzie nelle comunicazioni (“AGCOM”) also launched a consultation (see here) on Machine to Machine (“M2M”) communications (with a final report yet to be published), with a view to:
- Spectrum, Interoperability and other issues – Analyse the factors that may influence the development of M2M services and the interaction between the various stakeholders in the market, also assessing the development projections and the various ways for exploiting M2M services;
- Regulatory Barriers and Co-ordination – Pinpoint the main regulatory barriers to any further M2M development (e.g. numbering and roaming regulations), also identifying the areas for which it would be appropriate to set up coordination with the other (national and international) authorities.
EU Approach? – The national authorities may still not be able to grasp the “essence” of IoT regulation, which is by definition multi-sectorial and multi-territorial. Joint co-operation between the various authorities will certainly help, and in this sense OFCOM’s and AGCOM’s efforts to identify areas of co-operation with other national authorities (data protection authorities – see here on the main data protection concerns for IoT – and the sector regulators for transport, energy etc.) are very welcome.
The most crucial point remains how to address the multi-jurisdictional elements of IoT, in respect of which there is still no homogeneous approach to the basic principles. Whilst the FTC takes an approach similar to the EU’s on data security and minimization, there is still some distance on other fundamental elements. For instance, according to the FTC, “if a company collects a consumer’s data and de-identifies that data immediately and effectively, it need not offer choices to consumers about this collection”. Certain more conservative European regulators may not share this view.
A common approach is even more fundamental within the European market. As mentioned above, OFCOM underlined the importance of a common framework for consent to data processing. However, even within the EU there is still no common approach as to how to concretely implement certain consent provisions. A repetition of the problems already experienced with the different ways in which the same cookie consent provisions were implemented in various jurisdictions should be avoided. As stated in a previous post on cookies (the same principle applies to IoT), excessively stringent regulation should be avoided. This is because, in an increasingly integrated world, strict regulation is not equivalent to the highest level of protection: it may, on the contrary, encourage the transfer of certain businesses to other jurisdictions with a lower level of protection, ultimately resulting in a lower level of protection for the local users’ data, which will continue to be processed by such “transferred” businesses.
One solution would be to promote self-regulatory efforts, which, also according to the FTC, would be helpful for certain industries with a higher level of integration. In any event, from an Italian and European perspective, the EU should play an active role. One of the actions set out by the EU Commission in 2009 was “the gathering of a representative set of European stakeholders to monitor the evolution of the Internet of Things”. This should be upgraded with a higher and more continuous involvement of EU Member States’ representatives.
We are still not having conversations with our yogurt pots (and I may not be looking forward to that), but no doubt these are very exciting times for those interested in IoT regulation.