As we discussed in our previous posts, there are a number of positive trends that make the Internet of Things a long-lasting evolution. Hardware is improving, the industry increasingly understands the benefits that can be drawn from harmonization and interoperability, customers increasingly expect to control appliances, and third and fourth generation communications are making connections between “things” a lot easier. All this is causing an exponential increase in data processing. After all, the Internet of Things is about big data, and how such data are processed remains a cause for concern. Here are the top 10 privacy and data protection concerns.
- Vulnerability – There is often a trade-off between security and efficiency. Despite recent improvements, many devices lack sufficient security. This is also due to the limited battery capacity of certain devices. For instance, most sensors do not establish encrypted links, as encryption would have an impact on low-battery devices.
- Sensitive data inference – Most “things” do not have functions that aggregate raw data, as such functions are normally carried out by third-party applications. As devices become increasingly connected, insignificant raw (or even anonymous) data can be used to infer information with a totally different meaning. It becomes easier to infer data about daily habits and lifestyle (including sensitive health data), even using devices which were designed for totally different purposes.
- Lack of control – IoT is about automated (and immediate) communications. Data pushed by IoT devices may not be adequately reviewed by the data subject prior to dissemination. Data subjects are often not aware of the data being shared with third parties, which may occur not only with intrusive wearable devices but also with other unnoticed appliances.
- Quality of users’ consent – Any consent has to be informed. We thought it was difficult to devise proper consent and information forms for websites using cookies. This may be even more difficult for the Internet of Things, as most IoT devices are not designed to provide information to the users / data subjects. This is particularly the case for devices which do not have a visible screen. Besides the lack of information, it may also not be possible to fine-tune the consent in line with the preferences expressed by the user (it is often not possible to select only limited features or services).
- Intrusive profiling – The number of sensors will increase, and even when only anonymous data are gathered, this will allow a more sophisticated profiling of the data subjects’ habits. This may theoretically lead to an undue influence on people’s behavior (similarly to what happens when they are subject to CCTV screening in public places). Not all devices include a quick and easy-to-use function to disable sensors.
- Repurposing and secondary uses – A significant number of stakeholders are involved in the production and value chain of the Internet of Things, from device manufacturers to data platforms, from application developers to data aggregators etc. This may further lead to the data being shared and used for different purposes without the data subject being aware of it.
- Uncertain legal responsibilities – The combined intervention of stakeholders, including multiple data controllers and co-controllers, may also cause confusion as to who is responsible for what. Certain stakeholders may (wrongly) rely on other stakeholders to perform the duties required by the data protection and privacy laws.
- Continuous publicity – It may become increasingly difficult to remain anonymous or unnoticed. For instance, this may well be the case for wearable devices: when they are left open they could be used to create unique fingerprints and stable identifiers, which could then be used for many purposes.
- IoT culture – IoT developers are still mainly driven by the efficiency of the “things”, with a limited knowledge of the privacy and data protection risks. Whilst this may be acceptable in a start-up phase, it is less so in an increasingly mature market. Sometimes data are collected even if not strictly necessary, in case they are of use in the future. Effective privacy and data protection is still not perceived as an effective market differentiator.
- Jurisdiction creep – Last but not least, devices placed in other countries may also attract the data protection and security regulations applicable in such other countries. Under Directive 2002/58/EC an operator which is not established in the EU may well be subject to EU law if it processes data collected through the “equipment” of users located in the EU (thus also including wearable and quantified-self technologies). The same principle is also set out under the Italian data protection code.
It will be interesting to see how the regulators and the various stakeholders involved will address such challenges. In an Internet of Things environment, a simple consent-based regulation will simply not work, so new solutions will have to be devised.