The ‘Internet of Things’ (or IoT, which we have written about before) is generating fresh interest among legislators and regulatory authorities on both sides of the border. Recent initiatives in both the United States and Canada are likely to bring renewed political attention to the transformative potential of this technology space, particularly for its use in private enterprise and the delivery of public services. At the same time, these developments also raise significant questions about the inherent privacy, security, and consumer protection issues underlying the IoT’s rapidly growing network of interconnected objects and data sources.
U.S. Developments on the Internet of Things
Last week, the U.S. Senate’s Commerce, Science, and Transportation Committee considered the bipartisan bill S. 2607, the Developing Innovation and Growing the Internet of Things Act (or, DIGIT). The bill is scant on specifics with respect to the regulation of the IoT, and instead puts in place a process to consult with industry, technology, consumer, and business stakeholders to develop frameworks for the emerging space. The bill effectively uses a commission-style approach to inform Congress of the best way lawmakers can help stimulate the IoT. Under the bill, a working group will be convened that will ultimately submit a report that includes an analysis of the IoT spectrum’s needs, budgetary challenges, consumer protections, privacy and security matters, and the current use of the technology by government agencies.
Proponents of DIGIT point to the need to develop proactive policies to support the growth of these technologies – such as those policies that facilitated the rapid expansion and adoption of the Internet by citizens and the public and private sectors. The bill is expected to pass out of the Committee with bipartisan support.
DIGIT resembles a recent call for public input from the U.S. Department of Commerce’s National Telecommunications & Information Administration (NTIA) – a process which may play out concurrently if the bill passes. On April 5, the NTIA posted a Request for Comment on potential policy issues with the IoT, and specifically, on what role the government ought to play in this area.
After analyzing the comments it receives, the NTIA intends to issue a ‘green paper’ that “identifies key issues impacting the deployment of these technologies, highlights potential benefits and challenges, and identifies possible roles for the federal government in fostering the advancement of IoT technologies in partnership with the private sector.”
Similar to DIGIT, the NTIA consultation appears to be aimed primarily at putting in place conditions that will help foster the growth, public, and commercial benefit of the IoT. That said, the detailed Request for Comment paper identifies that the IoT raises issues with respect to privacy, and points to recent examples involving the connection of cars and medical devices to the Internet. On this point, the NTIA references the Federal Trade Commission’s proposals on privacy and cybersecurity with respect to the IoT.
The deadline for filing comments with the NTIA is May 23, 2016.
Canada’s Privacy Commissioner Discusses IoT Privacy Issues
In contrast to these U.S. policymakers’ focus on developing an ecosystem for the commercialization, use, and expansion of the IoT, Canadian discussion of the IoT remains largely confined to the realm of the nation’s privacy regulators. The most recent report of observations and concerns related to the IoT was published by Canada’s Privacy Commissioner in February 2016.
The research paper, billed as An introduction to privacy issues with a focus on the retail and home environments, is intended to help Canadians understand “how their privacy will be affected by the online networking of uniquely identified, everyday objects”. The paper aptly focuses on the impact the IoT will have on individual consumers, canvassing privacy-related issues such as customer profiling; accountability and transparency; the ethics of data collection, access and correction rights; and the challenges of device and information security.
The Privacy Commissioner concludes that technological developments with respect to the IoT has not been matched by an equivalent improvement in the existing privacy governance models. The Commissioner’s report is not a call for public input, but similar to the American initiatives, it raises more questions about the future of IoT regulation than it answers. The report concludes that limited information or considerations have taken shape concerning the privacy implications of having a large amount of data points collected, aggregated across devices, and analyzed by device owners and third parties unknown to the individual user.
Underscoring its engagement with IoT issues, the Privacy Commissioner announced that it will participate in a coordinated online audit to analyze the impact of everyday connected devices on privacy. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world, and will target three categories of connected devices:
- home IoT devices (e.g connected camera systems);
- health connected devices (e.g. connected scales, glucometers, etc. intended to collect health-related data); and
- connected devices for well-being (e.g. connected watches and bracelets that can collect geolocation data, count footsteps, or analyze sleep quality).
The aim will be to verify the quality of the information provided to users, the level of security of the data flows, and the degree of user empowerment (e.g., user’s consent, etc.).
Takeaways for Canadian Organizations
The extent of any new regulations and policies designed for the specific issues raised by the IoT remains to be seen. Consultation and study exercises on both sides of the border are seeking to reconcile the need to support the IoT’s development (and the benefits to consumers and service users), while reasonably harnessing the risk of its intrusions. The level of interconnectivity facilitated by the IoT is not only a disruptive force for business, public, and convenience services, but necessitates the risk of single-point vulnerability for users and systems.
As these initiatives evolve into new policies and regulations, organizations will need to adapt their existing privacy standards and protocols to align with IoT rules and requirements. Moreover, present industry-established frameworks may not align with either the existing general standards or new IoT requirements. Organizations should be mindful of lawmakers’ concerns to ensure that their use of data captured through the IoT technologies remains consistent with legal standards in the jurisdictions in which they operate.
As organizations enter the IoT space with their products and services, the importance of establishing a privacy management program to stay up to speed on legal developments can help to ensure that IoT participants integrate compliance requirements in a meaningful and systematic way.