I recently had the pleasure of participating in a panel session at the SCL Technology Law Futures Conference 2015. My panel was tasked with looking at how humans could control the machines that controlled their homes.
In the world of technology, these machines form part of the Internet of Things, or IoT, and are commonly referred to as IoT devices. Many people already have IoT devices controlling certain aspects of their home, such as smart-meters controlling/monitoring energy consumption. This is but just a drop in the ocean – the current scale of IoT is almost an unknown.
I chose to look at this question from the point of view of data, asking the question: by controlling the data that is generated by IoT devices can we control our homes? My view is that, for so long as we have a choice, we can. As and when (rather than ‘if’) that degree of choice changes, it will very much depend on how alive IoT developers and legislators are to the significant privacy and security concerns that are, and will be, raised by the IoT.
Data Quality and Quantity
The privacy and security of data generated by the IoT will always be fundamental to its success. Data is the lifeblood of the IoT and, with large amounts of data being generated from diverse locations, the potential for cyber-hacking and cyber-spying substantially increases.
The quality and quantity of data collected will be fundamental to the success of IoT devices. Being able to understand and predict user behaviour and/or anticipate user needs will be invaluable but it has to be done without being intrusive, generating data waste or diluting the advantages of an intelligent home.
Smart ecosystems connect and merge IoT devices into a single ecosystem. They not only rely on IoT devices cooperating with each other, but also consumers/users allowing IoT devices to access their information. But what data is collected and why? How will user data be used? Who will it be used/accessed by? Will it be safe? Will it be sold? Will users be able to control their data and who owns the data? These are just a few of the questions that arise.
Data Privacy
What is clear is that companies in the IoT domain can’t collect everything, keep it forever and then worry about privacy and security issues later! Companies, industries and legislators need to get it right. If they don’t, faith in the IoT will be lost and data sharing will not reach its potential.
And true to form, there is no one size fits all approach to the IoT. Informed user consent to data collection versus limited user time and technical knowledge must be considered. Furthermore, IoT devices could be collecting data about more than one person.
What is clear is that data privacy and security laws have not caught up with the speed at which the IoT, or indeed technology, is developing. This is a global problem not just domestic, and challenges are faced by all stakeholders – from manufacturers and apps developers through to consumers and legislators.
Also don’t assume you just have to consider UK data protection laws. Personal data could be transferred within and outside the EEA.
Personal Data
If data being generated by an IoT device contains information that directly or indirectly identifies, or is reasonably likely to identify, an individual then it will be regarded as personal data for the purposes of Data Protection Act 1998.
But not all IoT devices will generate personal data. For example, ‘personal’ electronic devices like smartphones collect and process information about users (eg location data). The company collecting and using the information is the data controller and subject to the Data Protection Act 1998. On the other hand, less ‘personal’ devices like washing machines collect and process information about all members of a household’s use without identifying these individually, raising questions about whether the data collected is personal data.
Any processing of personal data must be fair and lawful. So, users must be told about the purpose of any processing of personal data. This will pose a problem for IoT devices which have limited or no physical user interface with which users can interact. In such circumstances, greater reliance would have to be placed on hard-copy instruction manuals, sales and marketing materials etc.
But there is always likely to be a mismatch between what a user understands they are buying and how an IoT device behaves. This will make transparency much more of a challenge.
If privacy concerns/issues were taken into consideration at the earliest stages of design – privacy by design – issues such as data minimisation, data accuracy and data retention periods would be better addressed.
What is clear is that both the ICO and the Article 29 Working Party recommend that manufacturers perform an IoT privacy impact assessment before they launch any new IoT devices.
Security Measures
As mentioned above, security is fundamental to the success of IoT. It is for that reason, and also because it is required under the Data Protection Act 1998, that appropriate technical and organisational measures are put in place to protect against unlawful or unauthorised data processing and accidental loss or destruction of personal data.
Not only do IoT devices present new entry points for attackers, they also become less secure if adequate software update procedures are not put in place. If there is a flaw in an IoT devices’ software, it might not be clear who is responsible for fixing it or how to apply the fix.
The Future
Over time you will start getting IoT devices that are trusted and those that are not.
New data protection laws will go some way to addressing concerns posed by modern technology but it is highly likely that further legislation will be needed for IoT-specific technology, such as mobile health apps.
Ofcom is taking steps to ensure that the UK plays a leading role in developing IoT. It launched a consultation in 2014 on ‘Promoting investment and innovation in the IoT‘ – and will work with the ICO, UK Government, regulators and industry to explore solutions to data privacy. Ofcom will also investigate how its existing activities on security and resilience of the UK’s communications networks can include the IoT.
The Answer
I do believe that if consumers can control, or have a degree of control over, their IoT data they will be able to control their home – rather than having the IoT device control their home. IoT devices are already being included as standard in new housing developments and this will undoubtedly erode consumer control. But, for the time being, we have a choice as to whether or not we invite these IoT devices into our home. Consumers should be careful about who they put the welcome mat out to – treat IoT devices like strangers and don’t invite them into your home without knowing something about them, checking their credentials and asking questions!
Lisa Downs is a Partner at Rawlison Butler LLP
