The Internet of Things will generate 9 billion devices by 2018 according to estimates, but the recent hacker attack that caused a fridge to send over 750,000 spam and phishing messages over the Christmas break create concerns as to the potential data protection issues deriving from the usage of such technologies.
At the Salone del Mobile, the Milan Furniture Fair, I have been surprised by a satellite event dedicated to the “Technology For the Kitchen” which shows that our house, our car and our garments might quickly change because of sensors that will be able to collect information about the enviroment where we live as well as our tastes and preferences and often take decisions for us.
Devices such as smart fridges that through barcodes or RFID can recognise products and send notifications on missing products or even send an order to our grocery store for home delivery, Google Latitude Doorbell which sends alarm messages when our partner is 10 minutes away from home so that we can arrange dinner and wearable technologies that can for instance monitor our body conditions and notify the drugs to be taken show the size of the massive change that is occuring around us. And such change is not so far as such technologies are about to become very common.
What immediately appears very clear though is that such technologies are able to collect a very large number of personal data relating to their users, their habits and preferences, where they are located and what they are doing, increasing the number of questions as to the so called BIG DATA and the way such data have to be used and stored not only in order to comply with data protection regulations, but also to avoid that users are monitored 24×7 for the purposes of sending marketing communications and to avoid hacker attacks.
After the decision of the European Court of Justice that deemed invalid the Data Retention Directive since it has been considered to entail
a serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary
what will be be the position of Data protection regulators on the Internet of Things? Also, will users be interested to be “protected” from these devices or mainly attracted by the advantages deriving from their usage? Will we find ourselves in the unusual situation where we shall provide the consent to the processing of personal data when we purchase our household appliances?
Also what is often underestimated is that the mere data protection consent does not allow the data controller to process the collected data for any type of purpose also communicating them to any third party. But on the contrary data protection laws place on entities processing personal data very stringent obligations as to the processing, storage and communication of data to third parties, also prescribing relevant sanctions for the breach of such obligations. The frequent scenario when for instance a US company entering the European market merely translates their foreign data protection notice is likely to become less frequent and entities will understand the need to comply with local data protection laws, also in the light of the € 1 million fine issued against Google in Italy because their data protection notice has been deemed not to be “adequate”.
Likewise the need to protect users from cyber attacks will become more and more a priority. If an hacker can control our house and maybe our entire life accessing to our devices the issue is going to be deemed to be very relevant. And the criminal sanctions already prescribed for the illegal access to information systems might need to be updated in the light of new types of attacks and the new types of devices that can be attacked.
It will be interesting monitoring the development of such products, but privacy and security will certainly be sectors that also companies manufacturing appliances and furnitures shall learn. This is a very interesing topic.