In its February 2015 Report on the Internet of Things (IoT), the FTC estimated that there are now 25 billion connected devices worldwide. Another more conservative report by Gartner estimates there will be 2.9 billion connected devices in the consumer sector this year and 5 billion total, and that total will climb to 25 billion by 2020.
Regardless of the accuracy of the numbers, clearly the growth of IoT presents unique challenges because of the sheer variety of “connected devices” – from sprinklers, to fitness trackers, to connected cars – and the data they may collect. It is therefore not surprising that regulators have released privacy and security guidance and frameworks for IoT.
In September 2014, the European Commission’s Article 29 Working Party on Data Protection (WP 29 Report) released an Opinion,1 setting forth its interpretation of how EU data protection laws apply to IoT. Six months later, the FTC released a report2 setting forth privacy and security best practices for IoT. This article looks at some of the key issues addressed in each report and highlights key differences.
WP 29 REPT OVERVIEW
The WP 29 Report looks at IoT via EU data protection principles, highlighting these concerns for IoT manufacturers, developers and data collectors:
Lack of control – Interconnectivity means a greater potential for automatic flow of data among devices (and vendors) without notice to users.
Additional purposes – Interconnectivity also may lead to use of gathered data by third parties for other than the original intent.
Consent – Because users lack full disclosure of data flow, their consent to initial data collection may be inadequate.
Profiling – Fine-grained user monitoring and profiling could result from the type of information collectable from connected devices.
Limiting anonymity – More use of connected devices suggests lower likelihood for maintaining anonymity.
Security – Large volumes of data transferring over connected devices may lead to considerable security risks.
WP 29 REPORT RECOMMENDATIONS
To address some of these concerns, the WP 29 Report recommends that IoT manufacturers, developers and data collectors:
Conduct a privacy impact assessment before releasing a device.
Delete raw data from the device as soon as it has been extracted.
Follow privacy-by-design and privacy-by-default principles.
In a user-friendly way, provide a privacy notice, and obtain consent or offer the right to refuse.
Design devices to inform both users and people interacting with them (e.g., people being recorded by a camera in a wearable technology) of the data processing by the entity providing the device.
Inform users of data that has been collected and enable them to access, review and edit that data before it is transferred.
Give users granular choices on the type of processing as well as time and frequency of data gathering.
These principles apply whenever a connected device is used in the EU, even if the device did not originate in the EU. While the WP 29 Report is not binding law, it is persuasive to EU regulators, when deciding how to apply data protection law to the IoT. Once the new EU Data Protection Regulation takes effect, fines for violations of EU data protection law could be up to 5 percent of global turnover for a company. Thus, flouting the WP 29 Report principles, which are considered persuasive authority on the interpretation of EU data protection law, could result in very significant fines.
FTC REPORT OVERVIEW
The FTC Report focuses on “security” and “privacy” risks raised by participants in its IoT workshop:
Security: Harm to consumers from unauthorized access and misuse of personal information, attacks on other systems and safety risks:
Remote access to smart meters could enable thieves to determine when a house is empty, leaving it susceptible to robbery.
A connected device could be used to gain control of a consumer’s internal network and in turn, attack a third-party system.
Remote access to stored financial data could enable fraud.
Privacy: The FTC Report also highlighted privacy-related concerns over the collection of sensitive information (geolocation, financial and health data), the sheer volume of data collected and the potential for misuse.
FTC BEST PRACTICES
Like the WP 29 Report, the FTC Report recommends best practices to IoT manufacturers, developers and data collectors, focusing on:
Data security – The FTC recommends that device manufacturers adopt a privacy-by-design approach, including a privacy and security risk assessment made prior to release, use of “smart defaults” (e.g., forcing changes to default device passwords) and security and access control measures, and monitoring throughout the device’s life cycle.
Data minimization – While endorsing the necessity to limit collection and retention of users’ data, the FTC calls for a “flexible approach,” urging companies to “develop policies and practices that impose reasonable limits on the collection and retention of consumer data.”
Notice and choice – The FTC recognizes notice and choice play a “pivotal role,” but – in contrast to the WP 29 view – acknowledges that notice and choice are not always necessary. Instead, the FTC calls for notice and choice where sensitive data is collected or where there is unexpected collection or sharing.
THE COMING DEBATE
While there are some similarities in these recommendations, overall the WP 29 takes a more conservative approach and the FTC Report uses a more flexible approach. As the IoT environment evolves, the main debate will focus on how to adapt privacy and security laws to protect individuals without hindering IoT’s growth, while fostering the huge potential of this market.
1 Opinion 8/2014 on the on Recent Developments on the Internet of Things, available here.
2 See this page.