I’ve written before about the “Internet of Things,” which is a computerized network of physical objects. In IoT, sensors and data storage devices embedded in objects interact with Web services. (For more on privacy and the IoT, see a Center for Democracy and Technology report that I consulted on and contributed to, “Building the Digital Out-Of-Home Privacy Infrastructure.”) In an opinion piece for the Telegraph, Stephen Ollerenshaw, director at Technology Law Alliance, discusses privacy and security questions that can arise with such a networked system:
Even the most relaxed internet user is becoming concerned about what a completely interconnected world, where everyday machines communicate with each other, will mean for their personal security. As if to confirm that this is part of the zeitgeist, a new stage play called ‘Privacy’ by James Graham has recently opened in London, during which the audience is invited to share information using their smartphones, leading to some startling revelations about their personal lives and the digital footprint they have unwittingly left. […]
The stakes are high, with the risk of reputational damage and fines from the regulator increasing. In 2011, Sony found itself in breach of data protection laws when its PlayStation Network was hacked making public a host of customer information. The company was fined £250,000 for failing to do enough to protect personal data and its reputation was knocked as a result. […]
The first challenge manufacturers need to think about is whether their product processes ‘personal data’, i.e. information that can identify an individual. This is not as easy as it appears because this includes data that when combined with other information can identify someone. For example, a product using a static IP address sending data to a remote server is probably not processing personal data. Once this product starts connecting to other products and services that in combination can identify an individual, the data becomes subject to the legislation.
In the UK the main impact of this is a requirement to comply with the Data Protection Act and its eight key principles. These include requiring that the data is processed fairly and lawfully and is only used for the original purpose it was obtained. The data should also be kept secure and should not be transferred outside the European Economic Area unless there is adequate protection given to any personal data. If the connected device is collecting sensitive personal data, such as medical information, then the rules are even more stringent.
In addition to the Data Protection Act, companies need to be aware of the Privacy and Electronic Communications Regulations which establish additional provisions in relation to marketing and advertising by electronic means. The key issue here is the need to obtain clear and specific consent for marketing communications, for example through the use of a ‘tick box’.