The Internet of Things: key issues addressed in EU vs US guidance: Interesting read

-

The Internet of Things: EU vs US guidance

In its February 2015 Report on the Internet of Things (IoT), the FTC estimated that there are now 25 billion connected devices worldwide. Another more conservative report by Gartner estimates there will be 2.9 billion connected devices in the consumer sector this year and 5 billion total, and that total will climb to 25 billion by 2020.
Regardless of the accuracy of the numbers, clearly the growth of IoT presents unique challenges because of the sheer variety of “connected devices” – from sprinklers, to fitness trackers, to connected cars – and the data they may collect. It is therefore not surprising that regulators have released privacy and security guidance and frameworks for IoT.
 
In September 2014, the European Commission’s Article 29 Working Party on Data Protection (WP 29 Report) released an Opinion,1 setting forth its interpretation of how EU data protection laws apply to IoT. Six months later, the FTC released a report2 setting forth privacy and security best practices for IoT. This article looks at some of the key issues addressed in each report and highlights key differences.

WP 29 REPT OVERVIEW
 
The WP 29 Report looks at IoT via EU data protection principles, highlighting these concerns for IoT manufacturers, developers and data collectors:
 
Lack of control – Interconnectivity means a greater potential for automatic flow of data among devices (and vendors) without notice to users.
Additional purposes – Interconnectivity also may lead to use of gathered data by third parties for other than the original intent.
Consent – Because users lack full disclosure of data flow, their consent to initial data collection may be inadequate.
Profiling – Fine-grained user monitoring and profiling could result from the type of information collectable from connected devices.
Limiting anonymity – More use of connected devices suggests lower likelihood for maintaining anonymity.
Security – Large volumes of data transferring over connected devices may lead to considerable security risks.
 
WP 29 REPORT RECOMMENDATIONS
 
To address some of these concerns, the WP 29 Report recommends that IoT manufacturers, developers and data collectors:
  • Conduct a privacy impact assessment before releasing a device.
  • Delete raw data from the device as soon as it has been extracted.
  • Follow privacy-by-design and privacy-by-default principles.
  • In a user-friendly way, provide a privacy notice, and obtain consent or offer the right to refuse.
  • Design devices to inform both users and people interacting with them (e.g., people being recorded by a camera in a wearable technology) of the data processing by the entity providing the device.
  • Inform users of data that has been collected and enable them to access, review and edit that data before it is transferred.
  • Give users granular choices on the type of processing as well as time and frequency of data gathering. 
These principles apply whenever a connected device is used in the EU, even if the device did not originate in the EU. While the WP 29 Report is not binding law, it is persuasive to EU regulators, when deciding how to apply data protection law to the IoT. Once the new EU Data Protection Regulation takes effect, fines for violations of EU data protection law could be up to 5 percent of global turnover for a company. Thus, flouting the WP 29 Report principles, which are considered persuasive authority on the interpretation of EU data protection law, could result in very significant fines. 
FTC REPORT OVERVIEW
The FTC Report focuses on “security” and “privacy” risks raised by participants in its IoT workshop: 
Security: Harm to consumers from unauthorized access and misuse of personal information, attacks on other systems and safety risks:
  • Remote access to smart meters could enable thieves to determine when a house is empty, leaving it susceptible to robbery.
  • A connected device could be used to gain control of a consumer’s internal network and in turn, attack a third-party system.
  • Remote access to stored financial data could enable fraud.
Privacy: The FTC Report also highlighted privacy-related concerns over the collection of sensitive information (geolocation, financial and health data), the sheer volume of data collected and the potential for misuse.
FTC BEST PRACTICES
 
Like the WP 29 Report, the FTC Report recommends best practices to IoT manufacturers, developers and data collectors, focusing on: 
Data security – The FTC recommends that device manufacturers adopt a privacy-by-design approach, including a privacy and security risk assessment made prior to release, use of “smart defaults” (e.g., forcing changes to default device passwords) and security and access control measures, and monitoring throughout the device’s life cycle. 
Data minimization – While endorsing the necessity to limit collection and retention of users’ data, the FTC calls for a “flexible approach,” urging companies to “develop policies and practices that impose reasonable limits on the collection and retention of consumer data.” 
Notice and choice – The FTC recognizes notice and choice play a “pivotal role,” but – in contrast to the WP 29 view – acknowledges that notice and choice are not always necessary. Instead, the FTC calls for notice and choice where sensitive data is collected or where there is unexpected collection or sharing.
THE COMING DEBATE
 
While there are some similarities in these recommendations, overall the WP 29 takes a more conservative approach and the FTC Report uses a more flexible approach. As the IoT environment evolves, the main debate will focus on how to adapt privacy and security laws to protect individuals without hindering IoT’s growth, while fostering the huge potential of this market.
1 Opinion 8/2014 on the on Recent Developments on the Internet of Things, available here.
2 See this page.
[View source.]

Reference:http://www.jdsupra.com/legalnews/the-internet-of-things-eu-vs-us-guidance-77569?utm_content=bufferebda2&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Comments

Post a Comment

Please share your valuable comments and thoughts on this article. Thanks!

Popular posts from this blog

Responding to Software Review Audits- Good tips on how to handle audit requests and settlements

-
Image
Managing Audits to Prevent Unauthorized Disclosures by Technology Teams by Keli Johnson Swan in Blogs , Software Audits Disputes involving software usage are on the rise for businesses of all sizes. In some cases, technical teams respond to a software publisher’s or a third party’s audit request and provide significant amounts of data without notifying anyone on the corporate governance or the legal teams.  It is critical for those teams to evaluate the publisher’s legal ability to audit, and to identify the data the publisher is entitled to request. It is not uncommon for the legal team to discover the existence of a software audit or license verification after the company has received a demand for damages arising from alleged over-usage of software. Often, employees responding to an audit request do not understand the request and provide inaccurate or incomplete information. Once this information is disclosed, it can expose the business to a damages cla
Read more

"What is the right thing to do?" What's The Difference Between Compliance And Ethics?

-
Image
  What's The Difference Between Compliance And Ethics? Bruce Weinstein, Ph.D. Contributor Customized ethics keynotes, training, and online courses for CE credit May 9, 2019, 01:19pm EDT  TWEET THIS High-character leaders ask, "What is required of me?" but they don't leave it at that. Ethical leaders also ask, "What is the right thing to do? How would an honorable person behave in this situation?" I've noticed some confusion about the roles that ethics and compliance play in organizations. This confusion arises, in part, from the way these two fields are identified. Some companies have only a compliance department. Others have a compliance  and  ethics (or ethics and compliance) department. Some companies have a Chief Ethics Officer separate from compliance. To get some clarity on these crucial roles, I asked seven leaders who are involved in both ethics and compliance to explain the similarities and differences as they saw them. I'll present their vi
Read more

Influencers in the workplace: Can promotional work on social media be regarded as moonlighting?

-
Image
  Lawtons Africa Jun 9, 2023 4 min read Influencers in the workplace: Can promotional work on social media be regarded as moonlighting? Author: Andile Mphale– Candidate Attorney Supervised by: Lavery Modise– Consultant https://www.lawtonsafrica.com/post/influencers-in-the-workplace-can-promotional-work-on-social-media-be-regarded-as-moonlighting The use of social media has many benefits; one of them being the creation of work and income opportunities, such as doing promotional work on social media. Promotional work on social media has also given rise to the term “influencer”. An influencer is someone with a substantial following or a notable online presence, who can influence potential consumers into purchasing a product or service through social media endorsements or recommendations and receive a reward for that. There are influencers who do promotional work on social media on a full-time basis and make a living from it. There are also influencers who do promotional work on social med
Read more