How do we regulate privacy in the Internet of Things?

Next Generation Privacy: The Internet of Things, Data Exhaust, and Reforming

In the current age of connectivity, technologies collect more information than most people are aware of. Devices capture everyday movements and actions, often without the knowledge of those being observed, and these seemingly discrete data can be combined in a way that makes anonymity a myth. The location capabilities of smartphones and other GPS devices are well known, but we seldom consider what library books, smart meters, and traffic cameras reveal about personal life. This data flows internationally, and information has become highly valuable in industry.

Cunningham posits that privacy legislation has not kept pace with the circumstances created by new technologies; as a result, people and their privacy are left unprotected. In the current paradigm, legislation presumes to control how information is collected: what sort of information, and by whom. The example used to illustrate this point is Directive 95/46/EC of the European Parliament (the Directive) and the 2014 Regulatory Amendment. The EU Directive relies on a broad definition of personal information and requires consent from an individual before it is permissible to collect their personal information; the Directive doesn’t even broach the phenomenon of data collected without the individual’s knowledge. With the threat of exclusion from EU markets for noncompliance, the Directive restricts transfer of personal information to only those entities that comply. The international reach of the legislation is a strength. However, the Directive includes some innocuous information and harmless purposes while leaving notable gaps; for example, exceptions can be made for national security, permitting national governments to collect and use personal information seemingly without limits. Further, a safe harbour provision sets a lower standard for compliance by US firms, one that is voluntary and largely unenforced. As privacy legislation for the current context, the EU Directive is “at once fatally over-inclusive and under-inclusive.”

The experience of the EU Directive suggests an alternative approach to regulation. Given the extent of passive information collection, the requirement for individuals to consent is impractical; so too are limits on the myriad forms of data collection. Legislation should be based instead on limiting the potential risk of harm from the use of data. In this paradigm, use of data would be considered in context for the likelihood and severity of impact on the individual. Implementation would be incremental, starting with the greatest risk or known violators.

It is important to recognize that, when combined, even the most trivial data can be personal. Widespread collection of that personal information – without consent – is probably here to stay. Instead of scrambling to control collection, the rules that protect personal privacy should focus on reducing harms from the use of that information. This risk management approach could be used both in legislation and in corporate policies on information

Focusing on the harm of a privacy breach is a better guide for regulation of data flows in the Internet of Things.