Page 108 - Trends in Telecommunication Reform 2016
from the outset of the development process, when it is much more likely to be effective.[110] That said, there is so far little evidence of market demand for privacy-friendly services – partly because of the difficulties individuals have in assessing and weighing up complex privacy risks. And while regulators have been discussing privacy by design for over a decade, the specifics of implementation have been limited so far.[111]

Companies can undertake “privacy impact assessments” when designing IoT systems, to consider how different design options might affect privacy. This can also reduce the risk of expensive delays and system redesigns – as was extensively debated during the development of the Netherlands’ smart meter programme.[112]

A significant amount of work already has been done on security and privacy issues by policy-makers and regulators in the EU and United States. Under the General Data Protection Regulation being debated in the European Parliament and Council of Ministers, there will be stronger regulatory incentives for companies developing systems that process personal data to protect security and privacy by design. The U.S. FTC also suggests that companies follow a “defence in depth” approach. This involves considering security measures at several different points in their systems, such as using access-control measures and encrypting data even when users are making use of encrypted links to home Wi-Fi routers. Of course, this will not protect the data between the router and the company’s servers, or if the router is badly configured.[113]

Privacy is a particularly strong regulatory issue in European countries. A comprehensive legal framework includes the Council of Europe’s European Convention on Human Rights and Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as the EU Charter of Fundamental Rights. This framework has been influential in the development of comprehensive privacy laws now in force in more than 100 countries around the world.[114]

The EU already has a very detailed legal framework regulating the public and private sector’s use of personal data, with a general Data Protection Directive (95/46/EC) relevant to IoT device manufacturers, social media platforms and app developers that access IoT data, and an e-Privacy Directive (2002/58/EC) also relevant to IoT device manufacturers.[115] The European Commission has already sponsored a process to create an RFID privacy code of practice, developed collectively by industry and civil society and approved by the EU’s data protection authorities.[116]

These authorities have issued a detailed opinion on the IoT’s implications for privacy protection. They note that the IoT produces high-volume flows of personal data that could present challenges to traditional data protection regulation. For example, individuals will not necessarily be aware when data is shared or able to review this data before it is sent to other parties, creating a risk of self-exposure and lack of control.[117]

A further privacy issue is the amount of personal information that can be derived from seemingly innocuous sensor data, especially when it is combined with user profiles and data from other sources. As European privacy regulators noted, “Full development of IoT capabilities may put a strain on the current possibilities of anonymous use of services and generally limit the possibility of remaining unnoticed.”[118] Smart meter data, for example, can be surprisingly revealing about individuals’ day-to-day activities, down to the detail of which programmes are being watched on a television.[119] Researchers have found that smart phone sensor data can be used to infer information about users’ personality types, demographics, and health factors such as moods, stress levels, smoking habits, exercise levels and physical activity – even the onset of illnesses such as Parkinson’s disease and bipolar disorder.[120]

This kind of information has obvious positive applications, such as in pricing health insurance. But it can also be used for other decisions related to employment, credit and housing. This could lead to economic discrimination against individuals classified as poor credit or health risks, or potentially to “new forms of racial, gender, or other discrimination against those in protected classes, if Internet of Things data can be used as hidden proxies for such characteristics.”[121]

To protect individuals’ privacy, the FTC has suggested that notice and consent be required when personal data is collected by IoT applications outside the consumer’s reasonable expectation. That expectation should be based on the