Privacy and data security in the IoT ecosystem

Here’s an insight into the impact that IoT may have on laws relating to privacy and data security and the possible solutions in law and industry which will help enable the development of IoT.

IoT devices provide significant benefits to individual consumers across different aspects of their lives. Data and especially personal data (capable of identifying the individual), underpins and delivers most of these benefits. Consequently, the interaction of IoT devices with individuals and their almost unacknowledged but pervasive presence in the daily life and privacy of an individual, would pose ongoing and real-time privacy challenges as well as risks.

Before proceeding to explore the implications of the convergent points of the law on privacy and IoT, an understanding of the stakeholders in a personal information transaction would be helpful. One set of stakeholders in an IoT transaction comprise device manufacturers, data platforms, data aggregators or brokers, application developers, social platforms, etc. Their intervention involves extensive access, use and processing of data, resulting in the device operating in an unobtrusive and seamless manner for the user. Another category of stakeholders are the users. In data protection legal frameworks, such stakeholders possess different designations, based on their attributes. There is the ‘data subject’ (user of the IOT device) who provides the data for availing services and the ‘data controller’ (IOT device manufacturers/service providers) who controls the data and uses it for providing services/functions rendered through the IOT device. Further, the data may travel through multiple entities present between the data subject and the data controller, who process the data on behalf of the data controller (data processors).

The law on privacy and data security in India in today’s electronic age is still at a developmental stage. The Supreme Court has recently recognised the right to privacy in India as a fundamental right under the Constitution. This right also includes the right to informational privacy, which is the individual’s right to control the dissemination of his/her data including electronic data and data over the Internet. The Supreme Court has also set up a committee (the B.N. Srikrishna Committee) to frame a legislation on data protection. As a result, any new law on privacy that gets enacted should recognise and accommodate the unique nature of IoT. However, till an omnibus privacy and data protection legislation is put in place, the existing regulatory framework on data privacy and security in India under the Information Technology Act, 2000, merits discussion.

The Information Technology Act, through its Reasonable Security Practices and Procedure Rules in 2011 (Data Privacy Rules) specifies certain requirements for data controllers to follow, while collecting, storing, processing and transmitting personal or sensitive data over the Internet. Under the Data Privacy Rules, the data controller is required to give notice of the information collected and get the written (or electronically communicated) consent of the user or the data subject, before the data is collected. The data controller must give the user an option to withdraw consent, change the information in case of a mistake, etc. Further, the collection of information must be limited to the identified purpose for which it is collected, and must be used and disclosed only for the identified purpose (data minimisation). The flow chart below provides a better idea of the flow of information and the regulatory steps involved.

Essentially, the Data Privacy Rules incorporate traditional principles found in any other legal framework on data privacy such as notice, choice, consent, and limitations on purpose and collection. The advent of IoT has challenged these traditional principles.

Providing notice to the data subject within the IoT ecosystem may not be feasible, as traditional forms of notice on information practices are difficult to implement in an environment where many sensors/devices at multiple levels are measuring and tracking various data simultaneously. It is difficult to give notice in all instances of collection and processing, as it will be burdensome on both the consumers and the IoT stakeholders. The same challenge exists for following traditional methods of providing choice, and written or electronically communicated consent. Further, most IoT devices do not have a screen or interface where they can communicate notice and obtain consent from the data subject, or the existing interface in the device is not sufficient for such communication.

Data minimisation as a concept, (where companies should limit the data they collect and retain, and dispose it once they no longer need it) may not be realistic for IoT, as it is overtly rigid and may hinder the potential for innovation, in terms of developing and creating more streamlined and refined services within the IoT ecosystem. However, it continues to remain an essential element for the protection of privacy within the IoT ecosystem and cannot be ignored.

The above are just legal touchpoints that demonstrate the gulf between existing law around data privacy and the inherent delivery systems and user interfaces in IoT. The White Paper recently released by the B.N. Srikrishna Committee on data protection laws, has taken the growth of IoT into consideration in contemplating the type of regulation for data protection. However, the onus is not just on the law makers but the IoT industry who need to adopt/reinvent compliant devices, practices and processes that meet current and future data privacy and data protection/security norms.

For instance, IoT industry stakeholders could start with capturing and maintaining user data in an anonymised or de-identified form for services or devices that are not dependent on the identity of an individual. They can adopt a protocol at the device level and user interaction level, to de-identify such data and also ensure that it is not capable of re-identification. Device manufacturers can adopt privacy by design, where privacy and data security measures are incorporated into the design architecture of the device/software. This can ensure that the requirements of data privacy law are incorporated into the device itself and pre-emptively enable data privacy compliance, if not help prevent data security breaches. Of course, a system of frequent security threat and weakness checks and follow-up patches would make this approach more robust.

Notice and consent requirements under the Data Privacy Rules require some form of interface to capture consent and provide policy information on the user’s personal information. While high-end IoT device manufactures would most likely have device, application or portal interfaces to meet this requirement, a number of low-end device manufacturers may not (cost being a key deterrent). The requirement could possibly be met through a common portal/network partner (command centre) that allows the user to control the collection and processing of his/her data across various devices and transactions, apart from configuring and controlling device functionality itself.

While there are a number of possible solutions, meeting the challenges that the law poses to IoT and vice versa, requires an effective dialogue between industry and policymakers. Only then would law, technology and society converge in synergistic ways that address industry needs and privacy concerns and thereby fully harness the immense benefits of IoT.

[This is Part-II of a four-part series on The Law and the Internet of Things. This part provides an insight into the impact that IoT may have on laws relating to privacy and data security, and explores the possible solutions in law and industry, which will help enable the development of IoT.]

Disclaimer: The views expressed in this article are the personal views of the authors and are purely informative in nature. The information provided does not constitute legal advice.