Align by Design: Global Privacy Authorities Weigh in on the Internet of Things
The rapid growth of the internet of things has sharpened public focus on consumer data protection practices. On October 14th, the 36th International Conference of Data Protection and Privacy Officials offered its views on this evolving debate. Announcing that the "internet of things is here to stay," the group of international data officials issued a declaration highlighting the need for clarity, caution and cooperation in confronting emerging privacy challenges.
The declaration set out key observations and conclusions, which could foreshadow future policy considerations:
(1) Self-determination is an inalienable right. The internet of things increases the risk that personal development will be shaped by what others know.
(2) Big data derived from the internet of things should be treated as personal data. Identifiability is more likely than not, given the quantity, quality and sensitivity of collected data.
(3) New services and big data are key revenue drivers in the internet of things.
(4) Transparency is key. Providers "should be clear about what data they collect, for what purposes and how long this data is retained." Companies should eliminate "out-of-context surprises."
(5) The internet of things poses significant security challenges. Ensuring "local processing" helps minimize security risks. Otherwise, companies should offer end-to-end encryption.
(6) Security should be in place from the outset. The development of technology to facilitate protection is encouraged. "Privacy by design and default should no longer be regarded as something peculiar."
(7) Privacy authorities will continue to follow developments and ensure compliance with local laws and international principles. Authorities will seek appropriate enforcement action, either unilaterally or through international cooperation.
(8) Trust in connected systems is a joint responsibility. All actors should engage in an active debate to raise awareness of the choices to be made.
In the officials' view, informed choice and increased protection should steer the internet of things. They envision a structure where consumer benefit and privacy are not necessarily at odds. The authorities do not see existing privacy principles – consent, transparency and security – as impediments to innovation. The converse is their concern.
In particular, they seem worried that data could be nearing a point where protection cannot concurrently scale with collection. In a field expected by some to grow by $5 trillion this decade, innovation could increasingly outpace regulation. As a result, business could be the initial driver of accepted practice for activities outside the scope of current regulation.
Strong prospective engagement, the authorities feel, could raise awareness of the attendant risks and better serve privacy interests. Focusing on privacy by design, the officials urge companies to consider productizing protection. From this perspective, avoiding a 'farm now, fence later' approach to data collection could be critical, as retroactively addressing privacy concerns may be problematic. Indeed, if privacy is to be a cornerstone of the internet of things, broader initial deliberation is required. Whether the group’s call will increase collaboration remains to be seen. In the meantime, the debate about consensus will continue to be a defining narrative as the internet of things matures.
 - For example, on October 20, 2014, several U.S. Senators called for Congressional collaboration on the internet of things. Letter from Deb Fisher et al to Jay Rockefeller and John Thune (Oct. 20, 2014), http://www.fischer.senate.gov/public/_cache/files/e0a5801e-e239-4db8-812f-b9843f111b7d/internet-of-things-commerce-hearing-letter-1-.pdf. In addition, the Article 29 Data Protection Working Party in the EU recently issued an opinion on the internet of things. See Opinion 8/2014 on the Recent Developments on the Internet of Things (Sept. 16, 2014), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf.
 - See Mauritius Declaration on the Internet of Things (Oct. 14, 2014), privacyconference2014.org/media/16596/Mauritius-Declaration.pdf. The group, which included data protection authorities from Europe and Asia, also issued several resolutions, including a big data resolution, and adopted an enforcement cooperation agreement. See Resolutions, privacyconference2014.org/en/about-the-conference/resolutions.aspx (last visited Oct. 23, 2014).
 - See Leon Spencer, Internet of Things Market to Hit $7.1 Trillion by 2020: IDC, ZDNet (June 5, 2014), http://www.zdnet.com/internet-of-things-market-to-hit-7-1-trillion-by-2020-idc-7000030236.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2014 White & Case LLP