This is the third post in a series on privacy by Andrew Pery. You might also be interested in Privacy by Design: The Intersection of Law and Technology and What Do the GDPR and new Privacy Laws Mean for U.S. Companies?
Resistance is futile. A recent Gartner report estimates that by 2020 the number of connected devices such as sensors and wearables will reach 21 billion, up from 6.4 billion in 2016. Such an unprecedented level of connectedness is expected to transform virtually every facet of our lives, largely in beneficial ways.
There are however increasing concerns as to how a pervasive use IoT devices will impact privacy rights. It’s not just the volume of data generated but also the variety of information collected such as geolocation, internet search habits and preferences which, taken together may infringe upon privacy rights.
There is an emerging school of thought which holds that the traditional consent model ought to be supplanted by the use model as “ensuring individual control over personal data is not only an increasingly unattainable objective of data protection, but in many settings it is an undesirable one, as well.” The rationale for this proposed overhaul of traditional notions of privacy is that there are compelling societal benefits to the collection and use of personal information as long as it is anonymized and aggregated so as to preclude identification of the data subject.
This includes de-identification of personally identifiable information and adherence to higher accountability standards including payment of fines in the event of infringement causing harm.
The use model acknowledges the impracticality of obtaining informed consent. Rather it places emphasis on the benefits associated with de-identified personal data that delivers social utility such as health-care prevention, more efficient transportation, environmental protection and education.
Regulating privacy associated with the use of IoT devices is vexing. A recent Ponemon report found that while there is no real standard governing IoT privacy there is a preference for some form of “labeling” associated with IoT devices that communicate in plain language the information such devices collect.
On the other hand the proponents of the social utility or use model, such as Rob van Kranenberg, the founder of the IoT Council, argues - “let’s embrace the IoT as something that can empower us”.
While privacy in the age of the IoT is nascent the legal framework based on informed consent has been considerably strengthened with the ratification of the GDPR . The onus is clearly on data controllers to implement and adhere to rigorous information governance best practices that empower them to capture, classify and use personally identifiable information in accordance with privacy regimes based on informed consent.
There are a number of new initiatives that show promise in balancing privacy rights and social utility. For example the 2013 World Economic Forum report proposes that personal data be tagged, including terms under which such data may be used, including an audit function that verifies compliance. There is a potentially useful technical initiative – “eXtensible Access Control Markup Language” (XACML) designed to embed privacy settings. The Federal Trade Commission Staff Report recommends the use of QR codes that provide details as to information collected by IoT devices and provision for privacy choices during device installation. Finally the Online Trust Alliance, a consortium of IoT device manufacturers, proposes rigorous disclosure policies prior to purchase including ability to control privacy settings.
Want some help developing your information governance strategy? Join the AIIM Community for this FREE virtual event.
About the author: Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector focusing on content management and business process automation. Currenly Andrew is CMO of Top Image Systems. Andrew holds a Masters of Law degree with Distinction from Northwestern University is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).
You might also be interested in this previous post by Andrew - Privacy by Design: The Intersection of Law and Technology.