AIIM - The Global Community of Information Professionals

Guest Post - Balancing Privacy Rights with Social Utility in the Age of the Internet of Things

Jun 28, 2017 6:39:03 PM by Andrew Pery

This is the third post in a series on privacy by Andrew Pery. You might also be interested in Privacy by Design: The Intersection of Law and Technology and What Do the GDPR and new Privacy Laws Mean for U.S. Companies?


Resistance is futile.  A recent Gartner report estimates that by 2020 the number of connected devices such as sensors and wearables will reach 21 billion, up from 6.4 billion in 2016.   Such an unprecedented level of connectedness is expected to transform virtually every facet of our lives, largely in beneficial ways.

There are, however, increasing concerns as to how pervasive use of IoT devices will impact privacy rights. It’s not just the volume of data generated but also the variety of information collected, such as geolocation, internet search habits and preferences, which, taken together, may infringe upon privacy rights.

Is obtaining informed consent practical? A report by the World Economic Forum has found that data subjects would have to invest 250 working hours, or 30 working days each year just to read privacy policies. Let’s take a concrete example that illustrates the point.  Chances are that you use Uber but likely have not read their privacy policy. It makes it clear they collect your location, contact, transaction and device information.

There is an emerging school of thought which holds that the traditional consent model ought to be supplanted by the use model, as “ensuring individual control over personal data is not only an increasingly unattainable objective of data protection, but in many settings it is an undesirable one, as well.” The rationale for this proposed overhaul of traditional notions of privacy is that there are compelling societal benefits to the collection and use of personal information as long as it is anonymized and aggregated so as to preclude identification of the data subject.

This includes de-identification of personally identifiable information and adherence to higher accountability standards including payment of fines in the event of infringement causing harm. 

The use model acknowledges the impracticality of obtaining informed consent. Rather it places emphasis on the benefits associated with de-identified personal data that delivers social utility such as health-care prevention, more efficient transportation, environmental protection and education. 

Regulating privacy associated with the use of IoT devices is vexing. A recent Ponemon report found that while there is no real standard governing IoT privacy, there is a preference for some form of “labeling” associated with IoT devices that communicates in plain language the information such devices collect.

On the other hand, proponents of the social utility or use model, such as Rob van Kranenburg, the founder of the IoT Council, argue: “let’s embrace the IoT as something that can empower us”.

While privacy in the age of the IoT is nascent, the legal framework based on informed consent has been considerably strengthened with the ratification of the GDPR. The onus is clearly on data controllers to implement and adhere to rigorous information governance best practices that empower them to capture, classify and use personally identifiable information in accordance with privacy regimes based on informed consent.

There are a number of new initiatives that show promise in balancing privacy rights and social utility. For example, the 2013 World Economic Forum report proposes that personal data be tagged, including terms under which such data may be used, including an audit function that verifies compliance. There is a potentially useful technical initiative – “eXtensible Access Control Markup Language” (XACML) designed to embed privacy settings. The Federal Trade Commission Staff Report recommends the use of QR codes that provide details as to information collected by IoT devices and provision for privacy choices during device installation. Finally, the Online Trust Alliance, a consortium of IoT device manufacturers, proposes rigorous disclosure policies prior to purchase, including the ability to control privacy settings.


About the author: Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector focusing on content management and business process automation. Currently Andrew is CMO of Top Image Systems. Andrew holds a Masters of Law degree with Distinction from Northwestern University and is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).


Topics: privacy, security, information security, gdpr
