Guest Post - Balancing Privacy Rights with Social Utility in the Age of the Internet of Things

By: Andrew Pery on June 28th, 2017


This is the third post in a series on privacy by Andrew Pery. You might also be interested in Privacy by Design: The Intersection of Law and Technology and What Do the GDPR and new Privacy Laws Mean for U.S. Companies?


Resistance is futile.  A recent Gartner report estimates that by 2020 the number of connected devices such as sensors and wearables will reach 21 billion, up from 6.4 billion in 2016.   Such an unprecedented level of connectedness is expected to transform virtually every facet of our lives, largely in beneficial ways.

There are, however, increasing concerns as to how pervasive use of IoT devices will impact privacy rights. It’s not just the volume of data generated but also the variety of information collected, such as geolocation, internet search habits and preferences, which, taken together, may infringe upon privacy rights.

Is obtaining informed consent practical? A report by the World Economic Forum has found that data subjects would have to invest 250 working hours, or 30 working days each year just to read privacy policies. Let’s take a concrete example that illustrates the point.  Chances are that you use Uber but likely have not read their privacy policy. It makes it clear they collect your location, contact, transaction and device information.

There is an emerging school of thought which holds that the traditional consent model ought to be supplanted by the use model, as “ensuring individual control over personal data is not only an increasingly unattainable objective of data protection, but in many settings it is an undesirable one, as well.” The rationale for this proposed overhaul of traditional notions of privacy is that there are compelling societal benefits to the collection and use of personal information as long as it is anonymized and aggregated so as to preclude identification of the data subject.

This includes de-identification of personally identifiable information and adherence to higher accountability standards including payment of fines in the event of infringement causing harm. 

The use model acknowledges the impracticality of obtaining informed consent. Rather it places emphasis on the benefits associated with de-identified personal data that delivers social utility such as health-care prevention, more efficient transportation, environmental protection and education. 

Regulating privacy associated with the use of IoT devices is vexing. A recent Ponemon report found that while there is no real standard governing IoT privacy, there is a preference for some form of “labeling” on IoT devices that communicates in plain language the information such devices collect.

On the other hand, proponents of the social utility or use model, such as Rob van Kranenberg, the founder of the IoT Council, argue: “let’s embrace the IoT as something that can empower us”.

While privacy in the age of the IoT is nascent, the legal framework based on informed consent has been considerably strengthened with the ratification of the GDPR. The onus is clearly on data controllers to implement and adhere to rigorous information governance best practices that empower them to capture, classify and use personally identifiable information in accordance with privacy regimes based on informed consent.

There are a number of new initiatives that show promise in balancing privacy rights and social utility. For example, the 2013 World Economic Forum report proposes that personal data be tagged with the terms under which such data may be used, together with an audit function that verifies compliance. There is a potentially useful technical initiative, the “eXtensible Access Control Markup Language” (XACML), designed to embed privacy settings. The Federal Trade Commission Staff Report recommends the use of QR codes that provide details as to the information collected by IoT devices, and provision for privacy choices during device installation. Finally, the Online Trust Alliance, a consortium of IoT device manufacturers, proposes rigorous disclosure policies prior to purchase, including the ability to control privacy settings.

About the author: Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector focusing on content management and business process automation. Currently Andrew is CMO of Top Image Systems. Andrew holds a Masters of Law degree with Distinction from Northwestern University and is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).

[Note from JM: All this has me thinking about privacy challenges of managing increasing volumes of data, and particularly compliance challenges looming with the pending new European privacy rules - the GDPR. Andrew and I wrote a new eBook on the topic -- Information Privacy and Data Protection Regulation -- The EU GDPR is Just the Tip of the Iceberg. Check it out.]
