Resistance is futile. A recent Gartner report estimates that by 2020 the number of connected devices such as sensors and wearables will reach 21 billion, up from 6.4 billion in 2016. Such an unprecedented level of connectedness is expected to transform virtually every facet of our lives, largely in beneficial ways.
There are, however, increasing concerns as to how a pervasive use of IoT devices will impact privacy rights. It’s not just the volume of data generated but also the variety of information collected, such as geolocation, internet search habits, and preferences, which, taken together, may infringe upon privacy rights.
Is obtaining informed consent practical? A report by the World Economic Forum has found that data subjects would have to invest 250 working hours, or 30 working days, each year just to read privacy policies. Let’s take a concrete example that illustrates the point. Chances are that you use Uber but likely have not read their privacy policy. That policy makes it clear that they collect your location, contact, transaction, and device information.
There is an emerging school of thought which holds that the traditional consent model ought to be supplanted by the use model as “ensuring individual control over personal data is not only an increasingly unattainable objective of data protection, but in many settings, it is an undesirable one, as well.” The rationale for this proposed overhaul of traditional notions of privacy is that there are compelling societal benefits to the collection and use of personal information as long as it is anonymized and aggregated so as to preclude identification of the data subject.
This includes de-identification of personally identifiable information and adherence to higher accountability standards, including payment of fines in the event of infringement causing harm.
The use model acknowledges the impracticality of obtaining informed consent. Rather, it places emphasis on the benefits associated with de-identified personal data that delivers social utility such as health-care prevention, more efficient transportation, environmental protection, and education.
Regulating privacy associated with the use of IoT devices is vexing. A recent Ponemon report found that while there is no real standard governing IoT privacy, there is a preference for some form of “labeling” on IoT devices that communicates in plain language the information such devices collect.
On the other hand, proponents of the social utility or use model, such as Rob van Kranenburg, the founder of the IoT Council, argue: “let’s embrace the IoT as something that can empower us”.
While privacy in the age of the IoT is nascent, the legal framework based on informed consent has been considerably strengthened with the ratification of the GDPR. The onus is clearly on data controllers to implement and adhere to rigorous information governance best practices that empower them to capture, classify, and use personally identifiable information in accordance with privacy regimes based on informed consent.
There are a number of new initiatives that show promise in balancing privacy rights and social utility. For example, the 2013 World Economic Forum report proposes that personal data be tagged with the terms under which such data may be used, along with an audit function that verifies compliance. There is also a potentially useful technical initiative, the “eXtensible Access Control Markup Language” (XACML), designed to embed privacy settings. The Federal Trade Commission Staff Report recommends the use of QR codes that provide details as to the information collected by IoT devices, and provision for privacy choices during device installation. Finally, the Online Trust Alliance, a consortium of IoT device manufacturers, proposes rigorous disclosure policies prior to purchase, including the ability to control privacy settings.