Keeping privacy in mind when developing new technologies for the IoT

Earlier this year, Samsung’s Smart TV caused concern when it was reported that individuals’ private conversations could be listened in on when the voice recognition function was enabled.

Sounding like something George Orwell predicted in the classic novel “1984”, the idea of technology snooping on you in the privacy of your home is becoming an increasing reality, with voice recognition now used in everything from fridges to mobile phones.

The Internet of Things (IoT) offers IT companies the opportunity for significant growth; however, the potential for privacy intrusion (and therefore for breaches of the law) is also very real.

With this in mind, and with more devices in the average household possessing such “eyes and ears”, what are the legal and privacy obligations of the companies developing products that have the ability to “snoop”?

The legal framework

The relevant legal framework with which to assess these privacy and data protection issues is found primarily in Directive 95/46/EC (the “Data Protection Directive”).

The Data Protection Directive applies to all processing of personal data (including spoken voice data) carried out where a data controller is established in an EU country, or importantly in the context of the IoT, where a data controller makes use of equipment situated in the EU.

To recap, the “data controller” is the person (or entity) who determines the purposes for which, and the manner in which, any personal data is to be processed. In the context of connected TVs, the data controller could be, say, a TV manufacturer established in the EU, or a TV manufacturer established outside the EU that collects voice data of users in the EU via the voice recognition functionality on a connected TV.

In the context of a connected TV manufacturer, the data controller would need to ensure that any processing of voice data is “legitimate”, typically by obtaining the consent of its users, although the Directive also recognises other grounds, such as processing that is necessary to perform a contract with the user.

The issue of what constitutes valid consent is a particularly complex area, with different views across the EU as to what it means and how it is obtained. However, it is questionable whether consent would be deemed valid if, for example, a notice that “voice data will be collected by the TV manufacturer when voice recognition functionality is enabled” was buried in a privacy policy.

Further obligations on a TV manufacturer include the obligation to process the voice data only for the specified purposes for which it was collected, not to keep it for any longer than is necessary to fulfil those purposes, and to keep any data collected secure by means of appropriate technical and organisational measures.

The identity of the controller, the purposes of the processing, the recipients of the data (if any), the existence of a user’s right to access their data, and so on, should also all be set out in a clear and comprehensive manner in the data controller’s privacy policy. The controller should also verify that it actually holds the consent it believes it has before any collection or processing takes place.

Sanctions

In terms of sanctions for breaches of data protection law, there has been a recent push for higher fines and more aggressive enforcement in the EU. Enforcers across Europe have expressed the view that this is the result of too many companies taking a half-hearted approach to data protection compliance.

Expected over the coming months is a new Data Protection Regulation for the EU (the “Regulation”), which will replace the existing Data Protection Directive and usher in sweeping changes, with proposals to beef up and alter the current regime. A key part of the Regulation is larger fines: penalties of 2 per cent to 5 per cent of global turnover, or up to 100 million Euros, have been proposed for data protection breaches. Fines for serious breaches have already increased significantly in the UK in recent years, with companies in breach liable to fines of up to £500,000.

There is also an increasing trend in EU countries to permit privacy claims via the courts even where no financial loss has occurred, not to mention class actions, significantly broadening the circumstances in which data protection litigation can be brought and damages awarded.

Privacy by Design

In essence, companies manufacturing IoT devices and providing smart services need to be thinking about “privacy by design” from the outset. This has been a key mantra coming out of Europe for a long time, and it is only going to become a hotter issue still. Companies must be able to demonstrate that they are taking data protection seriously at the design and implementation stage. There are three key points for companies to remember:

  1. In practice, it is necessary to perform security assessments on systems and services as a whole, in addition to training staff and having policies in place for dealing with key issues such as data handling, data access for users, breach notification and so on.
  2. In drafting or reviewing policies and procedures, organisations should be mindful of the likely changes being introduced by the new Regulation (e.g. those relating to breach notification obligations) and of the latest sanctions position for breaches.
  3. Whilst well-drafted, user-facing privacy policies can help, far greater levels of transparency about data processing are also necessary, along with clearly signposted opt-outs and user controls. When investigating a violation, enforcers are unlikely to have much sympathy for organisations that have taken a lackadaisical approach to compliance.

Rafi Azim-Khan, Head of Data Privacy, Europe and Steven Farmer, Counsel at Pillsbury Law