Regulation of the Internet of Things

June 16, 2016

1. Introduction 

Technology poses one of the greatest challenges to the legal profession: it progresses faster than any other field, so outdated laws are relied on to cover new technology. An emerging trend is smart technology and the Internet of Things (IoT). IoT is based on machine-to-machine communication and enables the remote use of technology. It presents a genuine legal challenge because it does not require active participation from the product user, which makes consent problematic. Additionally, it is based on the collection and sharing of data, which raises real issues of data privacy and of the security of that data. The attention the European directives pay to consent could serve as an impediment to the progression of IoT in Europe. Within the UK's implementing legislation, the Data Protection Act 1998 presents specific issues for IoT in terms of the privacy of data. At times consumer and legal expectations are aligned, but in some areas legislation demands standards that could limit the value of the technology to consumers, and in others the legislation falls below an adequate level of regulation and protection. To overcome these problems, unification in Europe is needed, but this study explores whether the formation of an IoT Act is needed or whether evolution of the current system is satisfactory.

2. Potential problems with Internet of Things

In order to be efficient, the technology stores large amounts of data about consumers. It can therefore build a profile of each user and tailor its services to that particular consumer. As a result, the main legal challenges for IoT are consent to the collection, storage and usage of data, and the protection of that data.

2.1. Consent

The main issue with consent arises because the nature of the technology means that use is ongoing and does not require active participation. There is, therefore, no clear moment at which the user can consent to being monitored.[1] Given the potential prevalence of smart technology in homes, the amount of information gathered on people's lives, routines and habits is immense, and the quality of the consent obtained is far too low in proportion to it. In fact, uninformed and very general consent is often made mandatory: 'many IoT-related services do not give any alternatives to the end user's data being created, stored or shared.'[2] Such consent is not voluntary, which clearly poses a great legal challenge and is not workable if IoT expands to the expected scale. Consent is equally a problem for technology that is already readily available. The market pioneers, and the best-known example of smart technology, are smart meters. Although half-hourly data collection will require the user to 'opt in', consent for daily collection will be automatic (with an option to revoke it), and checking monthly consumption will require no consent at all.[3] This is clearly problematic, as it again calls the quality of consent into question, and there is an obvious conflict between the importance of consent and the efficiency of having consumption data monitored automatically.

2.2. Security and Privacy of Personal Data

Aside from consent, there are further problems with the collection of personal data, in terms of both its storage and its security. Richards, Fell and White note that data is 'personal data' when it can be used to identify a 'living individual'.[4] In a 'smart house' even eating habits and daily routines would be identifiable from the stored data, so IoT technology deals with the most personal of data. Craig Spiezle, indeed, states that the 'business models' of IoT are 'based' on the sharing of data, meaning 'the amounts of "ambient" data collected by networks and carriers is massive.'[5] In itself this is clearly a huge legal issue, but it is made worse by reports that this data is poorly protected: 'security experts' have been able to hack a variety of devices, 'from connected baby monitors to automated lighting and smart fridges.'[6] Although the industry is currently small and there is limited money in it, so that it is not yet a major target for attackers, the devices already compromised by researchers show that the weaknesses are present now, and the threat will grow with the industry. Strict regulation is therefore necessary to secure the data, in order to keep up with legal and consumer expectations.

3. Legislative Restrictions 

3.1. European Legislation

The European directives and treaties are aimed principally at the rights of individuals, and therefore present an obvious conflict with, and impediment to, the IoT. Even an instrument as fundamental as the European Convention on Human Rights (ECHR) potentially conflicts with the IoT's storage of private data. Article 8(1) ECHR provides for respect for one's private life, and the justifications offered for IoT (efficiency and profitability of service) would be insufficient to justify an interference with this right under Article 8(2). Furthermore, in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, the CJEU ruled that citizens have a right to be forgotten online. This again provides a potential hindrance to technology which relies on increased online storage of private data. Notably, the CJEU also held that the data subject's right to privacy overrides, as a rule, the economic interest a company has in the data, which may set a precedent for similar cases relating to IoT. In Europe, IoT will also be constrained by the principles of the Data Protection Directive 95/46/EC, particularly in terms of consent. Recital 30[7] stresses the importance of consent, but does give IoT some leeway in that processing can be justified as necessary for the performance of a contract, such as the collection of consumption data by smart meters. Recital 33[8] appears to apply to the intrusive nature of IoT data and requires 'explicit' consent, which is currently virtually impossible for IoT services to obtain. This is reinforced by the definition in Article 2(h)[9], which requires an 'informed' consent that ongoing usage does not allow for. Therefore, in European legislation, protection of one's data is a basic principle, and can only be infringed upon with very explicit and informed consent.
As Susan Brenner identifies, however, IoT technology 'allow[s] us…unconsciously to interact with embedded…technology,'[10] whereas the traditional definition of use is 'a conscious intentional act,'[11] and it is around this definition that the 'context-specific rules'[12] on consent were built. The suggestion, therefore, is that the current regulations are not equipped to deal with these technologies, and that the standards of consent they set are potentially too high for IoT.

3.2. UK's Data Protection Act 1998

Firstly, as with the Directive, it is notable that the Act is almost twenty years old, yet it is used to regulate technologies which could not have been conceived when it was drafted. This appears to be the major legal issue: legislation cannot evolve as rapidly as technology develops. The Data Protection Act implemented the Directive, placing particular emphasis on the collection and storage of data and implementing some of the Directive's ideas regarding consent. The second data protection principle (Schedule 1, Part I, paragraph 2)[13] requires that personal data be obtained only for specified purposes and not further processed in a manner incompatible with them, which is very difficult to guarantee if the information is being passed on by machines to a third party. In a system reliant on machines communicating and passing on data in order to improve efficiency and adapt to the specific user, it is inevitable that information is used for reasons other than the 'specified purpose'. Additionally, the seventh principle (Schedule 1, Part I, paragraph 7)[14] demands that appropriate technical and organisational measures be taken to secure and protect the information held. This has two distinct parts: IoT providers must first have made a real effort to put measures in place (including a response in case of a breach), and they must also tailor those measures to the specific nature of the data held. Currently the security measures in place are very limited in proportion to the potential scale of IoT and the highly personal nature of the information revealed. The principles of the Act and the Directive are relatively similar, but the existence of separate pieces of national legislation and guidance (although inevitable in the EU system) is evidence of the fragmentation of regulation across the European market. There are therefore a number of legal issues which currently challenge the progression of IoT, if it is to develop in line with the rights of the individuals who are greatly affected by it.

4. Potential Solutions 

Purvi Parekh identified similar legal issues for IoT and suggested two potential strategies for moving forward: evolution of the current system or formation of an IoT Act.[15] This essay discusses each in further detail.

4.1. Evolution of Current System

With regard to consent, the legislation focuses mainly on consent being informed, which is difficult to establish with IoT technology. Richards, Fell and White note that the 'government is encouraging the energy industry to develop a "privacy charter" to explain to consumers what their choices around data access are.'[16] This would give users more information about what they are actually consenting to and how exactly their data would be used, which in turn would raise the quality of consent so that it could meet existing legislation. Similarly, Mark Webber suggested that evolution based around the current legislation may be sufficient, including 'exploring the merit of a consumer education campaign exposing the potential benefits of the IoT to consumers.'[17] The implication may even be that the IoT will be unable to meet the high threshold for informed consent set out in the Act, but that consumers may still be willing to give their consent if they believe the benefits outweigh the risks.

Nonetheless, to make current legislation fit the development of the IoT in terms of the other challenges to the model, a single telecoms market in Europe is needed. This would in turn sharpen regulation throughout Europe and enable the protection of privacy as data moves across the EU. Discussions and developments in this area have been under way for a number of years, and the Commission has set up the Connected Continent package, 'intended to address fragmentation and creating true single market making it easier to operate across Europe's borders.'[18] The agreement is to be 'spectrumless', to remove charges for data roaming and to establish 'net neutrality laws'.[19] In other words, attempts are already in progress to adapt and develop the system that is already in place and to work around its limitations.

4.2. Formation of an Internet of Things Act 

A report on the Public Consultation on IoT Governance suggested that consumers consider current privacy regulations inadequate for dealing with IoT.[20] The creation of an Act (as suggested by Parekh), or ideally a European Regulation, might appear excessive given the current size of IoT and the fact that data privacy concerns are not a new issue. Yet 'analysts at McKinsey predict the IoT industry is going to be in its trillions in the next 5 to 10 years.'[21] Moreover, the argument is that context-specific rules are needed because IoT technology is a separate entity from previous technology, and we must legislate accordingly. The main difference, as Susan Brenner has written, is the difference between 'use' and 'interaction': it used to be clear when the user had 'assumed the risk of abiding by those standards on the process of "using" a technology.'[22] By the logic of Brenner's argument, it is not much of a leap to suggest that a new set of specific rules is needed to deal with this new context. A new Act would be able to define exactly the standard of consent required, specifically how companies could and could not use the data (including disclosure to third parties), and what information machines would be permitted to record for user profiling. Furthermore, specific principles could be set out to deal with the security of data and the measures providers would be required to take. The European Commission has already set up the 'Alliance for IoT Innovation', from which a directive or regulation dealing specifically with IoT could develop, working alongside attempts to remove European fragmentation to create a strong and safe model.

5. Conclusion

Whatever their view of what is required to legislate for the IoT, commentators generally agree that 'data protection and privacy are the greatest barriers to the development of the IoT,'[23] in addition to consent to the use of the data. To establish what action should be taken, an assessment is needed of the extent to which existing data protection regulations fully encompass the IoT.[24] It is interesting to note that Purvi Parekh actually suggested that evolution of the current system would be more workable in practice, as the issues are not new.[25] If, however, IoT and user-profiling technology is to become the next big movement in technology (as many suggest it will), then it will be necessary to create context-specific regulation from the start, regulation that assesses the point of use and establishes the threshold for consent. The campaigns and charters suggested above would be helpful in combination with this. On their own, however, they are not enough to make IoT fit legislation that was designed for a different context of user and technology. It is therefore important to establish an Act at an early stage that will regulate and monitor industry providers from the outset so that, as the industry grows, both the data and individuals' rights are protected.

6. Bibliography

6.1. Cases and Legislation

Directive 95/46/EC (Data Protection Directive), 1995.

European Convention on Human Rights (1950), Article 8.

Data Protection Act 1998.

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, Case C-131/12, CJEU, 13 May 2014.

6.2. Articles

Brenner, Susan, Law in an Era of Smart Technology, (Oxford: Oxford University Press, 2007).

European Commission, Connected Continent: a single telecom market for growth and jobs, https://ec.europa.eu/digital-agenda/en/connected-continent-single-telecom-market-growth-jobs, (Updated June 2015), Date Accessed: 3/2/16.

Kobie, Nicole, What is the Internet of Things, http://www.theguardian.com/technology/2015/may/06/what-is-the-internet-of-things-google, (May 2015), Date Accessed: 1/2/2016.

OfCom, Promoting investment and innovation in the Internet of Things: Summary of responses and next steps, http://stakeholders.ofcom.org.uk/binaries/consultations/iot/statement/IoTStatement.pdf, (January 2015), Date Accessed: 9/2/15.

Parekh, Purvi, Legal World of Internet of Things, http://raconteur.net/technology/legal-world-of-internet-of-things, (July 2014), Date Accessed: 3/2/16.

Richards, Patsy; Fell, Mike; White, Edward, Smart Meters, House of Commons Library.

Spiezle, Craig, Why an Internet of Things trust framework is needed, https://iapp.org/news/a/why-an-internet-of-things-trust-framework-is-needed-now, (October 2015), Date Accessed: 2/2/2016.

Taylor Wessing, The Internet of Things and privacy in Europe and the USA, http://united-kingdom.taylorwessing.com/globaldatahub/article_wp29_iot.html, (March 2015), Date Accessed: 1/2/16.

Webber, Mark, US and UK Regulators position themselves to meet the needs of the IoT market, http://privacylawblog.fieldfisher.com/2015/regulators-position-themselves-to-meet-the-needs-of-the-iot-market, (January 2015), Date Accessed: 2/2/16.

[1] Taylor Wessing, The Internet of Things and privacy in Europe and the USA, http://united-kingdom.taylorwessing.com/globaldatahub/article_wp29_iot.html, (March 2015), Date Accessed: 1/2/16.

[2] Taylor Wessing, The Internet of Things.

[3] Patsy Richards, Mike Fell and Edward White, Smart Meters, House of Commons Library, p.11.

[4] Richards, Fell and White, Smart Meters, p.11.

[5] Craig Spiezle, Why an Internet of Things trust framework is needed, https://iapp.org/news/a/why-an-internet-of-things-trust-framework-is-needed-now, (October 2015), Date Accessed: 2/2/2016.

[6] Nicole Kobie, What is the Internet of Things, http://www.theguardian.com/technology/2015/may/06/what-is-the-internet-of-things-google, (May 2015), Date Accessed: 1/2/2016.

[7] ‘the processing of personal data must in addition be carried out with the consent of the data subject or be necessary for the conclusion or performance of a contract binding on the data subject.’

[8] ‘Whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent’

[9] ‘freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’

[10] Susan Brenner, Law in an Era of Smart Technology, (Oxford: Oxford University Press, 2007), p.125.

[11] Brenner, Law, p.137.

[12] Brenner, Law, p.138.

[13] ‘Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.’

[14] ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

[15] Purvi Parekh, Legal World of Internet of Things, http://raconteur.net/technology/legal-world-of-internet-of-things, (July 2014), Date Accessed: 3/2/16.

[16] Richards, Fell and White, Smart Meters, p.11.

[17] Mark Webber, US and UK Regulators position themselves to meet the needs of the IoT market, http://privacylawblog.fieldfisher.com/2015/regulators-position-themselves-to-meet-the-needs-of-the-iot-market, (January, 2015), Date Accessed: 2/2/16.

[18] Parekh, Legal World.

[19] European Commission, Connected Continent: a single telecom market for growth and jobs, https://ec.europa.eu/digital-agenda/en/connected-continent-single-telecom-market-growth-jobs, (Updated June 2015), Date Accessed: 3/2/16.

[20] European Commission, Report on the Public Consultation on IoT Governance, (January, 2013).

[21] Parekh, Legal World.

[22] Brenner, Law, p.138.

[23] OfCom, Promoting investment and innovation in the Internet of Things: Summary of responses and next steps, http://stakeholders.ofcom.org.uk/binaries/consultations/iot/statement/IoTStatement.pdf, (January 2015), Date Accessed: 9/2/15.

[24] Mark Webber, US and UK.

[25] Parekh, Legal World.