TechNotes – Top 10 security and privacy issues within the IoT

The most pressing legal issues from a security and privacy perspective for Internet of Things

31 March 2021


“Despite the disruptive impacts of Covid-19, 47% of organizations plan to increase their investments in the Internet of Things (IoT), according to a recent survey from Gartner, Inc.”

Gartner, 29 October 2020

1. No human intervention: The Internet of Things, or ‘IoT’, is a term that describes a network of physical objects (the ‘Things’) that incorporate technology for the purpose of connecting and exchanging data with other devices and systems over the internet. Devices that connect to the IoT differ from conventional devices in that they can respond to instructions and to their environment through sensors connected to other objects or networks. The IoT does not depend on human intervention to function, and this increases privacy and security risk: because the devices run unattended, security updates may not be applied and settings may not be kept in line with best practice, so a device can continue operating for years with known weaknesses that more sophisticated threats can exploit.

2. Growth of the IoT: Applications of the IoT are increasing. Current applications include deploying IoT in consumer spaces (eg ‘smart’ homes and wearable technology), agriculture, advertising, infrastructure, transport and the health sector. The availability of cheaper technology and widespread access to the internet (particularly via mobile phone networks) has enabled the rapid growth of the IoT and of IoT devices, while also increasing the number of targets available to attackers. Growth areas and emerging applications of the IoT include smart cities, advances in security software, and autonomous and connected vehicles.

3. Cybercrime: Cybercrime and the risk of data and IP theft are a very real concern, with cyber criminals adopting and constantly evolving a range of methods, from password cracking and phishing emails to staff impersonation and malware. There has been an increased focus on this issue during the COVID-19 pandemic because of the number of people working from home and purchasing IoT devices (see our article regarding IoT issues when working from home here). A compromised IoT device can expose a large amount of personal and intimate data about an individual’s home, work and health, and can also serve as a foothold into the home or corporate network it is connected to.

4. Security risks: IoT technologies carry security and cybersecurity risks that go beyond the devices themselves and extend to the wider network or system to which they connect. Many devices are small, low cost and low powered. Their limited user interfaces, processing power and memory mean that they often cannot implement common security features, and they are designed to operate over a long period of time without supervision or updates (including the software updates that would address security concerns). In many cases the manufacturer would not be liable for a cybersecurity breach, which leaves little incentive for device manufacturers within the IoT industry to incorporate security into device designs. That position may come under increasing scrutiny, however, on the basis of the European Commission’s report from the Expert Group on Liability and New Technologies, which addresses the various risks posed by emerging technologies such as IoT and whether existing rules on liability are fit for purpose. The report’s key findings suggest that amendments could be made in the future to the current product liability regime in the EU.

5. Regulation: The EC’s report on Liability and New Technologies demonstrates that authorities are increasingly looking at regulation for consumer IoT devices. In addition, authorities, industry bodies and large technology companies have produced guidance and recommendations on IoT security, including the Code of Practice for consumer IoT security (published by the UK’s Department for Digital, Culture, Media & Sport) and the UK National Cyber Security Centre’s guidance on using smart devices safely in the home. Organisations should track regulatory developments in this area to ensure that their use of IoT solutions and networks does not fall out of compliance with any applicable laws, regulation and guidance.

6. Confidentiality: Many IoT device users may not appreciate the extent to which IoT devices are “live and listening”. Employers are rightly concerned about confidentiality and security while their staff work from home. Among wider directions to staff to address these concerns, there have been reports of employers requiring staff to turn off IoT devices with ‘listening’ capabilities during work hours, for fear of confidential discussions being overheard. Data protection authorities are interested too: the UK ICO has recently issued guidance for employers and individuals on working securely from home and on the security considerations around use of personal devices.

7. Personal data: Every instance of the IoT in the consumer context is likely to involve the processing of personal data, and the collection and transfer of personal data by IoT devices is high on the agenda in relation to the associated legal issues. Under the General Data Protection Regulation (GDPR, meaning the EU GDPR and the retained UK version of the GDPR), parties involved in the processing of personal data are classified as either a controller or a processor. This in turn determines what obligations they have in relation to the protection of that personal data. IoT services involve several parties (for example, sensor manufacturers, hardware manufacturers, software vendors, cloud infrastructure and service providers, and communications network operators), and a key difficulty in this area is determining whether a given stakeholder is acting as a controller or a processor in relation to any personal data collected by an IoT device. It is not uncommon for several participants in the IoT ‘stack’ to each be a controller of the same personal data. Organisations should therefore assess the relevant processing activities to identify each party’s role under applicable data protection laws and correctly allocate responsibilities, particularly in relation to data breach notification obligations.

8. Special category data: Certain IoT devices may process sensitive or ‘special category data’. For example, smart wearables may collect data about an individual’s health, including their heart rate or even data around mental wellbeing. Under applicable data protection laws, processing this kind of data is subject to more stringent rules, and further consideration will be needed in relation to the processing of any sensitive or special category data. For example, under the EU/UK GDPR, processing special category data requires both a lawful basis for processing and one of the specific additional conditions that apply to special category data; for consumer devices the most commonly relied upon condition is the individual’s explicit, informed consent, obtained before their data is collected. This presents an additional challenge for organisations developing IoT technologies, as they will be required to assess the potential for holding and processing sensitive or special category data as part of their overall compliance and risk assessment, and must be transparent with individuals about their processing activities in order to obtain any necessary consents.

9. Data transfers: Under the EU and UK GDPR, transfers of personal data to a country outside the EU or UK are subject to certain restrictions. These restrictions also apply to any onward transfers of personal data. In the case of IoT, controllers will need to check where personal data is being sent, whether any sub-processors are used and whether any onward transfers are made by those sub-processors. This may require a careful assessment of any third-party data processing arrangements (eg cloud services), which are likely to involve cross-border transfers of personal data.

10. Privacy by design: Compliance with data protection laws is an issue of increasing importance in the IoT as the development and growth of the industry continues. Under the EU and UK GDPR, data protection by design and by default is a legal obligation, so data protection should be a principal consideration throughout the development and lifecycle of a product; IoT devices are no exception. Data protection impact assessments may need to be carried out prior to the deployment of an IoT device or network, particularly where the processing is likely to present a high risk to individuals, such as where special category data is being processed.


This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.