Data privacy policies for the IoT

08 Jan 2015

Edith Ramirez, chairwoman of the Federal Trade Commission (FTC), played the privacy card during her keynote at the 2015 Consumer Electronics Show in Las Vegas. In a speech titled "Privacy and the IoT: Navigating Policy Issues," Ramirez highlighted "three key challenges" that she feels "the IoT poses to consumer privacy."

The head of the US government body, founded a century ago to promote consumer protection and combat anticompetitive business practices, described her three areas of concern:

(1) ubiquitous data collection
(2) the potential for unexpected uses of consumer data that could have adverse consequences
(3) heightened security risks.

Trust critical for IoT adoption
"These risks to privacy and security undermine consumer trust," said Ramirez. "And that trust is as important to the widespread consumer adoption of new IoT products and services as a network connection is to the functionality of an IoT device."

Pay heed when government officials like Ramirez brandish the word "trust" in public speeches. "The IoT could improve global health, modernize city infrastructures, and spur global economic growth," she said. But also: "Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing, and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks."

The FTC chairwoman's comments are like the proverbial iron fist in the velvet glove: the organization she heads can suggest regulation for the IoT, or parts thereof. Government intervention always moves more slowly than private enterprise—especially so in the tech sector—but some aspects of the IoT depend on regulation. There's not much use for emergency sensors in automobiles, for example, unless they communicate seamlessly with the relevant emergency services.

Sic semper trust
Many IoT logistical considerations remain gauzy, but authority figures like Ramirez have their bullet points lined up. She outlined "three key steps that companies should take to enhance consumer privacy and security and thereby build consumer trust in IoT devices":

• adopting “security by design.”
• engaging in data minimization.
• increasing transparency and providing consumers with notice and choice for unexpected data uses.

"I believe these steps will be key to successful IoT business models and to the protection of consumer information," said Ramirez.

Data privacy in Asia
Certain regions within Asia-Pacific have existing laws that may help frame future policy decisions. "Hong Kong is one of Asia’s early adopters of data privacy legislation," writes Perspecsys, a Toronto-based provider of cloud data protection solutions, on its site. "Hong Kong has a well-developed data protection regulatory framework compared to the rest of Asia and Hong Kong’s Privacy Commissioner for Personal Data is very active."

According to the PCPD's website: "The Office of the Privacy Commissioner for Personal Data is an independent statutory body set up to oversee the enforcement of the Personal Data (Privacy) Ordinance which came into force on 20th December, 1996."

By comparison, Singapore's Personal Data Protection Act was passed by the Singapore Parliament on 15 October 2012—almost 16 years later. It "governs the collection, use and disclosure of personal data and requires the mandatory compliance for organizations," says the SG PDPA Compliance Resource Centre website.

Singapore's PDPA established a National Do-Not-Call (DNC) registry intended to stop unwanted cold calls and SMS messages of a marketing or promotional nature, says the site.

Perhaps most important of all, both Singapore and Hong Kong offer workshops and seminars on practical data privacy.

Ramirez talks about trust, and that's good. But Hong Kong and Singapore offer courses in "trust-and-verify," and that's better.
