Data protection and IoT

The Data Protection Act applies to IoT devices in the UK – just like all other laws.

It’s not yet clear how the growing number of devices will interact with these laws, however. IoT is increasing levels of data collection and capture while simultaneously increasing the attack surface and coupling of our online selves to our physical selves. The next few years are likely to see a growth in the number of cases and the outcomes are not easy to predict.

How much data can devices collect about you before ‘anonymous’ is no longer anonymous? Websites have already been increasing the amount of data collected to the extent that many will have details on who you know, where you are, what sites you visit, what you buy, what you search for and so on. Will the extension of the internet into the devices we use add even more information?

Who is responsible if a breach happens inside a home? The company you bought the breached device from? The people who wrote the code? The hardware manufacturer? What if the producer of the device is in a different jurisdiction?

What is personal data? Does every third-party know what they process and store? What if I decide to store my personal details using an IoT device – should the cloud service on which it ends up be riffling through to see if they have anything covered by the Data Protection Act?

Will that be possible with over eight billion IoT devices using various cloud services?

The 2017 EU consultation on IoT didn’t bring up many big new challenges or solutions, but did highlight one issue: what is the difference between a product and a service in the IoT world? This raises a number of questions that people haven’t been used to asking when, for example, purchasing a kettle, such as:

• What are you buying? A kettle with a computer in it, a computer that boils water, or hardware that interacts with an online kettle management service?
• How long will it be supported?
• If the service stops but the device is still nominally functional, does the supplier have any liability, even if they don’t provide the service portion?

Your task

Read this article about the IoT from PwC. In the article, a number of cases of potential collections of personal data in IoT systems are discussed. Can you think of any other devices or services that collect our information that might be unexpected sources of data breaches?

Post your ideas in the comments.

Further reading

An overview of building a European data economy is available from the European Commission with links to the full report in a variety of languages.

Information on HIPAA.

Information on Summary of US State Data Breach Notification Statutes.

References

_{Legislation.gov.uk (2018) Data Protection Act 2018 [online] available from http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted [31 July 2019]}