Archive for the ‘Data security’ Category

Google’s legal battle to continue in the Supreme Court

Posted on July 30th, 2015 by

Google was yesterday granted permission by the UK Supreme Court to appeal against the Court of Appeal’s decision in the Vidal-Hall case (previously reported on here). In particular, the Supreme Court will consider the issue of whether the claimants can bring a claim for compensation under section 13 of the Data Protection Act 1998 even if they have not suffered actual financial loss – the milestone ruling in the original case.

The Court of Appeal ruling on this issue was thought to greatly expand the scope for data protection claims to be brought in the UK, as it opened the gates for claimants to bring DPA breach claims based on distress alone.

“The Supreme Court has granted permission in part for Google to appeal the Court of Appeal of England and Wales decision in a case relating to a dispute over the user information through cookies via use of the Apple Safari browser,” the announcement said.

In media reports, Google welcomed the outcome, saying: “We are pleased that the Supreme Court has agreed to consider key issues in this complex case.”

The announcement by the Supreme Court can be found here. The hearing is still likely to be many months away, but watch this space… the appeal will determine a very important question for defendants operating websites and other businesses within the UK.

The Digital Single Market: Has Europe bitten off more than it can chew?

Posted on May 8th, 2015 by

You may have read a lot of chatter about the European Commission’s Digital Single Market (DSM) over the last two days. The reaction in the blogosphere has already been a mix of optimism, hope, consternation, cynicism… and general Brussels fatigue.

What is the DSM?

In a nutshell, it is a strategy that seeks to create a true ‘single market’ within the EU – that is, a market where there is total free movement of goods, persons, services and capital; where individuals and businesses can seamlessly and fairly access online services, regardless of where in the EU they are situated.

Theoretically, EU citizens will finally be able to use their mobile phones across Europe without roaming charges, and access the same music, movies and sports events online at the same price wherever they are.

Whatever the public reaction, there is no doubt that the DSM is a highly ambitious strategy. It sets out wide legislative initiatives across a vast range of issues: from copyright, e-commerce, geo-blocking, competition, cross-border shipment, data protection, to telecoms regulation.

Much has already been written about these proposals and the Fieldfisher team has written this great summary of all the legislative proposals.

For the readers of this blog, we’d like to focus only on those proposals that relate to privacy and data protection.

Privacy & Data Protection issues

In our view, data issues lie at the heart of these reforms and there are four key initiatives that impact directly on these rights:

1. Review of data collection practices by online platforms

As part of the DSM, the Commission is proposing a “comprehensive analysis” of online platforms in general, ranging from search engines and social media sites to e-commerce platforms, app stores and price comparison sites.

One of the concerns of the Commission is that online platforms generate, accumulate and control an enormous amount of data about their customers and use algorithms to turn this into usable information. One study it looked at, for example, concluded that 12% of search engine results were personalized, mainly by geo-location, prior search history, or by whether the user was logged in or out of the site.

The Commission found that there was a worrying lack of awareness by consumers about the data collection practices of online platforms: they did not know what data about their online activities was being collected and how it was being used. In the Commission’s view, this not only interfered with the consumers’ fundamental rights to privacy and data protection, it also resulted in an asymmetry between market actors.

As platforms can exercise significant influence over how various players in the market are remunerated, the Commission has decided to gather “comprehensive evidence” about how online platforms use the information they acquire, how transparent they are about these practices and whether they seek to promote their own services to the disadvantage of competitors. Proposals for reform will then follow.

2. Review of the e-Privacy Directive

The e-Privacy Directive is currently a key piece of privacy legislation within the EU – governing the rules for cookie compliance, location data and electronic marketing amongst other things.

Not a huge amount has been said about this review in the DSM documents. All that we know at this stage is that the Commission plans to review the e-Privacy Directive after the adoption of the General Data Protection Regulation, with a focus on “ensuring a high level of protection for data subjects and a level playing field for all market players”. For instance, the Commission has said that it will review the e-Privacy Directive to ensure “coherence” with the new data protection provisions, and consider whether it should apply to a much wider set of service providers. It further says that the rules relating to online tracking and geo-location will be re-evaluated “in light of the constant evolution of technology” (Staff Working Document, p. 47).

3. Cloud computing and big data reforms

Cloud computing and big data services haven’t escaped the grasp of the Commission either. The Commission sees these types of services as central to the EU’s competitiveness. European companies are lagging significantly behind in their adoption and development of cloud computing and big data analytics services.

In its report, the Commission has diagnosed a number of key reasons for this lag:

  • EU businesses and consumers still do not feel confident enough to adopt cross-border cloud services for storing or processing data because of concerns relating to security, compliance with privacy rights, and data protection more generally.
  • Contracts with cloud providers often make it difficult to terminate or unsubscribe from the contract and to port their data to a different cloud provider.
  • Data localization requirements within Member States create barriers to cross-border data transfers, limiting competitive choice between providers and raising costs by forcing businesses to store data on servers physically located inside a particular country.

The Commission is therefore proposing to remove what it sees as a series of “technical and legislative barriers” – such as rules restricting the cross-border storage of data within the EU, the fragmented rules relating to copyright, the lack of clarity over the rights to use data, the lack of open and interoperable systems, and the difficulty of data portability between services.

4. Step up of cyber-security reforms

Cyber threats have led to significant economic losses, huge disruptions in services, violations of citizens’ fundamental rights and a breakdown in public trust in online activities. The Commission proposes to step up its efforts to reduce cybersecurity threats by requiring a more “joined up” approach by the EU industry to stimulate take up of more secure solutions by enterprises, public authorities and citizens. In addition, it seeks a “more effective law enforcement response” to online criminal activity.

Too ambitious…? 

The above is just the tip of the iceberg of the reforms that are being proposed. Outside of privacy and data protection issues, the DSM Strategy includes initiatives such as harmonizing copyright laws, extending media regulation to all online platforms, and prohibiting unjustified geo-blocking.

As with all ambitious reforms of this kind in the EU, there will be vocal critics on both sides, and a huge degree of political scrutiny. The timetable for completion is either the end of 2015 or the end of 2016 but, no doubt, it will be years before any legislation is actually signed off and transposed into national law.

In an industry which changes at such a rapid speed – week after week, month after month – the real danger of EU reform is that such legislation can already be conceptually outdated by the time it is brought into force and a whole new set of problems may, by then, have emerged.

But whatever the eventual outcome of these legislative initiatives, it is clear that there is an important, wider debate to be had about the global digital market: Why is the rest of the world so behind the US? What is the secret to the US’ success and dominance? Do these proposals really go to the heart of the problem? Such questions merit a post, if not a treatise, of their own. We should perhaps show some admiration towards the European Commission for trying to tackle these deep and knotty issues head on.



Finally, some certainty around Europe’s Single Digital Market Strategy

Posted on May 7th, 2015 by

If you haven’t already spotted it among the leaks, tweets and general pre-announcement noise, today the EU released its Digital Single Market Strategy. In an orchestrated tweet-fest the clunky machine of the EU ventured online endlessly pronouncing “let’s go digital with European #DigitalSingleMarket“. All the fanfare and hype was for a new Strategy “A Digital Single Market for Europe“.

The backdrop: a fear that Europe is falling behind, and a slow awakening to the inevitable truth that the Internet and digital technologies are transforming our world. Dealing with such technologies across 28 different Member States is at best extremely complex and frequently simply impossible. And yes, perhaps sometimes, the humble consumer is overwhelmed and exploited in order to deliver online gains for others.

There is a detailed commentary and explanation on our sister tech blog here.

However, readers should be aware that there are the following three privacy-related legislative initiatives:

  1. A review of the e-Privacy Directive (2002/58/EC)(by the end of 2016);
  2. The establishment of a cyber-security contractual public-privacy partnership (by the end of 2016); and
  3. Initiatives on data ownership, free flow of data (e.g. between cloud providers) and on a European cloud (by the end of 2016).

We’ll soon be reporting on the consequences and the interplay with the plans for the new General Data Protection Regulation.

What about timing?

The Single Digital Market Strategy promises: “The Digital Single Market project team will deliver on these different actions by the end of 2016. With the backing of the European Parliament and the Council, the Digital Single Market should be completed as soon as possible.” This will first be aired by the European Council in meetings on the 25th June 2015.

At the fore is a desire to champion and protect the consumer. As with the General Data Protection Regulation, perhaps underneath all this the US, Silicon Valley and the general success of its internet and online platforms in the EU markets is in the firing line. We all know these privacy law reform proposals have struggled to emerge and, even today, remain some way from agreement and becoming law. The constant leaking and previewing is over – will they now be able to deliver and advance any of these promises?

Perhaps the only certainty: this digital overhaul is likely to play out at analogue speed.

Mark Webber – Fieldfisher Silicon Valley Office
@digitechlaw for more and for updates



US and European moves to foster pro-active cybersecurity threat collaboration

Posted on March 12th, 2015 by

In this blog we report a little further on the proposals to share cybersecurity threat information within the United States. We also draw analogies with a similar initiative under the EU Cybersecurity Directive aimed at boosting security protections for critical infrastructure and enhancing information sharing around incidents that may impact that infrastructure within the EU.

Both of these mechanisms reflect a fully-formed ambition to see greater cybersecurity across the private sector. Whilst the approaches taken vary, both the EU and US wish to drive similar outcomes. Actors in the market are being asked to “up” their game. Cyber-crimes and cyber-threats are impacting companies financially, operationally and, at times, are having a detrimental impact on individuals and their privacy.

Sharing of cyber-threat information in the US

Last month we reported on Obama’s privacy proposals which included plans to enhance cybersecurity protection. These plans included requests to increase the budget available for detection and prevention mechanisms as well as for cybersecurity funding for the Pentagon. They also outlined plans for the creation of a single, central cybersecurity agency: the US government is establishing a new central agency, modelled on the National Counterterrorism Centre, to combat the threat from cyber attacks.

On February 12th 2015, President Obama signed a new Executive Order to encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government. In a White House statement they emphasised that “[r]apid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone”. The rhetoric is that, in sharing information about “risks”, all actors in the United States will be better protected and prepared to react.

This Executive Order therefore lays a basis for more private-sector and private-sector-to-government cybersecurity collaboration. The Executive Order:

  • Encourages the development of Information Sharing Organizations: with the development of information sharing and analysis organizations (ISAOs) to serve as focal points for sharing;
  • Proposes the development of a common set of voluntary standards for information sharing organizations: with Department of Homeland Security being asked to fund the creation of a non-profit organization to develop a common set of voluntary standards for ISAOs;
  • Clarifies the Department of Homeland Security’s authority to enter into agreements with information sharing organizations: the Executive Order also increases collaboration between ISAOs and the federal government by streamlining the mechanism for the National Cybersecurity and Communications Integration Center (NCCIC) to enter into information sharing agreements with ISAOs. It goes on to propose streamlining private sector companies’ ability to access classified cybersecurity threat information.

All in, Obama’s plan is to streamline private sector companies’ ability to access cybersecurity threat information. These plans were generally well-received as a step towards collective responsibility and security, though some have voiced concern that there is scant mention of liability protection for businesses that share threat information with an ISAO. Commentators have pointed out that it is this fear of liability which is a major barrier to effective threat sharing.

Past US initiatives around improving cybersecurity infrastructure

This latest Executive Order promoting private sector information sharing came one year after the launch of another US-centric development. In February 2014, the National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity pursuant to another Executive Order of President Obama’s issued back in February 2013.

This Cybersecurity Framework contains a list of recommended practices for those with “critical infrastructures”.   The Cybersecurity Framework’s executive summary explains that “[t]he national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.”

Obama’s 2013 Executive Order had called for the “development of a voluntary risk-based Cybersecurity Framework” being a set of industry standards and best practices to help organisations manage cybersecurity risks.  The resulting technology neutral Cybersecurity Framework was the result of interaction between the private sector and Government institutions. For now the use of the Cybersecurity Framework is voluntary and it relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. “Building from those standards, guidelines, and practices, the [Cybersecurity] Framework provides a common taxonomy and mechanism for organizations to:

  • Describe their current cybersecurity posture;
  • Describe their target state for cybersecurity;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate among internal and external stakeholders about cybersecurity risk.”

The Cybersecurity Framework was designed to complement, and not to replace, an organisation’s existing risk management process and cybersecurity program. There is recognition that it cannot be a one-size-fits-all solution and different organisations will have their own unique risks which may require additional considerations.

The Cybersecurity Framework states that it could be used as a model for organisations outside of the United States. Yet even in the US there are open questions about how many organisations are actually adopting and following it.

Similarities between US and European cybersecurity proposals

We can draw analogies between the US initiatives in relation to cybersecurity (including the more recent information sharing proposals) and the draft EU Cybersecurity Directive, which the team reported on in more detail in a recent blog. Both initiatives intend to drive behavioural change. But, as you may expect, the EU wants to introduce formal rules and consequences while the US remains focussed on building good cyber-citizens through awareness and information sharing.

The proposed Cybersecurity Directive would impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the European Union. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”). The NCA is loosely analogous to the ISAO information sharing body concept being developed in the US, although an NCA is a regulator receiving mandatory reports, whereas an ISAO is a voluntary industry body. In contrast to the US Framework, the EU’s own cybersecurity initiatives are now delayed (with a likely date for mere agreement of the rules of summer 2015 and implementation not likely until 2018) and somewhat diluted compared to the original announced plans.

Both the US and EU cybersecurity initiatives aim to ensure that governments and private sector bodies involved in the provision of certain critical infrastructure take appropriate steps to deal with cybersecurity threats. Both encourage these actors to share information about cyber threats. Both facilitate a pro-active approach to cyber-risk. Whilst the US approach is more about self-regulation within defined frameworks, the EU is going further and mandating compliance – that’s a seismic shift.

In the EU we wait to see the final extent of the “critical infrastructure providers” definition and whether or not “key internet enablers” will be caught within the rules or whether the more recent and narrower definition will prevail. Interplay with the data breach notification rules within the upcoming General Data Protection Regulation is also of interest.


Undoubtedly cyber-risk can hit a corporate’s bottom line. Keeping up with the pace of change and multitude of risks can be a real challenge for even the most agile of businesses. Taking adequate steps in this area is a continuous and often fast-moving process. Only time will tell whether the information sharing and interactions that these US and EU proposals are predicated on are going to be frequent enough and fast enough to make any real difference. Cyber-readiness remains at the fore because the first to be hit still wants to preserve an adequate line of defence. The end game remains the same: take appropriate technical and organisational measures to secure your networks and data.

Of course cyber-space does not respect or recognise borders. How national states co-operate and share cybersecurity threat information beyond the borders of the EU is a whole other story. What is certain is that as the cyber-threat response steps up, undoubtedly so too will the hackers and cyber-criminals. The EU’s challenge is to foster a uniform approach for more effective cybersecurity across all 28 Member States. The US also wants to improve its ability to identify and respond to cyber incidents. The US and EU understand that economic prosperity and national security depend on a collective responsibility to secure.

Those operating within the EU and beyond will in future have to adjust to operating (and, where required, complying) in an effective way across each of the emerging cybersecurity regimes.

Mark Webber, Partner, Palo Alto


Progress update on the draft EU Cybersecurity Directive

Posted on February 27th, 2015 by

In a blog earlier this year we commented on the status of the European Union (“EU”) Cybersecurity Strategy. Given that the Strategy’s flagship piece of legislation, the draft EU Cybersecurity Directive, was not adopted within the proposed institutional timeline of December 2014 and the growing concerns held by EU citizens about cybercrime, it seems that an update on EU legislative cybersecurity developments is somewhat overdue.


As more of our lives are lived in a connected, digital world, the need for enhanced cybersecurity is evident. The cost of recent high-profile data breaches in the US involving Sony Pictures, JPMorgan Chase and Home Depot ran into hundreds of millions of dollars. A terrorist attack on critical infrastructure such as telecommunications or power supplies would be devastating. Some EU Member States have taken measures to improve cybersecurity but there is wide variation across the 28-country bloc and little sharing of expertise.

These factors gave rise to the European Commission’s (the “Commission”) publication in February 2013 of a proposed Directive 2013/0027 concerning measures to ensure a high common level of network and information security across the Union (the “proposed Directive”). The proposed Directive would impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the EU. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”).

Where do things stand in the EU institutions on the proposed Directive?

On 13 March 2014 the European Parliament (the “Parliament”) adopted its report on the proposed Directive. It made a number of amendments to the Commission’s original text including:

  • the removal of “public administrations” and “internet enablers” (e.g. e-commerce platforms or application stores) from the scope of key compliance obligations;
  • the exclusion of software developers and hardware manufacturers;
  • the inclusion of a number of parameters to be considered by market operators to determine the significance of incidents and thus whether they must be reported to the NCA;
  • the enabling of Member States to designate more than one NCA;
  • the expansion of the concept of “damage” to include non-intentional force majeure damage;
  • the expansion of the list of critical infrastructure to include, for example, freight auxiliary services; and
  • the reduction of the burden on market operators including that they would be given the right to be heard or anonymised before any public disclosure and sanctions would only apply if they intentionally failed to comply or were grossly negligent.

In May-October 2014 the Council of the European Union (the “Council”) debated the proposed Directive at a series of meetings. It was broadly in favour of the Parliament’s amendments but disagreed over some high-level principles. Specifically, in the interests of speed and efficiency, the Council preferred to use existing bodies and arrangements rather than setting up a new cooperation mechanism between Member States.

In keeping with the Council’s general approach to draft EU legislation intended to harmonise practices between Member States, the institution also advocated the adoption of future-proofed flexible principles as opposed to concrete prescriptive requirements. Further, it contended that Member States should retain discretion over what information to share, if any, in the case of an incident, rather than imposing mandatory requirements.

In October-November 2014 the Commission, Parliament and Council commenced trilogue negotiations on an agreed joint text. The institutions were unable to come to an agreement during the negotiations due to the following sticking points:

  1. Scope. Member States are seeking the ability to assess (to agreed criteria) whether specific market operators come within the scope, whereas the Parliament wants all market operators within defined sectors to be captured.
  2. Internet enablers. The Parliament wants all internet enablers apart from internet exchanges to be excluded, whereas some Member States on the Council (France and Germany particularly) want to include cloud providers, social networks and search engines.
  3. There was also disagreement on the extent of strategic and operational cooperation and the criteria for incident notification.

What is the timetable for adoption of the proposed Directive?

There is political desire on behalf of the Commission to see the proposed Directive adopted as soon as possible. The Council has also stated that “the timely adoption of … the Cybersecurity Directive is essential for the completion of the Digital Single Market by 2015“.

Responsibility for enacting the reform now lies with the Latvian Presidency of the Council. On 30 January 2015, Latvian Transport Minister Anrijs Matiss stated that further trilogue negotiations would be held in March 2015, with the aim of adopting the proposed Directive by July 2015.

Once adopted, Member States will have 18 months to enact national implementing legislation so we could expect to see the proposed Directive come into force by early 2017.

How does the proposed Directive interact with other EU data privacy reforms?

In our previous blog we highlighted the difficulties facing market operators of complying with the proposed Directive in view of the potentially conflicting notification requirements in the existing e-Privacy Directive and the proposed General Data Protection Regulation (the “proposed GDPR”).

Although the text of the proposed Directive does anticipate the proposed GDPR, obliging market operators to protect personal data and implement security policies “in line with applicable data protection rules“, there has still been no EU guidance issued on how these overlapping or conflicting notification requirements would operate in practice.

Furthermore, any debate over which market operators fall within the scope of the breach notification requirements of the proposed Directive would seem to become superfluous once the proposed GDPR, with mandatory breach notifications for all data controllers, comes into force.


Rather unsurprisingly, the Commission’s broad reform has been somewhat diluted in Parliament and Council. This is a logical result of Member States seeking to impose their own standards, protect their own industries or harbouring doubts regarding the potential to harmonise practices where cybersecurity/infrastructure measures diverge markedly in sophistication and scope.

Nonetheless, the proposed Directive does still impose serious compliance obligations on market operators in relation to cybersecurity incident handling and notification.

At the risk of sounding somewhat hackneyed, cyber data breaches are no longer a question of “if” but “when” for private and public sector bodies alike. Indeed, there is an increasing awareness that a high level of security in one link is no use if this is not replicated across the chain. Whether the proposed Directive meets its aim of reducing weak links across the EU remains to be seen.

US and UK Regulators position themselves to meet the needs of the IoT market

Posted on January 30th, 2015 by

The Internet of Things (“IoT“) is set to enable large numbers of previously unconnected devices to communicate and share data with one another.

In an earlier posting I examined the future potential regulatory landscape for the IoT market and introduced Ofcom’s (the UK’s communications regulator) 2014 consultation on the Internet of Things. This stakeholder consultation was issued in order to examine the emerging debate around this increasing interconnectivity between multiple devices and to guide Ofcom regulatory priorities. Since the consultation was issued, the potential privacy issues associated with IoT continue to attract the most attention but, as yet, no IoT issues have led to any specific laws or legal change.

In two separate developments in January 2015, the UK and US Internet of Things markets were exposed to more advanced thinking and guidance around the legal challenges of the IoT.

UK IoT developments

Ofcom published its Report: “Promoting investment and innovation in the Internet of Things: Summary of responses and next steps” (27 January 2015) which responded to the views gathered during the consultation which closed in the autumn of 2014. In this report Ofcom has identified several priority areas to focus on in order to support the growth of the IoT. These “next step” Ofcom priorities are summarised across four core areas:

Spectrum availability: where Ofcom concludes that “existing initiatives will help to meet much of the short to medium term spectrum demand for IoT services. These initiatives include making spectrum available in the 870/915MHz bands and liberalising licence conditions for existing mobile bands. We also note that some IoT devices could make use of the spectrum at 2.4 and 5GHz, which is used by a range of services and technologies including Wi-Fi.” Ofcom goes on to recognise that, as IoT grows and the sector develops, there may be a renewed need to release more spectrum in the longer term.

Network security and resilience: where Ofcom holds the view that “as IoT services become an increasingly important part of our daily lives, there will be growing demands both in terms of the resilience of the networks used to transmit IoT data and the approaches used to securely store and process the data collected by IoT devices“. Working with other sector regulators where appropriate, Ofcom plans to continue existing security and resilience investigations and to extend its thoughts to the world of IoT.

Network addressing: where Ofcom, previously fearing numbering scarcity, now recognises that “telephone numbers are unlikely to be required for most IoT services. Instead IoT services will likely either use bespoke addressing systems or the IPv6 standard. Given this we intend to continue to monitor the progress being made by internet service providers (ISPs) in migrating to IPv6 connectivity and the demand for telephone numbers to verify this conclusion“; and

Privacy: In the particularly hot privacy arena there is nothing new within Ofcom’s preliminary conclusions. Ofcom concludes that “a common framework that allows consumers easily and transparently to authorise the conditions under which data collected by their devices is used and shared by others will be critical to future development of the IoT sector.” In a world where the UK’s Data Protection Act already applies, it was inevitable that Ofcom (without a direct regulatory remit over privacy) would offer little further insight in this regard.

It’s not surprising to read in the Report that commentary within the responses highlighted data protection and privacy as potentially the “greatest single barrier to the development of the IoT”. The findings from its consultation do foresee potential inhibitors to IoT adoption resulting from these privacy challenges, and Ofcom acknowledges that the activities and guidance of the UK Information Commissioner (ICO) and other regulators will be pertinent to achieving clarity. Ofcom will be co-ordinating further cooperation and discussion with such bodies both nationally and internationally.

A measured approach to an emerging sector

Ofcom appears to be striking the right balance here for the UK. Ofcom suggests that future work with ICO and others could include examining some of the following privacy issues:

  • assessing the extent to which existing data protection regulations fully encompass the IoT;
  • considering a set of principles for the sharing of data within the IoT looking to principles of minimisation and restricting the overall time any data is stored for;
  • forming a better understanding of consumer attitudes to sharing data and considering techniques to provide consumers “with the necessary information to enable them to make an informed decision on whether to share their data”; and
  • in the longer term, exploring the merit of a consumer education campaign exposing the potential benefits of the IoT to consumers.

The perceived need for more clarity around privacy and the IoT

International progress around self-regulation, standards and operational best practice will inevitably be slow. On the international stage, Ofcom suggests it will work with existing research groups (such as the ones hosted by BEREC amongst other EU regulators).

We of course already have insight from Working Party 29 in its September 2014 Opinion on the Internet of Things. The Fieldfisher privacy team expounded the Working Party’s regulatory mind-set in another of our Blogs. The Working Party has warned that the IoT can reveal ‘intimate details’; ‘sensor data is high in quantity, quality and sensitivity’ and the inferences that can be drawn from this data are ‘much bigger and sensitive’, especially when the IoT is seen alongside other technological trends such as cloud computing and big data analytics.

As with previous WP29 Opinions (think cloud, for example), the regulators in that Opinion have taken a very broad-brush approach and have set the bar so high that there is a risk their guidance will be impossible to meet in practice and, therefore, may be largely ignored. This is in contrast to the more pragmatic FTC musings explained further below: though it follows a similar approach to protecting privacy, the EU approach is far more alarmist and potentially restrictive.

Hopefully, as practical and innovative assessments are made in relation to technologies within the IoT, new pragmatic solutions will emerge to some of these privacy challenges: perhaps standard “labels” for transparency notifications to consumers, industry protocols for data sharing coupled with associated controls, and possibly more recognition from the regulators that swamping consumers with more choices and information can sometimes amount to no choice at all (as citizens start to ignore a myriad of options and simply proceed with their connected lives, ignoring the interference of yet another pop-up or check-box). Certainly, with increasing device volumes and data uses in the IoT, consumers will continue to value their privacy. But if this myriad of devices is without effective security, they will soon learn that both privacy and security issues count.

And in other news….US developments

Just as the UK’s regulators are turning their attention to the IoT, the Federal Trade Commission (FTC) also published a new Report on the IoT in January 2015. Like Ofcom’s foray into the world of the IoT, the FTC’s steps in “Privacy & Security in a Connected World” are exploratory. To a degree, there is now more pragmatic and realistic guidance around best practices in making IoT services available in the US than we have today in Europe.

In this report the FTC recommends “a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to reap the benefits from a growing world of Internet-connected devices.” As with Ofcom, it recognises that best practice steps need to emerge to ensure the potential of the IoT can be realised. This reads as an active invitation to those playing in the IoT to self-regulate and act as good data citizens. With the surge in active enforcement by the FTC during 2014, this is something worthy of attention for those engaged in the consumer-facing world of the IoT.

As the Federal Trade Commission works for consumers to prevent fraudulent, deceptive and unfair business practices and to provide information to help spot, stop and avoid them, the FTC’s approach focusses more on the risks that will arise from a lack of transparency and excessive data collection than on the practical challenges the US IoT industry may encounter as the IoT and its devices create an increasing demand on infrastructure and spectrum.

The report focuses on three core topics: (1) Security, (2) Data Minimisation and (3) Notice and Choice. Of particular note, the FTC report makes a number of recommendations for anyone building solutions or deploying devices in the IoT space:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

With echoes of privacy by design and data minimisation, recommendations to limit the collection and retention of information, suggestions to impose security on outside contractors and recommendations to consider notice and choice, it could transpire that the IoT space will be one where we see fewer differences in the application of US and EU best practice.

In addition to its report, the FTC also released a new publication designed to provide practical advice about how to build security into products connected to the Internet of Things. This report, “Careful Connections: Building Security in the Internet of Things”, encourages “a risk-based approach” and suggests businesses active in the IoT “take advantage of best practices developed by security experts, such as using strong encryption and proper authentication”.

Where next?

Both reports indicate a consolidation in regulatory thinking around the much-hyped world of IoT. Neither report proposes concrete laws for the IoT and, if they are to come, such laws are some time off. The FTC even goes as far as saying “IoT-specific legislation at this stage would be premature”. However, it does actively “urge further self-regulatory efforts on IoT, along with enactment of data security and broad-based privacy legislation”. Obama’s new data privacy proposals are obviously seen as a complementary step toward US consumer protection. What is clear is that there are now emerging good practices and a deeper understanding at the regulators of the IoT, its potential and its risks.

On both sides of the Atlantic the US and UK regulators are operating a “wait and see” policy. In the absence of legislation, with other potentially privacy-sensitive emerging technologies we have seen self-regulatory programmes within particular sectors or practices emerge to help guide and standardise practice around norms. This can protect at the same time as introducing an element of certainty around which business is able to innovate.

Mark Webber – Partner, Palo Alto California


A New ISO Standard for Cloud Computing

Posted on November 5th, 2014 by

The summer of 2014 saw another ISO Standard published by the International Standards Organisation (ISO). ISO27018:2014 is a voluntary standard governing the processing of personal data in the public cloud.

With the catchy title of “Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO27018”), it is perhaps not surprising that this long-awaited standard is yet to slip off the tongue of every cloud enthusiast. European readers may have assumed that references to PII meant this standard was aimed firmly at the US – wrong!

What is ISO27018?

ISO27018 sets out a framework of “commonly accepted control objectives, controls and guidelines” which can be followed by any data processors processing personal data on behalf of another party in the public cloud.

ISO27018 has been crafted by ISO to have broad application, from large to small and from public entity to government or non-profit.

What is it trying to achieve?

Negotiations in cloud deals which involve the processing of personal data tend to be heavily influenced by the customer’s perceptions of heightened data risk and sometimes by very real challenges to data privacy compliance. This is a hurdle for many cloud adopters as they relinquish control over data and rely on the actions of another (and sometimes those under its control) to maintain adequate safeguards. In Europe, until we see the new Regulation perhaps, a data processor has no statutory obligations when processing personal data on behalf of another. ISO27018 goes some way towards imposing on the processor a level of responsibility for the personal information it processes.

ISO27018’s introductory pages call out its objectives:

  • It’s a tool to help the public cloud provider to comply with applicable obligations: for example there are requirements that the public cloud provider only processes personal information in accordance with the customer’s instructions and that they should assist the customer in cases of data subject access requests;
  • It’s an enabler of transparency allowing the provider to demonstrate why their cloud services are well governed: imposing good governance obligations on the public cloud provider around its information security organisation (eg the segregation of duties) and objectives around human resource security prior to (and during employment) and encouraging programmatic awareness and training. Plus it echoes the asset management and access controls elements of other ISO standards (see below);
  • It will assist the customer and vendor in documenting contractual obligations: by addressing typical contractually imposed accountability requirements; data breach notification, imposing adequate confidentiality obligations on individuals touching on data and flowing down technical and organisational measures to sub-processors, as well as requiring the documentation of data location. This said, a well-advised customer may wish to delve deeper as this is not a full replacement for potential data controller to processor controls; and
  • It offers the public cloud customer a mechanism to exercise audit and compliance rights: with ISO27018’s potential application across disparate cloud environments, it remains to be seen whether a third party could certify compliance against some of the broader data control objectives contained in ISO27018. However, regular review and reporting and/or conformity reviews may provide a means for vendor or third party verification (potentially of more use where shared and/or virtualised server environments practically frustrate direct audit of data, systems and data governance practice by the customer).

ISO27018 goes some way towards delivering these safeguards. It is also a useful tool for a customer to evaluate the cloud services and data handling practices of a potential supplier. But it’s not simple and it’s not a substitute for imposing compliance and control via contract.

A responsible framework for public cloud processors

Privacy laws around the world prescribe nuanced, and sometimes no, obligations upon those who determine the manner in which personal information is used. Though ISO27018 is not specifically aimed at the challenges posed by European data protection laws, or those of any other jurisdiction for that matter, it is flexible enough to accommodate many of the inevitable variances. It cannot fit all current rules and may not fit future ones. However, in building this flexibility, it loses some of its potential bite to generality.

Typically entities adopting ISO27001 (Information security management) are seeking to protect their own data assets, but it is increasingly a benchmark standard for data management and handling among cloud vendors. ISO27018 builds upon ISO27002 (Information technology – Security techniques – Code of practice for information security controls), reflecting its controls but adapting these for public cloud by mapping back to ISO27002 obligations where they remain relevant and supplementing these controls where necessary by prescribing additional controls for public cloud service provision (as set out separately in Annex A to ISO27018). As you may therefore expect, ISO27018 explicitly anticipates that a personal information controller would be subject to wider obligations than those specified and aimed at processors.

Adopting ISO27018

Acknowledging that the standard cannot be all-encompassing, and that the flavours of cloud are wide and varied, ISO27018 calls for an assessment to be made across applicable personal information “protection requirements”. ISO27018 calls for the organisation to:

  • assess the legal, statutory, regulatory and contractual obligations of itself and its partners (noting particularly that some of these may mandate particular controls (for example preserving the need for written contractual obligations in relation to data security under the Directive (95/46/EC) 7th Principle));
  • complete a risk assessment across its business strategy and information risk profile; and
  • factor in corporate policies (which may, at times, go further than the law for reasons of principle, global conformity or because of third party influences).

What ISO27018 should help with

ISO27018 offers a reference point for controllers who wish to adopt cloud solutions run by third party providers. It is a cloud computing information security control framework which may form part of a wider contractual commitment to protect and secure personal information.

As we briefly explained in an earlier post in our tech blog, the European Union has also spelled out its desire to promote uniform standard setting in cloud computing. ISO27018 could satisfy the need for a broadly applicable, auditable data management framework for public cloud provision. But it’s not EU-specific and lacks some of the rigour an EU-based customer may seek.

What ISO27018 won’t help with

ISO27018 is not an exhaustive framework. There are a few obvious flaws:

  • It’s been designed for use in conjunction with the information security controls and objectives set out in ISO27002 and ISO27001, which provide general information security frameworks. This is a high threshold for small or emerging providers (many of which do not meet all these controls or certify to these standards today). So it is more accessible for large enterprise providers, but something to weigh up: the more controls there are, the more ways there are to slip up;
  • Although it may be used as a benchmark for security, coupled with contractual commitments to meet and maintain selected elements of ISO27018, it won’t be relevant to all cloud solutions and compliance situations (though some will use it as if it were);
  • It perpetuates the use of the PII moniker which, already holding a specific US legal connotation (i.e. narrower application), is now used in a more widely defined context under ISO27018 (in fact PII under ISO27018 is closer to the definition of personal data under EU Directive 95/46/EC). This could confuse the stakeholders in multi-national deals, and the corresponding use of PII in the full title to ISO27018 potentially misleads around the standard’s potential applicability and use cases;
  • ISO27018 is of no use in situations where the cloud provider is (or assumes the role of) data controller, and it assumes all data in the cloud is personal data (so watch this space for ISO27017 (coming soon), which will apply to any data (personal or otherwise)); and
  • For EU based data controllers, other than constructing certain security controls, ISO27018 is not a mechanism or alternative route to legitimise international data transfers outside of the European Economic Area. Additional controls will have to be implemented to ensure such data enjoys adequate protection.

What now?

ISO27018 is a voluntary standard and not law, and it won’t entirely replace the need for specific contractual obligations around processing, accessing and transferring personal data. In a way its ultimate success can be gauged by the extent of eventual adoption. It will be used to differentiate, but it will not always answer all the questions a well-informed cloud adopter should be asking.

It may be used in whole or in part, and may be asserted and used alongside or as a part of contractual obligations, information handling best practice or simply as a benchmark which a business will work towards. Inevitably there will be those who treat the Standard as if it is the law, without thought about what they are seeking to protect against and what potential wrongs they are seeking to right. If so, they will not reap the value of this kind of framework.


What does EU regulatory guidance on the Internet of Things mean in practice? Part 1

Posted on October 31st, 2014 by

The Internet of Things (IoT) is likely to be the next big thing, a disruptive technological step that will change the way in which we live and work, perhaps as fundamentally as the ‘traditional’ Internet did. No surprise then that everyone wants a slice of that pie and that there is a lot of ‘noise’ out there. This is so despite the fact that to a large extent we’re not really sure about what the term ‘Internet of Things’ means – my colleague Mark Webber explores this question in his recent blog. Whatever the IoT is or is going to become, one thing is certain: it is all about the data.

There is also no doubt that the IoT triggers challenging legal issues that businesses, lawyers, legislators and regulators need to get their heads around in the months and years to come. Mark discusses these challenges in the second part of his blog (here), where he considers the regulatory outlook and briefly discusses the recent Article 29 Working Party Opinion on the Internet of Things.

Shortly after the WP29 Opinion was published, Data Protection and Privacy Commissioners from Europe and elsewhere in the world adopted the Mauritius Declaration on the Internet of Things. It is aligned to the WP29 Opinion, so it seems that privacy regulators are forming a united front on privacy in the IoT. This is consistent with their drive towards closer international cooperation – see for instance the latest Resolution on Enforcement Cooperation and the Global Cross Border Enforcement Cooperation Agreement (here).

The regulatory mind-set

You only need to read the first few lines of the Opinion and the Declaration to get a sense of the regulatory mind-set: the IoT can reveal ‘intimate details’; ‘sensor data is high in quantity, quality and sensitivity’ and the inferences that can be drawn from this data are ‘much bigger and sensitive’, especially when the IoT is seen alongside other technological trends such as cloud computing and big data analytics. The challenges are ‘huge’, ‘some new, some more traditional, but then amplified with regard to the exponential increase of data processing’, and include ‘data losses, infection by malware, but also unauthorized access to personal data, intrusive use of wearable devices or unlawful surveillance’.

In other words, in the minds of privacy regulators, it does not get much more intrusive (and potentially unlawful) than this, and if the IoT is left unchecked, it is the quickest way to an Orwellian dystopia. Not a surprise then that the WP29 supports the incorporation of the highest possible guarantees, with users remaining in complete control of their personal data, which is best achieved by obtaining fully informed consent. The Mauritius Declaration echoes these expectations.

What the regulators say

Here are the main highlights from the WP29 Opinion:

  1. Anyone who uses an IoT object, device, phone or computer situated in the EU to collect personal data is captured by EU data protection law. No surprises here.
  2. Data that originates from networked ‘things’ is personal data, potentially even if it is pseudonymised or anonymised (!), and even if it does not relate to individuals but rather relates to their environment. In other words, pretty much all IoT data should be treated as personal data.
  3. All actors who are involved in the IoT or process IoT data (including device manufacturers, social platforms, third party app developers, other third parties and IoT data platforms) are, or at least are likely to be, data controllers, i.e. responsible for compliance with EU data protection law.
  4. Device manufacturers are singled out as having to take more practical steps than other actors to ensure data protection compliance (see below). Presumably, this is because they have a direct relationship with the end user and are able to collect ‘more’ data than other actors.
  5. Consent is the first legal basis that should be principally relied on in the IoT. In addition to the usual requirements (specific, informed, freely given and freely revocable), end users should be enabled to provide (or withdraw) granular consent: for all data collected by a specific thing; for specific data collected by anything; and for a specific data processing. However, in practice it is difficult to obtain informed consent, because it is difficult to provide sufficient notice in the IoT.
  6. Controllers are unlikely to be able to process IoT data on the basis that it is in their legitimate interests to do so, because it is clear that this processing significantly affects the privacy rights of individuals. In other words, in the IoT there is a strong regulatory presumption against the legitimate interests ground and in favour of consent as the legitimate basis of processing.
  7. IoT devices constitute ‘terminal devices’ for EU law purposes, which means that any storage of information, or access to information stored, on an IoT device requires the end user’s consent (note: the requirement applies to any information, not just personal data).
  8. Transparency is absolutely essential to ensure that the processing is fair and that consent is valid. There are specific concerns around transparency in the IoT, for instance in relation to providing notice to individuals who are not the end users of a device (e.g. providing notice to a passer-by whose photo is taken by a smart watch).
  9. The right of individuals to access their data extends not only to data that is displayed to them (e.g. data about calories burnt that is displayed on a mobile app), but also the raw data processed in the background to provide the service (e.g. the biometric data collected by a wristband to calculate the calories burnt).
  10. There are additional specific concerns and corresponding expectations around purpose limitation, data minimisation, data retention, security and enabling data subjects to exercise their rights.


It is also worth noting that some of the expectations set out in the Opinion do not currently have an express statutory footing, but rather reflect provisions of the draft EU Data Protection Regulation (which may or may not become law): privacy impact assessments, privacy by design, privacy by default, security by design and the right to data portability feature prominently in the WP29 Opinion.

The regulators’ recommendations

The WP29 makes recommendations regarding what IoT stakeholders should do in practice to comply with EU data protection law. The highlights include:

  1. All actors who are involved in the IoT or process IoT data as controllers should carry out Privacy Impact Assessments and implement Privacy by Design and Privacy by Default solutions; should delete raw data as soon as they have extracted the data they require; and should empower users to be in control in accordance with the ‘principle of self-determination of data’.
  2. In addition, device manufacturers should:
    1. follow a security by design principle;
    2. obtain consents that are granular (see above), and the granularity should extend to enabling users to determine the time and frequency of data collection;
    3. notify other actors in the IoT supply chain as soon as a data subject withdraws their consent or opposes a data processing activity;
    4. limit device fingerprinting to prevent location tracking;
    5. aggregate data locally on the devices to limit the amount of data leaving the device;
    6. provide users with tools to locally read, edit and modify data before it is shared with other parties;
    7. provide interfaces to allow users to extract aggregated and raw data in a structured and commonly used format; and
    8. enable privacy proxies that inform users about what data is collected, and facilitate local storage and processing without transmitting data to the manufacturer.
  3. The Opinion sets out additional specific expectations for app developers, social platforms, data platforms, IoT device owners and additional data recipients.

I have no doubt that there are genuinely good intentions behind the WP29 Opinion and the Mauritius Declaration. What I am not sure about is whether the approach of the regulators will encourage behaviours that protect privacy without stifling innovation and impeding the development of the IoT. I am not even sure if, despite the good intentions, in the end the Opinion will encourage ‘better’ privacy protections in the IoT. I explain why I have these concerns and how I think organisations should be approaching privacy compliance in the IoT in Part 2 of this piece.

PART 2 – The regulatory outlook for the Internet of Things

Posted on October 22nd, 2014 by

In Part 1 of this piece I posed a question: the Internet of Things – what is it? I argued that even the concept of the Internet of Things (“IoT”) itself is somewhat ill-defined, making the point that there is no definition of IoT and, even if there were, that the definition would only change. What’s more, IoT will mean different things to different people and refer to something new each year.

For all the commentary, there is no specific IoT law today (sorry, there is no Internet of Things (Interconnectivity) Act in the UK, nor will there be any time soon). We are left applying a variety of existing laws across telecoms, intellectual property, competition, health and safety and data privacy / security. Equally, with a number of open questions about how the IoT will work, how devices will communicate and identify each other etc., there is also a lack of standards and industry-wide co-operation around IoT.

Frequently based around data use, and with potentially intrusive application in the consumer space (think wearables, intelligent vehicles and healthtech), there is no doubt that convergence around IoT will fan privacy questions and concerns.

An evolving landscape

This lack of definition, coupled with a nascent landscape of standards, interfaces, and protocols leaves many open questions about future regulation and the application of current laws. On the regulatory front there is little sign of actual law-making or which rules may evolve to influence our approach or analysis.

Across the US, the UK and the rest of Europe, the regulatory bodies with an interest in IoT are diverse, with a range of regulatory mandates and sometimes with a defined role confined to specific sectors. Some of these regulators are waking up to the potential issues posed by IoT and a few are reaching out to the industry as a whole to consult and stimulate discussion. We’re more likely to see piecemeal regulation addressing specific issues than something all-encompassing.

The challenge of new technology

Undoubtedly the Internet of Things will challenge law makers as well as those of us who construe the law. It’s possible that in navigating these challenges and our current matrix of laws and principles we may influence the regulatory position as a result. Some obvious examples of where these challenges may come from are:

  • Adaptations to spectrum allocation. If more devices want to communicate, many of these will do so wirelessly (whether via short range or wide area comms or mobile). The key is that these exchanges don’t interfere with each other and that there is sufficient capacity available within the allocated spectrum. This may need to be regulated.
  • Equally, as demand increases, with a scarce resource what kind of spectrum allocation is “fair” and “optimal”, and is some machine-to-machine traffic more important than other traffic? With echoes of the net neutrality debate, the way this evolves will be interesting. Additionally, if market dominance emerges around one technology, will there be competition/anti-trust concerns?
  • The technologies surrounding the IoT will throw up intellectual property and licensing issues. The common standards and exchange and identification protocols themselves may be controlled by an interested party or parties, or released on an “open” basis. Regulation may need to step in to promote economic advance via speedy adoption or simply act as an honest broker in a competitive world; and
  • In some applications of IoT the concept of privacy will be challenged. In a decentralised world the thorny issues of consent and reaffirming consent will be challenging. This said, many IoT deployments will not involve personal information or identifiers. Plus, whatever the data, issues around security become more acute.

We have a good idea what issues may be posed, but we don’t yet know which will impose themselves sufficiently to force regulation or market intervention.

Consultation – what IoT means for the policy agenda

There have been some opening shots in this potential regulatory debate because a continued interconnectivity between multiple devices raises potential issues.

In issuing a new Consultation, “Promoting investment and innovation in the Internet of Things”, Ofcom (the UK’s communications regulator) kicked off its own learning exercise to identify potential policy concerns around:

  • spectrum allocation and providing for potential demand;
  • understanding of the robustness and reliability issues placed upon networks which demand resilience and security (the corresponding issue of privacy is recognised also);
  • a need for each connected device to have an assigned name or identifier, and questioning just how those addresses should be determined and potentially how they would be assigned; and
  • understanding its potential role as the UK’s regulator in an area (connectivity) key to the evolution of IoT.

In a varied and quite penetrable paper, Ofcom’s consultation recognises what many will be shouting: its published view “is that industry is best placed to drive the development, standardisation and commercialisation of new technology”. However, it goes on to recognise that “given the potential for significant benefits from the development of the IoT across a range of industry sectors, [Ofcom] are interested in views on whether we should be more proactive; for example, in identifying and making available key frequency bands, or in helping to drive technical standards.”

Europe muses while Working Party 29 wades in with an early warning about privacy

IoT adoption has been on Europe’s “Digital Agenda” for some time and in 2013 it reported back on its own Conclusions of the Internet of Things public consultation. There is also the “Connected Continent” initiative chasing a single EU telecoms market for jobs and growth. The usual dichotomy is playing out, equating technology adoption with “growth” while Europe wrestles with an urge to protect consumers and markets.

In just one such fight with this urge, in the past month the Article 29 Working Party (comprising the data privacy regulators of Europe) published its own Opinion 8/2014 on the Recent Developments on the Internet of Things. Recognising that it’s impossible to predict with any certainty the extent to which the IoT will develop, the group also calls out that the development must “respect the many privacy and security challenges which can be associated with IoT”.

Their Opinion focuses on three specific IoT developments:

  • Wearable Computing;
  • Quantified Self; and
  • Domotics (home automation).

This Opinion doesn’t even consider B2B applications and more global issues like “smart cities”, “smart transportations”, as well as M2M (“machine to machine”) developments. Yet the principles and recommendations in their Opinion may well apply outside its strict scope and cover these other developments in the IoT. It’s one of our only guiding lights (and one which applies high standards of responsibility).

As one would expect, the Opinion identifies the “main data protection risks that lie within the ecosystem of the IoT before providing guidance on how the EU legal framework should be applied in this context”. What’s more the Working Party “supports the incorporation of the highest possible guarantees for individual users at the heart of the projects by relevant stakeholders. In particular, users must remain in complete control of their personal data throughout the product lifecycle, and when organisations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific.”

The Fieldfisher team will shortly publish its thoughts and explanation of this Opinion. As one may expect, the IoT can and will challenge the privacy notions of transparency and consent, let alone proportionality and purpose limitation. This means that accommodating the EU’s data privacy principles within the application of some IoT will not always be easy. Security poses another tricky concept and conversation. Typically these are issues to be tackled at the design stage and not as a legal afterthought. Step forward the concept of privacy by design (a concept recognised now around the globe).

In time, who knows, we may even see the EU Data Protection Regulation pass and face enhanced privacy obligations in Europe, with a new focus on “profiling” and legal responsibilities falling beyond the data processor, exerting its own force over the IoT.

The US is also alive to the potential needs of IoT

But Europe is not alone; with its focus on activity-specific laws or laws regulating specific industries, even the US may be addressing particular IoT concerns with legislation. Take the “We Are Watching You Act” currently with Congress and the “Black Box Privacy Protection Act” with the House of Representatives. Each now apparently has a low chance of actually passing, but they would regulate monitoring and surveillance by video devices in the home and force car manufacturers to disclose to consumers the presence of event data recorders, or ‘black boxes’, in new automobiles.

A wider US development possibly comes from the Federal Trade Commission, which hosted public workshops in 2013, itself interested in privacy and security in the connected world and the growing connectivity of devices. In the FTC’s own words: “[c]onnected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The workshop brought together academics, business and industry representatives, and consumer advocacy groups to explore the security and privacy issues in this changing world. The workshop served to inform the Commission about the developments in this area.” Though there are no concrete proposals yet, 2014 has seen a variety of continued commentary around “building trust” and “maximising consumer benefits through consumer control”. With its first IoT enforcement action falling in 2013 (in respect of connected baby monitors from TRENDnet whose feeds were not secure), there’s no doubt the evolution of IoT is on the FTC’s radar.

FTC Chairwoman Edith Ramirez commented that “The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet”.

No specific law, but plenty of applicable laws

My gut instinct to hold back on my IoT commentary had served me well enough. In the legal sense with little to say, perhaps even now I’ve spoken too soon? What is clear is that we’re immersing ourselves in IoT projects, wearable device launches, health monitoring apps, intelligent vehicles and all the related data sharing already. The application of law to the IoT needs some legal thought and, without specific legislation today, as for many other emerging technologies we must draw upon:

  • Our insight into the existing law and its current application across different legal fields; and
  • Rather than applying a rule specific to IoT, we have to ask the right questions to build a picture of the technology, the way it communicates and figure out the commercial realities and relative risks posed by these interactions.

Whether the internet of customers, the internet of people, data, processes or even the internet of everything; applied legal analysis will get us far enough until we actually see some substantive law for the IoT. This is today’s IoT challenge.

Mark Webber – Partner, Palo Alto California

Part 1: Cutting through the Internet of Things hyperbole

Posted on October 15th, 2014 by

I’ve held back writing anything about the Internet of Things (or “IoT”) because there are so many developments playing out in the market. Not to mention so much “noise”.

Then something happened: “It’s Official: The Internet Of Things Takes Over Big Data As The Most Hyped Technology” read a Forbes headline. “Big data”, last week’s darling, is condemned to the “Trough of Disillusionment” while Gartner moves IoT to the very top of its 2014 emerging technologies Hype Cycle. Something had to be said.

The key point for me is that the IoT is “emerging”. What’s more, few are entirely sure where they are on this uncharted journey of adoption. IoT has reached an inflexion point and a point where businesses and others realise that identifying with the Internet of Things may drive sales, shareholder value or merely kudos. We all want a piece of this pie.

In Part 1 of this two part exploration of IoT, I explore what the Internet of Things actually is.

IoT – what is it?

Applying Gartner’s parlance, one thing is clear: when any tech theme hits the “Peak of Expectations” the “Trough of Disillusionment” will follow because, as with any emerging technology, it will be some time until there is pervasive adoption of IoT. In fact, for IoT, Gartner says widespread adoption could be 5 to 10 years away. However, this inflexion point is typically the moment in time when the tech industry’s big guns ride into town and, just as with cloud (remember some folk trying to trade mark the word?!), this will only drive further development and adoption. But also further hype.

The world of machine to machine (“M2M”) communications involved the connection of different devices which previously did not have the ability to communicate. For many, the Internet of Things is something more; as Ofcom (the UK’s communications regulator) set out in its UK consultation, IoT is a broader term, “describing the interconnection of multiple M2M applications, often enabling the exchange of data across multiple industry sectors”.

“The Internet of Things will be the world’s most massive device market and save companies billions of dollars” shouted Business Week in October 2014, happy to maintain the hype but also acknowledging in its opening paragraph that IoT is “beginning to grow significantly”. No question, IoT is set to enable large numbers of previously unconnected devices to connect and then communicate, sharing data with one another. Today we are mainly contemplating rather than experiencing this future.

But what actually is it?

The emergence of IoT is driving some great debate. When assessing what IoT is and what it means for business models, the law and for commerce generally, arguably there are more questions than there are answers. In an exploratory piece in ZDNET, Richie Etwaru called out a few of these unanswered questions and prompted some useful debate and feedback. The top three questions raised by Richie were:

  • How will things be identified? – believing we have to get to a point where there are standards for things to be sensed and connected;
  • What will the word trust mean to “things” in IoT? – making the point we need to redefine trust in edge computing; and
  • How will connectivity work? – Is there something like IoTML (The Internet of Things Markup Language) to enable trust and facilitate this communication?

None of these questions are new, but his piece reinforces that we don’t quite know what IoT is and how some of its technical questions will be addressed. It’s likely that standardisation or industry practice and adoption around certain protocols and practices will answer some of these questions in due course. As a matter of public policy we may see law makers intervene to shape some of these standards or drive particular kinds of adoption. There will be multiple answers to the “what is IoT?” question for some time. I suspect in time different flavours and business models will come to the fore. Remember when every cloud seminar spent the first 15 minutes defining cloud models and reiterating extrapolations for the future size of the cloud market? Brace yourselves!

I’ve been making the same points about “cloud” for the past 5 years – like cloud, the IoT is a fungible concept. So, as with cloud, don’t assume IoT has a definitive meaning. As with cloud, don’t expect there is any specific Internet of Things law (yet?). As Part 2 of this piece will discuss, law makers have spotted there’s something new which may need regulatory intervention to cultivate it for the good of all, but they’ve also realised that there’s something which may grow with negative consequences – something that may need to be brought into check. Privacy concerns particularly have raised their head early and we’ve seen early EU guidance in an opinion from the Article 29 Working Party, but there is still no specific IoT law. How can there be when there is still little definition?

Realities of a converged world

For some time we’ve been excited about the convergence of people, business and things. Gartner reminds us that “[t]he Internet of Things and the concept of blurring the physical and virtual worlds are strong concepts in this stage. Physical assets become digitalized and become equal actors in the business value chain alongside already-digital entities”. In other words: a land of opportunity, but an ill-defined “blur” of technology and of what is real and merely conceptual within our digital age.

Of course the IoT world is also a world bumping up against connectivity, the cloud and mobility. Of course there are instances of IoT out there today. Or are there? As with anything that’s emerging the terminology and definition of the Internet of Things is emerging too. Yes there is a pervasiveness of devices, yes some of these devices connect and communicate, and yes devices that were not necessarily designed to interact are communicating, but are these examples of the Internet of Things? Break these models down into constituent parts for applied legal thought and does it necessarily matter?

Philosophical, but for a reason

My point? As with any complex technological evolution, as lawyers we cannot apply laws, negotiate contracts or assess risk or the consequences for privacy without a proper understanding of the complex ecosystem we’re applying these concepts to. Privacy consequences cannot be assessed in isolation and without considering how the devices, technology and data actually interact. Be aware that the IoT badge means nothing legally and probably conveys little factual information around “how” something works. It’s important to ask questions. Important not to assume.

In Part 2 of this piece I will discuss some early signs of how the law may be preparing to deal with all these emerging trends. Of course the answer is that it probably already does, and it probably has the flexibility to deal with many elements of IoT yet to emerge.