Internet of Things rules might change after the recommendations issued by the US Federal Trade Commission (FTC) and the commitments made by the UK telecom regulator, Ofcom, which set out principles for the future of the IoT that any other regulator worldwide might follow.
I have discussed in several posts the legal issues relating to the Internet of Things and whether Internet of Things regulations are now necessary. But the move from the FTC and Ofcom might considerably change the future scenario.
The FTC Internet of Things report
The FTC issued a report named “Privacy and Security in a Connected World”, in which it provides some recommendations in terms of best practices for companies in relation to:
1. Data Security
Companies should implement a “security by design” approach in relation to Internet of Things devices, embedding security features into the products at the outset through privacy and security assessments of the risks connected to the collection and retention of consumer information.
The increase in cybercrime risks is a major issue for IoT technologies, and the principle of “privacy by design” is one of the backbones of the upcoming new European privacy regulation; therefore a consistent approach is envisaged by US and European companies.
2. Data Minimization
Companies should have policies and practices that impose reasonable limits on the collection and retention of consumer data, deleting or de-identifying data which they no longer have a business need to retain.
European data protection laws prescribe the same principle: data should not be collected and processed in excess of what is necessary to achieve the purposes of the data processing.
3. Notice and Choice
Individuals should be able to make informed choices on the processing of their data. This does not apply to “practices that are consistent with the context of a transaction or the company’s relationship with the consumer”, since such data processing would be in line “with consumers’ reasonable expectations” and the cost to consumers and businesses of providing notice and choice likely outweighs the benefits. According to the FTC, no informed consent is necessary, for instance, if a company uses an individual’s data for a functionality of one of its products and then decides to use the same data for another functionality of the product or to recommend a different product of its own.
And this is a major difference between the FTC’s approach and what is prescribed by European privacy regulations, which are much less flexible. However, as done by the Italian data protection authority in relation to consent to the usage of cookies, some more flexible approaches might and shall be introduced by privacy authorities to ensure the growth of the Internet of Things in Europe.
4. No need for Internet of Things-specific legislation
The Internet of Things industry is in its relatively early stages and there is no need for the privacy and security risks to be addressed through IoT-specific legislation at this time. But, according to the FTC, data security legislation and “baseline” privacy legislation should be introduced.
The scenario in Europe is just the opposite, since privacy regulations are already in place, also providing for stringent security obligations, and, if no exceptions to their applicability or more flexible approaches are adopted, Internet of Things technologies might face regulatory barriers.
The Ofcom Internet of Things report
Ofcom had launched a call for inputs on how to regulate the Internet of Things, followed by the Italian telecom authority AgCom, and the result of such consultation is a report named “Promoting Investment and Innovation in the Internet of Things”. Ofcom has identified four main areas of concern for the Internet of Things:
1. Data Privacy and Consumer Literacy
The growth of the Internet of Things sector requires a system whereby users remain comfortable providing their personal data for IoT applications. According to Ofcom, current privacy regulations may soon become outdated when run in conjunction with the new services arising out of the IoT. As a result, Ofcom will cooperate with the privacy authority to facilitate and explore solutions to data privacy issues that the IoT may present.
This represents a crucial step forward, since telecom and privacy authorities should cooperate with other public authorities and private companies to identify the best approach to regulate Internet of Things technologies, which might affect our entire lives.
2. Network Security and Resilience
As the IoT reaches more and more individuals and begins to play a larger part in their lives, safe and reliable networks – along with data protection – will become a top priority.
This is a priority recognised by any regulator. The issue is whether authorities or the market itself shall set the standard of compliance.
3. Availability of Spectrum for IoT networks
Many Internet of Things devices and services will operate over a wireless network. It is therefore essential that spectrum is available. But at present Ofcom does not see this as a barrier to the IoT and is confident that the 870/915MHz bands will be able to deal with the low data rates that are typical of the majority of the emerging IoT applications. However, the scenario might change in the future with the development of IoT technologies.
And indeed the Internet of Things sector will grow so quickly that a continuous review of the regulations will be necessary.
4. Telephone Number and Address Management
Telephone number and address management will not be a barrier to the development of the Internet of Things. IoT services are most likely to use bespoke addressing systems that are able to generate billions of addresses. IPv6 will offer a massively increased range of addresses.
This seems to be a consolidated view in the market, also after the negative experience of Spain, which introduced a numbering system dedicated to the IoT that was never used by operators since it restricted number portability.
This is an extremely exciting time for the Internet of Things and we will see the next steps in the sector. And following the positions taken above, it is interesting that the Italian telecom regulator issued its report on the Internet of Things, covered in this blog post, and the privacy regulator launched a consultation on the IoT, addressed in this blog post.