LEGAL AND PRIVACY IMPLICATIONS OF IOT DR ANDRES GUADAMUZ, UNIVERSITY OF SUSSEX

Upload: andres-guadamuz

Post on 06-Apr-2017


TRANSCRIPT

LEGAL AND PRIVACY IMPLICATIONS OF IOT
DR ANDRES GUADAMUZ, UNIVERSITY OF SUSSEX

APOLOGIES

AND SOME TOILET HUMOUR

LEGAL ISSUES

• Cybercrime

• Liability

• Security

• Intellectual property (patents, database and data mining)

• Standards

• Data protection / privacy

EXISTING LEGAL FRAMEWORK

• Mostly unregulated at the moment.

• IoT covered by traditional aspects of the law: Tort, contract, Terms of Use, database rights.

• Hacking an IoT device is a criminal offence (Computer Misuse Act).

• The most regulated area is data protection.

THE UK 1998 DATA PROTECTION ACT

• Principles for data controllers, rights for data subjects.

• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing.

• Restriction on transferring personal data to countries that do not provide adequate data protection.

DATA SECURITY ENFORCEMENT

• Crown Prosecution Service fined £200,000 for data security breach.

• Most enforcement orders involve minor incidents (sending email to wrong recipient).

• Major incidents on the increase (loss or theft of unencrypted devices).

SAFE HARBOUR

• System enacted to allow enterprises to send data to the United States, which as a country does not provide adequate levels of protection.

• Was working until…

MAXIMILIAN SCHREMS V DATA PROTECTION COMMISSIONER (C-362/14)

• Austrian law student and privacy advocate Maximilian Schrems initiated legal proceedings against the Irish Data Protection Commissioner (DPC) on the basis that, as a European Facebook user, he had signed up to the terms of use set by Facebook Ireland, the European subsidiary of the US company.

• He claimed that Snowden’s revelations of mass surveillance mean that the US does not adequately protect European citizens’ personal data.

• The Court agreed and declared the Safe Harbour agreement invalid.

PRIVACY SHIELD

• New system that replaces Safe Harbour, just signed.

• “…effective supervision mechanisms to ensure that companies respect their obligations including sanctions or exclusion if they do not comply”.

• Companies with bad security could be excluded and/or fined.

GENERAL DATA PROTECTION REGULATION (GDPR)

• Will come into effect later this year (July most probably).

• Overhauls the existing DP regime, bringing several directives and rights under one roof (cookies, right to be forgotten, etc).

• Creates a few new rights, principles and concepts that could apply to IoT.

• Existing principles regarding export and security remain.

PRIVACY BY DESIGN

• Art 23 enacts data protection by design and default.

• “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed…”

FORTHCOMING IOT EU ACTION

• Commission has agreed to consult industry on next steps. Possible action includes:

• Open data

• Standardisation and interoperability

• Data protection

• Telecoms: roaming, spectrum, numbering, etc.

• Authentication of objects.

CONCLUDING…

BEWARE OF GEEKS BEARING GIFTS

@technollama