Before exploring the implications of the convergent points of the law on privacy and IoT, an understanding of the stakeholders in a personal information transaction would be helpful.
Consequently, the interaction of IoT devices with individuals, and their almost unacknowledged but pervasive presence in daily living and privacy of an individual, would pose ongoing and real-time challenges as well as risks to the privacy of an individual.
One set of stakeholders in an IoT transaction comprises device manufacturers, data platforms, data aggregators or brokers, application developers, social platforms, etc. Their intervention involves extensive access, use and processing of data, resulting in the device operating in an unobtrusive and seamless manner for the user.
Another category of stakeholders is the users. In data protection legal frameworks such stakeholders possess different designations, based on their attributes. There is the data subject (user of the IoT device) who provides the data for availing services and the data controller (IoT device manufacturers/service providers) who controls the data and uses the data for providing services/functions rendered through the IoT device. Further, the data may travel through multiple entities present between the data subject and the data controller, who process the data on behalf of the data controller (data processors).
Law at developmental stage
The law on privacy and data security in India in today’s electronic age is still at a developmental stage. The Supreme Court has recently recognised the right to privacy in India as a fundamental right under the Constitution. This right also includes the right to informational privacy, which is the individual’s right to control dissemination of his/her data, including electronic data and data over the Internet.
The Supreme Court has also set up a committee (the BN Srikrishna Committee) to frame legislation on data protection. As a result, any new law on privacy that gets enacted should recognise and accommodate the unique nature of IoT.
However, till an omnibus privacy and data protection legislation is put in place, the existing regulatory framework on data privacy and security in India under the Information Technology Act, 2000, merits discussion.
The Information Technology Act, through its Reasonable Security Practices and Procedure Rules in 2011 (Data Privacy Rules), specifies certain requirements for data controllers to follow while collecting, storing, processing and transmitting personal or sensitive data over the internet.
Under the Data Privacy Rules, the data controller is required to give notice of the information collected and get written (or electronically communicated) consent of the user or the data subject, before the data is collected.
The data controller must give the user an option to withdraw consent, change the information in case of a mistake, etc. Further, the collection of information must be limited to the identified purpose for which it is collected, and must be used and disclosed only for the identified purpose (data minimisation). The flowchart below provides a better idea of the flow of information and the regulatory steps involved.
IoT challenges traditional principles
Essentially, the Data Privacy Rules incorporate traditional principles found in any other legal framework on data privacy such as notice, choice, consent, and limitations on purpose and collection. The advent of IoT has challenged these traditional principles.
Providing notice to the data subject within the IoT ecosystem may not be feasible, as traditional forms of notice on information practices are difficult to implement in an environment where many sensors/devices at multiple levels are measuring and tracking various data simultaneously. It is difficult to give notice in all instances of collection and processing, as it will be burdensome on both the consumers and the IoT stakeholders.
The same challenge exists for following traditional methods of providing choice and written or electronically communicated consent. Further, most IoT devices do not have a screen or interface where they can communicate notice and obtain consent from the data subject, or the existing interface in the device is not sufficient for such communication.
Data minimisation as a concept (where companies should limit the data they collect and retain, and dispose of it once they no longer need it) may not be realistic for IoT, as it is overly rigid and may hinder the potential for innovation, in terms of developing and creating more streamlined and refined services within the IoT ecosystem.
However, it continues to remain an essential element for the protection of privacy within the IoT ecosystem and cannot be ignored.
The above are just legal touchpoints that demonstrate the gulf between existing law around data privacy and the inherent delivery systems and user interfaces in IoT.
Regulation for data protection
The White Paper recently released by the BN Srikrishna Committee on data protection laws has taken the growth of IoT into consideration in contemplating the type of regulation for data protection. However, the onus is not just on lawmakers but also on the IoT industry, which needs to adopt and reinvent compliant devices, practices and processes that meet current and future data privacy and data protection/security norms.
For instance, IoT industry stakeholders could start with capturing and maintaining user data in an anonymised or de-identified form for services or devices that are not dependent on the identity of an individual. They can adopt a protocol at the device level and user interaction level, to de-identify such data and also ensure that it is not capable of re-identification.
Device manufacturers can adopt privacy by design, where privacy and data security measures are incorporated into the design architecture of the device/software. This can ensure that the requirements of data privacy law are incorporated into the device itself and pre-emptively enable data privacy compliance, if not help prevent data security breaches.
Of course, a system of frequent security threat and weakness checks and follow-up patches would make this approach more robust.