Only imagination limits the opportunities available from our rapidly connected world. It’s hard to think of a household product or work device that could not have some benefit from being connected to another application via the internet of things (IoT), which adapts based on data from another source.
Unsurprisingly, Gartner identified that the number-one strategic technology trend for 2016 would be the so-called device mesh: the ever-expanding set of end points that people can use to find information and communicate online. It includes traditional devices such as computers, mobile phones and tablets that we would ordinarily use to access information and interact with each other, as well as wearable, home, electronic and automotive devices that have sensors and are connected to the IoT. As the number of these connection points between consumers and the internet increases, it creates a consistent and ever-present web of connectivity - or mesh - around individuals.
This creates endless possibilities, especially as the interaction between devices increases and they begin to "talk" to each other, share data and cooperate to provide the best user experience in a more streamlined and efficient way. It is anticipated that it will be commonplace to monitor our homes from a distance and manage automated systems to put on the heating, turn off the lights and close the blinds, and we will be able to receive real-time information on when our next train or bus is due. This will all be down to the connectivity of these devices to the internet and the inter-connectivity between them.
All too often the law is seen as a barrier to development and innovation. However, factoring in the legal and regulatory requirements early on will enable technologies to reach their full potential as products are created and designed in a manner that is safe, secure and able to be enjoyed by consumers.
Undertaking privacy impact assessments
Privacy is a key issue that developers should have regard to early on if any personal information is to be used and relied upon by a project. This is especially true in Europe, where a new general data protection regulation is due to come into force in May 2018 to replace the existing 1998 regime. In the UK, the regulation is likely to endure in a similar form regardless of Brexit.
We find that conducting a privacy impact assessment early on is the best way to consider the implications of an application or project. An assessment should consider what data is being shared by the device, how it is shared and what impact this is likely to have on the individuals concerned. Through gauging the data sharing involved at the outset, developers are able to implement privacy by design and put measures in place to reduce the impact on privacy. For example, the device could be set up to delete automatically any raw data that is no longer required so that it is not shared any further beyond what is required.
User consent and notice
In Europe, use of personal information requires a fair processing ground to entitle a business to use the information. User consent is perceived as the most common method to secure the right to be able to use personal data. The law requires consent to be specific, freely given and given in a manner that clearly demonstrates that the individual agrees to the sharing and use of their data. As a result, the mechanism through which users grant or withhold their consent will need to be carefully designed and configured to meet these requirements.
Consent is going to be important where any devices use health data, otherwise known as the "medical mesh". Higher legal standards apply to any use of any medical information and must be carefully scrutinised.
Any consent given by the user must be informed so that the user is aware of what they are being asked to agree to. As a result, we would recommend that users receive regular updates on what information is being collected and shared about them through their devices and applications and prompted regularly to review their settings to confirm they are comfortable with the data being shared. Keeping users informed will be vital for device mesh technologies that could see data being shared widely and in the background without much user involvement.
Notice is going to be particularly important where sharing data with third-party devices. Users should have a good understanding of how far their data will travel.
We are seeing more clients looking at innovative ways to give notice, such as deploying video to explain more complicated areas.
Cybersecurity is another consideration to be mindful of. Many of the items in the device mesh will be standalone and won’t benefit from being part of a connected network or corporate system that has a sophisticated security system in place. This could leave them vulnerable to access by any type of user, including hackers and organised criminals.
As a result efforts should be made to ensure that devices are regularly updated with software to protect against any cyber threats and protections and disaster recovery plans should be in place from the beginning for even the simplest of connected products. Reputational harm and financial penalties, such as monetary penalties of up to 4% of annual worldwide turnover where personal information is at risk, should always be on the risk register of any organisation.
The right to mesh
As this area of the law develops we expect to see the development of standards and common protocols that will govern the connectivity and interaction between devices in the device mesh so that they are able to talk with each other but within a framework that priorities user privacy, the prevention of data breaches and the protection of connection networks to which devices are attached.
While the law works to regulate devices, it does not look to limit to the opportunities of our imagination that are presented by the connected world.
About the Authors
Callum Sinclair is a partner and head of the technology sector at law firm Burness Paull. He specialises in legal support for major technology and sourcing projects including ITO, SIAM/towers and cloud transformation deals and was recently named in FutureScot/The Times’ 2016 Digital List of 100 people from Scotland’s digital technologies industry who are “changing the world”.
Ross McKenzie is a senior associate and qualified data-protection practitioner at Burness Paull. He has extensive experience advising on the privacy implications arising from software development and connected technology projects, and on international data transfers.