LEGAL AND PRIVACY IMPLICATIONS OF IOT
Dr Andres Guadamuz, University of Sussex
Source: files.meetup.com/18611894/5_iot-legal_aspects.pdf
APOLOGIES
AND SOME TOILET HUMOUR
LEGAL ISSUES
• Cybercrime
• Liability
• Security
• Intellectual property (patents, database and data mining)
• Standards
• Data protection / privacy
EXISTING LEGAL FRAMEWORK
• Mostly unregulated at the moment.
• IoT is covered by traditional areas of the law: tort, contract, terms of use, database rights.
• Hacking an IoT device is a criminal offence (Computer Misuse Act 1990).
• The most heavily regulated area is data protection.
THE UK 1998 DATA PROTECTION ACT
• Principles for data controllers, rights for data subjects.
• Seventh principle: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• Eighth principle: restriction on transferring personal data to countries that do not provide an adequate level of data protection.
DATA SECURITY ENFORCEMENT
• Crown Prosecution Service fined £200,000 by the Information Commissioner's Office (ICO) for a data security breach.
• Most enforcement orders involve minor incidents (sending an email to the wrong recipient).
• Major incidents are on the increase (loss or theft of unencrypted devices).
SAFE HARBOUR
• Framework enacted to allow enterprises to transfer personal data to the United States, which as a country is not deemed to provide an adequate level of protection.
• Was working until…
MAXIMILLIAN SCHREMS V DATA PROTECTION COMMISSIONER (C-362/14)
• Austrian law student and privacy advocate Maximilian Schrems brought proceedings against the Irish Data Protection Commissioner (DPC). As a European Facebook user he had signed up to the terms of use set by Facebook Ireland, the European subsidiary of the US company, which transferred his data to the United States under Safe Harbour.
• He argued that Snowden's revelations of mass surveillance showed that the US does not adequately protect European citizens' personal data.
• The Court of Justice of the EU agreed and declared the Safe Harbour decision invalid (October 2015).
PRIVACY SHIELD
• New framework that replaces Safe Harbour: political agreement announced in February 2016, adopted by the Commission in July 2016.
• “…effective supervision mechanisms to ensure that companies respect their obligations including sanctions or exclusion if they do not comply”.
• Companies with bad security could be excluded and/or fined.
GENERAL DATA PROTECTION REGULATION (GDPR)
• Adopted in April 2016; enters into force in May 2016, with a two-year transition period before it applies across the EU (May 2018).
• Overhauls the existing DP regime, replacing the 1995 Data Protection Directive and bringing several rights under one roof (e.g. the right to erasure, or "right to be forgotten"). Cookies remain governed by the separate ePrivacy Directive.
• Creates a few new rights, principles and concepts that could apply to IoT.
• Existing principles regarding export and security remain.
PRIVACY BY DESIGN
• Article 25 of the final text (Article 23 in the Commission's 2012 proposal) enacts data protection by design and by default.
• “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed…”
FORTHCOMING IOT EU ACTION
• Commission has agreed to consult industry on next steps. Possible action includes:
• Open data
• Standardisation and interoperability
• Data protection
• Telecoms: roaming, spectrum, numbering, etc.
• Authentication of objects.
CONCLUDING…
BEWARE OF GEEKS BEARING GIFTS
@technollama