Big Brother is watching and listening


Striking a balance with privacy concerns in The Internet of Things can be difficult; Rafi Azim-Khan and Steven Farmer from Pillsbury Law look at your obligations on data.

Smart TVs raised privacy concerns earlier this year with reports that people could unknowingly have their private conversations recorded in their homes when the voice recognition functionality was enabled.

The idea of connected devices snooping on your conversation is like something out of George Orwell’s “1984”, but is becoming an increasingly widespread phenomenon – voice recognition is now used in everything from fridges to mobile phones.

The Internet of Things holds significant potential for growth within creative companies; however, the potential for privacy intrusion, for example where voice-activated features are used, is also very real.

As more devices in the home develop networked “ears and eyes”, what precisely are the obligations of companies with the ability to “snoop” from a privacy perspective?

The legal framework

The relevant legal framework with which to assess these privacy and data protection issues is composed primarily of Directive 95/46/EC (the “Data Protection Directive”).

The Data Protection Directive applies to all processing of personal data (including spoken voice data) carried out where a data controller is established in an EU country, or importantly in the context of the IoT, where a data controller makes use of equipment situated in the EU.

To re-cap, the “data controller” is the person (or entity) who determines the purposes for which and the manner in which any personal data is to be processed and so in the context of connected TVs, the data controller could be, say, a TV manufacturer established in the EU or a TV manufacturer who is established outside the EU but who collects voice data of users in the EU via voice recognition functionality on a connected TV.

In the context of a connected TV manufacturer, the data controller would need to ensure that any processing of voice data is “legitimate”, typically via the consent of its users.

The issue of what constitutes valid consent is a particularly complex area, with different views across the EU as to what it means and how it is obtained. However, it is questionable whether consent would be deemed valid if a notice that “voice data will be collected by a TV manufacturer when voice recognition functionality is enabled” was buried in a privacy policy, for example.

Further obligations on a TV manufacturer include the obligation to process the voice data only for the specified purposes for which it was collected and not to keep it for any longer than is necessary to fulfil those purposes.

The identity of the controller, the purposes of the processing, the recipients of the data (if any), the existence of the rights of a user to access their data, and so on, should also all be set out in a clear and comprehensive manner in the data controller’s privacy policy and the controller should ensure it has the consents to process data it believes it has before any collection or processing takes place.

Sanctions

In terms of sanctions for data breaches, enforcers across Europe have recently pushed for more aggressive fine levels and enforcement in the EU, in response to what they see as too many companies taking a half-hearted approach to data protection compliance.

Expected over the coming months is a new Data Protection Regulation for the EU which will replace the existing Data Protection Directive and usher in sweeping changes with proposals to beef up and alter the current regime.

A key part of the Regulation is larger fines: 2% to 5% of global turnover, or up to 100 million Euros, for data protection breaches have been proposed. Fines for serious breaches have already increased significantly in the UK in recent years (companies in breach can be fined up to £500,000).

There is also an increasing trend in EU countries to permit privacy claims via the courts even where no financial loss has occurred, significantly broadening the circumstances in which data protection litigation can be brought and damages awarded.

Privacy by design

Companies manufacturing IoT devices and providing smart services need to be thinking about “privacy by design” which has been a key mantra coming out of Europe for some time now.

Essentially, companies must now demonstrate that they are taking data protection seriously at the design and implementation stage.

In practice, it is necessary to perform security assessments on systems and services as a whole, in addition to training staff and having policies in place dealing with key issues such as data handling, data access for users, breach notification and so on.

In drafting or reviewing policies and procedures, organisations should be mindful of the likely changes being introduced by the new Regulation (e.g. those relating to breach notification obligations) and the latest sanctions position for breaches.

Whilst well-drafted, user-facing privacy policies can help, far greater levels of transparency about data processing are also necessary, along with clearly signposted opt-outs and user controls. When investigating a violation, enforcers are unlikely to have much sympathy for organisations that have taken a lackadaisical approach to compliance.


Rafi Azim-Khan is head, data privacy, Europe, and Steven Farmer is counsel, both at Pillsbury Law
