Internet of Things (IoT) privacy related concerns require the implementation of a privacy by design approach otherwise suppliers might face major fines and risks.

How Internet of Things devices are manufactured

We are working on very interesting Internet of Things projects and the feeling is always that lawyers are involved at the very late stage when the product is already completed and ready to be launched in the very next days.  At that stage a “negotiation” between the legal team and the technical and commercial teams starts on what changes can be implemented without requiring further developments/costs, what risks should be taken, and whenever lawyers raise an issue, the technical and commercial teams have almost a “heart attack“…

The solution is privacy by design?

The above is just the opposite of the approach recommended by data protection regulators both in the United States and in Europe where a “privacy by design” approach is highly recommended.

The current draft of the EU Privacy regulation provides that

the principle of data protection by design require data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. This should also include the responsibility for the products and services used by the controller or processor. 

The above means that a detailed and thorough process shall be documented from the design and manufacturing of the Internet of Things devices, to their launch to the market, to the implementation of updates/upgrades in order to ensure that the IoT device is compliant with privacy laws.

What risks/liabilities can privacy by design minimize?

In a period of considerable uncertainty as to the regulatory framework applicable to the Internet of Things and of potential risks and liabilities, a privacy by design approach would:

  • limit the risk that Internet of Things devices are deemed not compliant with privacy laws avoiding sanctions that under the new EU Privacy Regulation will reach 5% of the global turnover;
  • reducing the potential liabilities deriving from cybercrimes since data breaches have to be reported to privacy regulators only if the data controller is unable to prove to have adopted the security measures adequate to the data processing and
  • exclude liabilities in case of processing of data that are not necessary for the provision of the service also through the usage of anonymization tecniques which is relevant especially for B2B suppliers that have no relationship with final users.

Additionally, a privacy by design approach has been required by both US authorities and European data protection regulators such as the Italian regulator that emphasized the need to adopt it in its consultation on the Internet of Things.

All in all a privacy by design approach is something that any entity involved in the Internet of Things sector and in general any entity processing personal data shall adopt in the shortest possible term.