Written by Tim Lyons

Addressing privacy concerns: a question solely for regulators?

Much has been written about the application and potential shortfalls of data privacy laws in the context of the IoT. Legal protection of data privacy is obviously essential, and legislators and regulators around the world are grappling with how to best provide sufficient protection for consumers, and useful guidance for IoT developers, without stifling innovation.

However, given the rapid rate of technological development in the IoT, it may be that legislation and other regulatory guidance develops into a general (but useful) framework for IoT developers to operate in, rather than a step-by-step guide for data privacy compliance. Indeed, while the law sets certain standards for data privacy, when dealing with technology it can be difficult for legislators and regulators to be too specific, given the rate of change. Aside from any legal compliance, many consumer technology providers instinctively understand the importance that consumers place on the protection of their personal data. These providers are actively seeking to strike the right balance between leveraging the great insights that can be gleaned from personal data generated in the IoT and building consumer trust through privacy enhancing applications.

Therefore, the key question now emerging is how do IoT providers meet data privacy expectations and legal requirements, not why they should be seeking to do so.

Privacy by Design in the IoT: A refocus on ‘the user’

Privacy by Design (PbD) refers to the process of building privacy enhancing mechanisms into the design of technology, as opposed to considering such mechanisms as an afterthought. Originally conceived by regulators, PbD holds that the future of data privacy cannot be assured solely by compliance with regulatory frameworks. The current Victorian Privacy Commissioner Mr David Watts has said that: “at a high level, what Privacy by Design mandates is embedding privacy into the information technologies, business practices and networked infrastructure, as a core functionality, right from the outset“. Large private sector providers such as Microsoft and Apple now publicly state that PbD is a key focus.

PbD is arguably crucial to privacy enhancement and legal compliance in the IoT given the difficulties presented by new IoT technologies. For example, it may be difficult to obtain meaningful consent from individuals to the collection of personal data through certain IoT devices that do not have traditional user interfaces, such as a connected utility meter. Similarly, it may be difficult to provide sufficient data collection notices to consumers using devices like internet-enabled floor tiles or coffee machines.

However, much of the guidance on how to implement PbD issued by regulators and the private sector is often very general, out of date and at times assumes that data security is the same as privacy or conflates the two issues. In the absence of clear guidance, technology developers are struggling to meet the key requirements and outcomes of data privacy as distinct from security, which is often their native area of expertise.

In recent times, some developers have turned to a tried and tested but as yet, largely overlooked approach to solving these issues: a focus on the user. While security engineers are needed to build secure systems, software developers are needed to address key data privacy issues in software and hardware specifications, and lawyers are needed to ensure compliance with the law, a key division is often overlooked: user experience designers (UX). UX designers specialise in improving the aesthetics, ergonomics and usability of products and services.

In placing the user experience at the heart of technology products and services, Apple has been able to transform the consumer technologies market. Utilising UX design principles, IoT developers may approach data privacy compliance in a similar way. Examples of UX data privacy include data ‘featureisation’, which is the practice of making data a consumer-side feature of products and services, building systems that allow users to access their data in an easy, usable format while providing mechanisms that place a value on the sharing of data, and developing tools that permit providers to obtain real, meaningful consent to data collection and use.

IoT providers must tell their UX designers to take privacy considerations in account in the same way as they take into account aesthetics, ergonomics and usability when developing products and services.