The Internet of Things (IoT) requires certainty and this is why the Online Trust Alliance (OTA) published a draft framework of privacy and security guidelines for IoT devices.  Will regulators will validate that setting a more suitable playfield for the IoT? 

The current scenario

We have recently discussed about the negative publicity surrounding Internet of Things technologies after the recent hacker attacks to connected cars.  But my article also stressed that industry driven standardization validated by governmental bodies as well as a privacy by design approach are the key to ensure the growth of Internet of Things technologies without potential risks for not only users, but also manufactures and distributors.

The response from the Internet of Things industry

A famous motto is

United we stand, divided we fall

and it seems that the Internet of Things industry has understood the need to start joined initiatives in order to create a playfiled where IoT devices can flourish.  An essential component of such playfield is to create a higher level of certainty around applicable privacy and security obligations.

This is why the Online Trust Alliance, an alliance of major technology manufacturers, adopted a draft framework of  best practices applicable initially to home automation and connected home products (i.e. smart home devices) and health and fitness wearable technologies (i.e. eHealth technologies).  The contents of the draft framework focus, among others, on the following main categories:

  1. Increase of transparency towards users on accessibility of privacy notice and information on processed data;
  2. Limitations on entities to whom data is communicated and on data storage period;
  3. Individuals’ rights of control on processed data including right to either remove it or require its anonymization;
  4. Security measures to protect processed data which shall include, among others,
    • data and protocols encryption,
    • change and recovery of passwords,
    • performance of penetration tests,
    • manufacturers’ ability to remediate vulnerabilities in a prompt and reliable manner and
    • adoption of a breach response and consumer safety notification plan.

What feedback from regulators?

OTA is seeking public and industry comment on this list of best practices from now until 14 September 2015.  And the timing of this initiative is interesting since the Italian privacy authority recently launched a consultation on the Internet of Things seeking inputs from the industry on how to better regulate the IoT.

There is a general feeling indeed that:

  • Current privacy regulations are excessively burdensome and might hinder the growth of IoT technologies;
  • The Internet of Things sector needs more certainty on applicable obligations as otherwise the current unclear legal scenario might delay the development/launch of products due to the potential legal risks and
  • Such additional certainty needs to be the result of a joined initiative of the industry and regulators to ensure that  privacy and security obligations are imposed in a manner that protects individuals ensuring at the same time that the potentials of the sector are not hampered.

Shall the OTA best practices be reviewed and validated by regulators?  Is the right time for the industry and regulators to cooperate to ensure that their country does not miss the massive opportunities of the Internet of Things?  What is your view on that?