Internet of Things (IoT) is generally understood as the connection of electronic objects and devices to the internet. For businesses to enjoy lower operating costs, improved communication and efficiency, increased productivity through prompt decisions, and better customer experiences, processing and analysing customer data is key to achieving such a strategy. Subsequently, IoT has proved helpful in controlling and monitoring domestic activities and processes for improved security options, energy savings and reduced environmental impact.
There are billions of IoT devices, each designed to process a wealth of data. These readily provide real-time information about a data subject relating to their health, finances, location, contacts, behaviours and activities. However, while more and more electronic products are being designed with software functionality and internet connectivity, very few incorporate even basic privacy safeguards or protections, thus posing a real risk to personal data and consumer privacy.
International IoT privacy regulation
In Europe, most IoT processing activities fall within the material scope of the European Union General Data Protection Regulation (GDPR), given that IoT devices tend to process a large amount of personal data. Data subjects using IoT devices ought to be accorded heightened privacy rights, and their data should be processed according to the principles of data protection.
Another example of regulation is the ePrivacy Regulation, a cornerstone of the privacy realm in the EU. It covers a wider scope than the GDPR in terms of IoT devices and non-personal data communication, as it regulates machine-to-machine communications.
In America, Congress has passed a law governing the security of the IoT known as The Internet of Things Cybersecurity Improvement Act of 2019, which sets the baseline cybersecurity standard prescribed by the federal government with regard to IoT devices. This was developed following the realisation that the Internet of Things was a weak link in consumer privacy.
IoT regulation in Kenya
Although there is no direct mention of the Internet of Things in any laws or legal provisions in the country, other laws such as privacy laws, competition/antitrust laws and communications laws provide guidance on breaches of certain aspects introduced by the IoT. The Constitution of Kenya 2010 is the fundamental law governing privacy in Kenya; Article 31 protects the privacy of communications.
Further, section 25 of the Data Protection Act (DPA) echoes Article 19 of the GDPR and provides for principles of data protection, among which is to ensure that personal data is processed in accordance with the right to privacy of the data subject. Section 41 further requires technical and organisational measures designed to implement privacy by design and by default.
IoT Privacy challenges
There are a number of privacy challenges within the IoT space. IoT services involve significantly more parties than traditional services, for example sensor manufacturers, hardware manufacturers, IoT operating system vendors, IoT software vendors, mobile operators, device manufacturers and third-party app developers, among others. This diversity means that the IoT is subject to multi-jurisdictional laws, since these providers are scattered across jurisdictions, and enforcement of compliance requirements may therefore not be fully achieved.
In addition, IoT apps and devices may process sensitive data in an unregulated space, e.g. smart wearables that collect data on, and draw inferences about, the health and wellbeing of an individual.
Further, IoT devices are vulnerable to the same kinds of cyber-attacks that affect computer programs, such as hacking, which could lead to detrimental results. This is a major concern considering that most IoT devices are used in domestic activities.
Consumers also face the risk of unsolicited marketing, since companies collect data through the consumer’s online activities.
Steps towards achieving privacy on IoT
To ensure the maximum benefits of IoT technology, there are certain steps that can be taken to achieve privacy and enhance business strategies:
- Widespread adoption of a single, consistent set of international standards, as in the US and Europe. This requires stakeholder engagement across the IoT ecosystem to develop sound legal solutions.
- Regulation could be two-fold: government policies giving the general direction for handling privacy and data protection, or self-regulation to ensure that industries adopt best practices in cybersecurity and data minimisation.
- Adopting privacy policies that incorporate best practices. Policies could be three-fold, i.e. a legal code that is prepared by lawyers and interpreted by courts, a human-readable code that is easily understood by consumers, and a machine-readable code that is embedded in the IoT software.
- Creating awareness of the level of exposure associated with connectivity through interaction with the IoT, and ensuring consumers are afforded opportunities to access and control their own data.
- Adopting privacy by design and by default by embedding privacy in the technology used. Data protection should be built into the IoT solution from the outset and throughout the development life cycle, as part of the principle of ‘privacy by design’.
Recently, the Office of the Data Protection Commissioner issued a communiqué stating that the office is working on sector-specific guidelines in collaboration with data controllers and processors. Businesses in the IoT space could leverage such engagement to ensure that practicable legislation is enacted. Practitioners and stakeholders ought to work with legislators to push for a regulatory environment that fosters the growth of the IoT. Laws that cover a global arena and cross-border practice would be the preferred package, ensuring an unparalleled global reach.
This article was initially published in the July edition of CIO Africa Magazine, available for purchase at the CIO Magazine Shop.