Peter Leonard DATA SYNERGIES
Key points
The trajectory of statutory requirements affecting smart devices and connected services is becoming more clear. Australian law will impose greater burdens upon all entities collecting, using and sharing data, including non-identifying data and particularly, where data is used to enable automated outcomes or handled in any way that may compromise the security of critical infrastructure or the safety of humans.
Providers of smart devices and connected services should be anticipating likely changes to regulation. Many providers have only recently evolved connected services towards data privacy by design. The next phase has already arrived — expectations of consumer groups, many civil society organisations and some regulators, both in Australia and in peer-regulated jurisdictions that providers of smart devices and connected services should implement data privacy, information security and data trustworthiness, each by design and default.
This article comes from the experts behind the Privacy Law Bulletin. This bulletin is written by expert lawyers, academics, and legal experts covering the rapidly changing legal landscape around privacy laws and cases that continue to shape Australia's privacy framework.
Subscribers to the Privacy Law Bulletin can access the full article HERE.
Over the last 12 months, there has been a global focus on limitations in the cybersecurity of smart devices, including shipping of devices with open security settings and inadequate labelling as to security vulnerabilities. At the same time, the range of smart devices and their uses has continued to rapidly expand. Smart devices and the various connected services to which they are connected are evolving to be more sophisticated, reliable, affordable, and easier to set up.
Many consumers now rely upon insights and other outputs derived from these devices and services without understanding and/or evaluating the reliability of input data or outputs for the reliance that those consumers are placing upon those outputs. Data and algorithmic quality and provenance, and therefore output quality and reliability, are highly variable.
Consumer guarantees under the Australian Consumer Law (ACL) are difficult to apply to the complex mix of “goods” and “services” (as separately regulated under the ACL) and supply-side multiparty data ecosystems that are characteristic of most deployments and uses of connected smart devices. Allocations of legal responsibility to warn as to risks of harm and take steps to mitigate those risks are complex — often, it is not legally clear whether legal responsibility and liability should be attached to the manufacturer or supplier of the smart device or to the provider of the connected service, or should remain with the end user (if the end user failed to take reasonable steps to consider risks inherent to particular deployments and to mitigate those risks).
It has become clear that legislative reform is now required to provide appropriate incentives and imperatives to address these risks. Many jurisdictions are currently developing proposals for new statutory regulation of smart devices and connected services. In the current geopolitical environment, it appears unlikely that there will be harmonisation of national approaches — cross-border providers of devices and services should anticipate both increasing regulation and diversity of statutory requirements.
To be ready for statutory and regulator-led changes and to be ready to enter global markets, providers need to assess their:
- design and specification of IoT devices
- data labelling and data ontologies, as well as data handling architectures
- technical, operational, and contractual arrangements with other entities with whom they share data
- data security profile, including by taking active steps to avoid over-collection of personal identifiers, over-sharing within their organisation (who “really” need access, to which data sets?) and over-retention (do data sets “really” need to be retained, either at all or in internet-accessible form?)
- notices and disclosures, including by catching up with rapidly evolving good practices as to the publication of responsible user guides, artificial intelligence (AI) model cards and data sheets and by making fair and frank disclosures about data quality and reliability (or otherwise) of smart devices and services for reasonably anticipated uses likely to be made of those devices and services and
- transparency notices to affected individuals and forms as to customer consent
Regulatory reforms will:
- expand the range of IoT deployments that are regulated as collecting and using personal information
- impose new limitations upon monitoring of public and semi-public spaces, including in retail stores and in-and-around buildings, and within workplaces and remote working environments (such as use of company vehicles and at-home use by employees of workplace system resources and employer-issued devices)
- impose new requirements as to transparency to affected individuals by deployers of IoT devices as to data analytics and insights derived from such deployments, in particular, in circumstances where humans that are being monitored or observed are unaware of the deployment or derived insights (eg, the lovely Airbnb apartment that you are staying in may be bristling with IoT data collection points. Neither Airbnb, nor the guest, currently know what IoT devices are in use. Should the renter tell you?)
- create application-specific rules addressing particular higher-risk of harm use cases, such as services enabling uses of geolocation and other tracking (mobility) data, consumer health and wellness applications and services likely to be used by children
- require entities that permit regulated data sets to be made available in multiparty data ecosystems to impose safeguards and associated assurance controls to mitigate risks that other entities that can access that data may use that data in ways that are inconsistent with contractual arrangements or not within the bounds of reasonable expectations of affected individuals. New requirements as to the responsibility and accountability of data-collecting entities are likely to create significant liability exposures for organisations. It will no longer be a viable legal option to impose contractual restrictions on other entities on a set-and-forget basis and without taking active steps to ensure compliance by those other entities
When considering control of multiparty IoT data ecosystems, it is often necessary to differentiate:
- device level control through permissioning of which services may use which sensors within a device, under what conditions and with what level of assurance as to data practices of those service providers, including data labelling and provenance tracking of data exiting the device and
- service-level control of subservices (data hosting, billing, permissions management etc) enabling an end-to-end service to be delivered
Each IoT data ecosystem utilises the Internet, so by definition, security of data in transit over the internet and on cloud platforms should be a key concern, regardless of whether personal information about individuals is being handled.
An IoT data ecosystem may be open to multiple entities or closed. Many industry-specific IoT deployments are closed—water and energy smart meters, building management systems, surveillance systems in shopping malls and transport hubs and so on. The fairness and legality of data handling in these scenarios should be relatively easy to establish and assure. That said, we continue to see errors, either as to legality or expectations of citizens as to trustworthiness (see eg, 7-Eleven Stores and the Office of the Australian Information Commissioner (OAIC) investigations into the personal information handling practices of Bunnings Group Ltd and Kmart Australia Ltd, focusing on the companies’ in-store use of facial recognition technology).
Most IoT data ecosystems are open to at least some degree because many service providers rely upon other entities to enable the collection and handling of this data. Many open systems are “too open” because maturity of different entities as to good data governance is highly variable. Many service providers using data from IoT devices do not identify and address issues that result from poor allocation of risk, responsibility, and liability between the entities in the supply-side data ecosystem. This poor allocation may be due to failure to identify issues as issues, or failure to allocate to an entity management of issues that a particular entity should own until root cause analysis is conducted after something goes wrong. Data risk management is too often reactive, not proactive. Data leakage from supposedly closed data ecosystems is common because many service providers do not implement technical, operational and controls to mitigate risks of their personnel or their data processors or other sub-contractors, doing the wrong thing.
Of course, smart service providers often have limited visibility as to the characteristics of the physical environment in which an IoT device is deployed and other settings of a device made by a user of that device. These characteristics and settings may affect the legality of collection of relevant data, and the quality and security of data collected by the devices, in turn, lead to concerns as to reliability of data insights and security vulnerabilities. One of the most difficult areas for developing regulation is fairly allocating responsibility and liability as between service providers and deployers and users of smart devices and connected services. Often, fair allocation is not obvious and needs to be determined in a periocular data context for a particular application.
New regulation of smart devices and connected services will fundamentally affect the business case of many IoT service providers, and how and where smart devices and connected services may be deployed and used by many entities. Businesses should now be taking practical steps to be ready for diverse new rules.