IoT Is In The Dark When It Comes To ePrivacy

Uploaded on 2019-02-21 in TECHNOLOGY--Developments, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-IT & Telecoms, TECHNOLOGY-Key Areas-Internet of Things

Roll the clocks back to 25th May 2018. Businesses were fearing the worst about the General Data Protection Regulation (GDPR), cue a string of last-minute website changes, consent emails being sent, and records removed from databases.

Surprisingly, a December 2018 survey by IT Governance discovered that only 29% of firms in the EU are fully GDPR compliant.

If we look back, although GDPR stole much of the limelight, there were three other data protection regulations brought about at the same time, with the new UK Data Protection Act 2018, Data Protection, Charges and Notifications Act 2018, and the Privacy and Electronic Communications Regulation of 2003 (PECR), which goes to show how much of a challenge businesses face when it comes to data protection in 2019 and beyond.

In late-2019 to early-2020, the landscape is set to change again.

As if GDPR wasn’t enough of a challenge, the new ePrivacy regulation is set to shake things up massively when it comes to the Internet of Things. You’d be forgiven for not knowing much about ePrivacy, as the regulation remains in European Parliament for approval, with decisions on its future likely being made in the Spring of 2019.

What you do need to know, however, is that ePrivacy will intensify the levels of consent needed to operate online, in an effort to provide greater transparency on personal data processes.

Now, while the ePrivacy regulation will affect many types of business, none are as in the dark as those within IoT. While we outlined this as a piece that could spell trouble for the IoT, it could as easily be resolved as it is brought to a (temporary) standstill.

The current issue is that the ePrivacy regulation is broad, with no specific information on individual types of communication, which means machine to machine transmissions that include personal data and those that don’t contain this type of information are currently classed in the same bracket.

What does this mean? Well for those transmissions that contain personal data, it’s soon to become apparent that people will have to consent to the processing of this data. Which in reality is completely fine, as it’s something we’ve all become used to over the last year or two, particularly following the introduction of GDPR.

However, a complaint made currently is that there is no indication of how blanket rules would be applied as they currently are. Theoretically, a user would have to consent to personal data processing every time they enter a new network range whilst using a smartwatch, for example, which is completely unmanageable. There is a proposal in front of the EU petitioning for the two to be separated.

In essence, this would make total sense, as there is a clear distinction between the type of data a smartwatch would monitor (where it’s processing incredibly personal data, whether that be anything from body mass to exercise habits) and the information an application that controls home heating would process.

A recent amendment of Recital 12 of the ePrivacy regulation provided some hope, which made a distinction between the types of transmissions IoT devices make, only one of which falls under the scope of ePrivacy.

This outlines that previous consent, given at the time of installation would be enough to provide long-term consent without having to ask each time a different interaction is noticed. However, there is still come debate about the personal data processed in terms of there being more than one subject.

Kieran McGeehan, Data Protection Specialist at Univate, commented:

“Anyone operating within the IoT finds themselves in an unfortunate position. The ePrivacy is the next phase of the intensification of data privacy, and while its effect will be huge to the industry, as it’s still in draft stage, many of the implications are changing on a regular basis.

Therefore, while it’s easy to interpret current legislation as spelling disaster for the industry, we’d recommend preparing for the elements we know are going to come into force, and keeping a keen eye on the draft updates.

This involves a fightback against the number of unsolicited emails are sent, particularly relevant to the B2B arena, as this previously didn’t affect them as specifically as the ePrivacy regulation will.

Whilst we know that consent is a key element of the legislation, cookies apply to more than the devices within our homes. Ensuring websites and other methods of electronic communication have processes in place that control consent is essential and will provide a footing when it comes to complying with any law that relates to IoT.”

Ensuring compliance in 2019 and beyond

As we saw with GDPR, there is a practical aspect to ensuring compliance in terms of putting measures in place to effectively handle the changes, and another in terms of ensuring policies and procedures are up to date should an investigation ever take place.

Ensuring these formal documents are up to date, covering the requirements of the latest regulations, is an essential aspect of compliance. And remember, this will apply whether the UK is part of the EU or not!

Author: Kieran McGeehan, Managing Director & Compliance / Data Protection Specialist at Univate.  

Kieran has over 15 years of experience in data compliance, holding positions within businesses such as AXA Insurance, HSBC, The Co-Operative Insurance, and is currently chairperson of the Global Association of Data Protection Representatives.

 

« Edward Snowden Likes Zcash
Russian Hacking Intensifies Closer To Ukrainian Election »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Council on Foreign Relations (CFR)

Council on Foreign Relations (CFR)

CFR is dedicated to better understanding the world and the foreign policy choices facing the USA and other countries. Cyber security is covered within the CFR topic areas.

National Trading Standards eCrime Team (NTSeCT) - United Kingdom

National Trading Standards eCrime Team (NTSeCT) - United Kingdom

The National Trading Standards eCrime Team tackles online consumer scams, rip-offs and fraud, as well as those committed by text or email.

Forensic Control

Forensic Control

Forensic Control specialise in providing simple & straightforward Cyber Security to organisations, helping them assess, prevent and respond to cyber threats.

Recorded Future

Recorded Future

Recorded Future arms security teams with threat intelligence powered by patented machine learning to lower risk.

Subgraph

Subgraph

Subgraph is an open source security company, committed to making secure and usable open source computing available to everyone.

miniOrange

miniOrange

miniOrange is a cloud and on-premise based identity and access management (IAM) solution provider.

NITA Uganda (NITA-U)

NITA Uganda (NITA-U)

NITA-U has put in place the Information security framework to provide Uganda with the necessary process, policies, standards and guideline to help in Information Assurance.

TechArch

TechArch

TechArch helps customers to optimize their investments in cybersecurity by providing them independent and vendor-neutral consultation and guidance.

Cybersecurity Competence Center (C3)

Cybersecurity Competence Center (C3)

The Cybersecurity Competence Center was created to further strengthen the Luxembourg economy in the field of cybersecurity.

e-End

e-End

e-End provides hard drive shredding, degaussing and data destruction solutions validated by the highest electronic certifcations to keep you compliant with GLB, SOX, FACTA, FISMA, HIPAA, COPPA, ITAR.

Cube 5

Cube 5

The Cube 5 incubator, located at the Horst Görtz Institute for IT Security (HGI), supports IT security startups and people interested in starting a business in IT security.

Xperience

Xperience

Xperience solves our clients’ toughest challenges by delivering business efficiency through digital transformation solutions across cloud, managed IT, CRM and ERP.

Triaxiom Security

Triaxiom Security

Triaxiom Security offers penetration testing, security audits, and strategic consulting customized to meet your needs.

Computacenter

Computacenter

Computacenter is a leading independent technology partner, trusted by large corporate and public sector organisations. We help our customers to source, transform and manage their IT infrastructure.

Blattner Technologies

Blattner Technologies

Blattner Technologies mission is to be the leading provider of predictive transformation services and tools in the Data Analytics, Artificial Intelligence and Machine Learning industry.

NewEvol

NewEvol

Don’t React, Evolve! Outsmart threats with real-time AI-powered dynamic defense capability of NewEvol all-in-one cybersecurity platform.