Data Protection – How to deal with Subject Access Requests?
John Warchus | 22.08.2019
18.09.2019 Louise Hayward
The outstanding progression of technology in the 21st Century has resulted in the phenomenon known as ‘the Internet of Things’; whereby devices can connect via the internet in order to communicate not only with us, but also with each other. The aim is to create a smarter way of life.
Many devices are already available to consumers, such as smart TVs, smart cars and smart phones. We can even control heating at home using our phones in order to lead a more cost effective life. However, ethical, legal and security issues surrounding these innovative devices remain for consideration.
With the vast amount of data collected through the numerous devices that communicate with one another via the Internet there comes an increased risk of security breaches, including data leaks or threat from external networks/hackers.
This problem is furthered by the fact that technology is advancing faster than that of the security techniques, meaning that many existing security measures are now insufficient for the application to IoT.
Due to the personal nature of the information processed by IoT devices, the data can provide substantial insights into an individual’s movements, preferences and activities. For example, take an IoT boiler attachment, which self-regulates its temperature by connecting to your phone (so that the boiler knows when you are home or away, and awake or asleep). From this, we can work out when a house is likely to be empty, and therefore more vulnerable to crimes such as burglary.
Furthermore, doctors use IoT technology to hold vital information on patients in order to prescribe their required medication; should this information be hacked, the consequences could be life threatening. Whilst these examples may be extreme, they highlight the severe consequences that could occur as a result of a security breach.
Data protection goes hand in hand with security risks. Under the current data protection regime there is greater emphasis on the protection against unlawful or unauthorised processing, access, loss, destruction or damage of data information. This increased scrutiny of how our personal data is protected should put pressure on designers and manufacturers of IoT devices to ensure that security provisions are up to date and effectively take into account the type of data and the risk and consequences presented by IoT devices. The EU Commissioner’s report already recommends that IoT devices are designed from the onset with privacy and data principles in mind, such as the right of deletion and the right to be forgotten.
With companies potentially holding this vast collection of data and information about IoT users and their habits, there is an opportunity (and temptation) to generate additional revenue by selling the same to third parties, including advertising agencies. For example, by tracking our likes and dislikes, advertisements can be tailored to a certain individual. Likewise, there have been speculations that phones are listening to our conversations and device cameras are watching in the background, but many operators have denied this.
Ultimately, whilst advertising may be a useful way to learn about products or experiences, the way in which advertisers gain information about us has the potential to breach ethical guidelines.
There is an undeniable increased reliance on technology to automate our lives. The problem arises when determining liability. For example, who is at fault if technology fails or gets something wrong, or hackers breach the security of the IoT device and cause damage in the real world? Is the user or the provider or someone else entirely liable? It would then also be necessary to consider whether or not the matter would be a criminal or civil offense; however the law has yet to catch up.
The question stands as to whether IoT is innovative (in the way that it helps to facilitate an easier modern way of life), or dangerous (due to the many legal, ethical and security implications associated with technological advances). What is clear is the concern of how security provisions and the law can keep up with rapid technological advances.
If you require any more information, please contact our corporate and commercial team.
John Warchus | 22.08.2019
Jasnoop Cheema | 08.07.2019
Dorothy Agnew | 24.05.2019