Privacy, regulation and the IoT

10th February 2016

The recent announcement of the new General Data Protection Regulation (GDPR) has spurred intense discussions on personal data protection and its effect on businesses. So, it was unsurprising that this topic dominated the talks at the Computers, Privacy and Data Protection (CPDP) conference, held in Brussels 27-29th of January. CPDP has a unique and diverse following of policy makers, privacy activists, technologists, businesses, and academics. It creates a platform for them to exchange sometimes complementary, sometimes conflicting views on privacy and regulation.  But, there is one thing that everybody agrees: personal data and privacy challenges will grow with the evolution of IoT.

Before delving into the privacy challenges of IoT, a few words on GDPR.  On December 15, 2015 European Parliament and Council announced their agreement on a consolidated text of a new General Data Protection Regulation (GDPR). GPDR brings a set of requirements: lawfulness of personal data collection; consent; purpose binding; necessity and data minimization; transparency and openness; rights of the individual; information security; and accountability and privacy (protection) by design. “Privacy by Design” has been coined as a development method for privacy friendly systems and services, going beyond technical solutions, and addressing organizational procedures and business models as well.  Hence, to meet GDPR’s requirements, most businesses will need to make some changes to their data handling practices at both technical and organizational levels, and they have two years to make these changes.

GDPR takes significant steps to protect individual rights, but equally significant challenges are expected in its implementation. This may have a crippling effect on the economy, and especially, on the tech companies and start-ups targeting the IoT market. How can the IoT vision be achieved without compromising the rights of the data subjects? It is even a question whether privacy and IoT is a paradox given that the majority of IoT applications are enabled using personal data.

The main goal of GDPR is to address the power imbalance between the data processing entities and the individuals whose data is at stake. However, this power imbalance becomes more prominent when data is collected in an IoT context.  One panellist in CPDP likened this to having digital pheromones – released without control and with no ability to cover, making it clear that what we understand as personal data will be quickly outdated. The services like’s webcam browser add to this sense of loss of control (  In the recent past, “the creep factor” has caused setbacks to products such as Google Glass. Interestingly, the concept of “Trusted IoT” labels, which could be used to restore some confidence, were received sceptically by the audience in a panel in CPDP. This then raises questions for GDPR’s encouragement for data protection seals and marks. While such seals may not be the ultimate solution, user-friendly designs for informing users about how their personal data is used and shared, and helping them assess their risks will be very important.

Finally, the current state of the IoT platforms is also problematic –  the lack of standardization and interoperability means that the IoT is dominated by vertical silos, which restrict horizontal markets for IoT (a problem Nominet is addressing directly with our IoT Tools). This hinders data portability too.  It is a recognized right in GDPR that data subjects will be able to receive their personal data in a “structured and commonly used and machine readable format” and have the right to transmit those data to another data controller. Without interoperability, this will not be possible.

In summary, the future looks uncertain for privacy regulation and IoT. But, there are a number of opportunities in this uncertainty. The essence of GPDR is improving individual ownership and control of data.  This will definitely be a key business differentiator in the data-driven IoT market.