A vision for the future: how exactly do you regulate a seamless network of ‘social machines’?

Ofcom recently published a statement on promoting UK investment and innovation in the Internet of Things (IoT) – commonly described as the online interconnection of multiple machine-to-machine (M2M) applications. The statement follows on from Ofcom’s public call for inputs last July, in which it requested evidence on issues that might affect the development of the IoT sector. Ofcom hoped that this evidence would enable it to gain a better understanding of the development of new and innovative IoT applications, standards and networks. In turn, the IoT promises the potential for data exchange at an unprecedented scale across multiple industry sectors – using multiple devices currently unconnected and new technologies – with potential benefits in sectors such as energy, transport, and healthcare, as well as economic growth at large. From an individual perspective, by comparison, the IOT is all about human augmentation through networks of interconnected sensors and objects.

Based on the responses received, Ofcom identifies several policy priority areas that might help support future IoT growth and innovation within the UK. Ofcom also highlights what it sees as the main challenges in each of these areas and the next steps it proposes to take to meet these challenges. The areas identified are spectrum availability, network address management, network security and resilience, and data privacy.

Ofcom has a direct regulatory remit in each of these areas, except data privacy in relation to which it states that it intends to explore how it can support and work with the ICO, the government, other regulators, as well as industry, to allay consumer concerns at both a national and international level. Despite shifting the regulatory buck here (quite rightly in this case), Ofcom identifies the most important data privacy theme for those who responded to its call: the need to address the concerns of consumers about the collection and use of personal data as part of the IOT. While acknowledging that data protection law will regulate this area, Ofcom also shares its belief that a consumer-facing ‘common framework’ will be critical to future development of the IoT sector. This would allow consumers to authorise the conditions under which data collected by their devices are shared and used in a transparent and user-friendly fashion.

Ofcom estimates that there are currently over 40 million devices in the IoT within the UK and this figure may increase eightfold by 2022, when 360 million devices and more than a billion daily data transactions are predicted. As we move forwards quickly into a future where the human and machine element will be bound together into closely intertwined (indeed, perhaps inseparable?) ‘social machines’, will law and policy makers in Europe prove themselves ready for that challenge?

There are some indications from Brussels that they are aware of the magnitude of the task ahead. For example, the sixth in a series of annual IoT European Summits takes place on 11-13 May, while last September, the EU Article 29 Data Protection Working Party (WP) adopted an Opinion on recent IoT developments. This Opinion focused on wearable computing, quantified self – things designed to be regularly carried by individuals to record information about their own lifestyles – and home automation. While the Opinion stressed that data protection rules apply fully in these areas, it also highlights essential privacy and security obligations and provides a comprehensive set of practical recommendations for IoT stakeholders encouraging approaches that allow users to remain in control of the sharing of their personal data and rely as much as possible on their consent. By contrast, in 2013, the European Commission published a report on the results of its 2012 consultation on IoT governance, reporting that business stakeholders – on the whole – considered that IoT-specific rules were unnecessary in light of the existing legal framework of data protection and competition rules. Consumers associations disagreed. The Commission declined to take a position in that report, but it is clearly monitoring the policy environment closely and is expected to publish a Recommendation on a policy framework for the future management and governance of IoT imminently.

Over the Trans-Atlantic pond, US regulators are already firmly on the case. Last month the Federal Trade Commission (FTC) released a staff report, entitled Internet of Things: Privacy & Security in a Connected World. The report summarises the FTC’s November 2013 public workshop in this area and, in particular, the application of traditional US privacy principles (e.g. notice, choice, data minimisation, and accountability) in dealing adequately with the new risks that may arise with IoT. While the FTC states that IoT-specific legislation in the US may be premature at this time, its staff advocates the development of self-regulatory programmes designed for particular industries as a means to encourage the adoption of strong, consumer-centric privacy and data security practices. In particular, businesses are urged to take a series of best-practice steps now. These include: minimising the collection and retention of consumer data; providing consumers with notice and choice as to how their data is collected and used; and, implementing reasonable and appropriate security practices, such as building security into device design from the start, monitoring and managing known risks appropriately, and notifying consumers when there is a security breach.

The similarities between the US recommendations and the emphasis in European proposals under the new data protection regime currently making its way through the legislative process are striking…perhaps a ‘nod to the wink’ that seamless interoperability may, ultimately, also require seamless regulation?

Alison Knight