In Part One of our series on the Internet of Things ("IoT"), we introduced the business of connected devices and its potential to get big, fast. Companies are quietly amassing customers' personal data to optimize business decision-making, but recent reports highlight consumer uneasiness with the world of connected devices.
In 2015, Accenture surveyed more than 28,000 consumers in 28 countries of which 47% reported that they did not plan to buy an IoT device because of concern over privacy and security issues. A 2015 report from the U.S. Federal Trade Commission documented security and privacy IoT device shortfalls, and called on manufacturers to take a more active approach to integrating informed consent and security measures in their products.
Consumers are primarily concerned with consent, use and transparency surrounding the data that is being collected by IoT devices. While the Personal Information Protection and Electronic Documents Act ("PIPEDA") provides ground rules for how companies can collect, use or disclose personal information for commercial activities, connected devices require further consideration of the traditional methods of providing consent.
Connected devices make compliance with PIPEDA privacy principles difficult. As noted in the Office of the Privacy Commissioner of Canada's recent report, IoT devices are designed to operate quietly in the background of our lives. Potentially unaware of data collection by connected devices, consumers are unable to provide meaningful consent. Similarly, notice is difficult to provide, given that the user interface of many connected devices is often invisible or controlled remotely.
Recently, the Office of the Privacy Commissioner of Canada announced that it is joining a global study on the privacy implications of IoT health devices. The "privacy sweep," coordinated by the Global Privacy Enforcement Network, is a collaboration between privacy organizations across the globe with the goal of increasing awareness of privacy rights and responsibilities for consumers and businesses. Concerns identified as a result of the "sweep" could result in outreach and engagement with organizations in the business of connected devices and/or enforcement action by authorities.
Privacy organizations around the world are taking note of IoT devices and considering appropriate ways to apply traditional privacy principles to the evolving "smart" environment. The OPC's involvement in the "sweep" evidences the organization's commitment to identifying the risks to consumers in this new space, but we still have not seen any meaningful progress on guidelines for corporations to ensure that they are addressing privacy concerns around consent, accountability and transparency. We hope that results from the "sweep" will help Canadian privacy policy-makers identify an actionable course moving forward.
*This article was written with the assistance of Alyssa Gebert, an articling student at Aird & Berlis LLP. Alyssa will be returning to the firm in September as an associate.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
