Internet of Things (IoT): legal issues, privacy and cybersecurity
TRANSCRIPT
Warsaw IT & Privacy Seminar
Internet of Things and the legal issues
Dariusz Czuchaj, Senior Associate
Karol Laskowski, Senior Associate
IoT and the expectations
2015
Source: Gartner Inc. : http://na2.www.gartner.com/imagesrv/newsroom/images/HC_ET_2014.jpg
What is "Internet of Things"?
• uniquely identifiable embedded computing devices
• directly or indirectly processing data
• connected to telecommunication networks
Categories of data
Related to a thing/state
Related to a person
Related to a person's health, etc.
Applicable laws
• Protection of personal data
• Telecommunication laws
• Cybersecurity
• Ownership
What is personal?
Personal data: "any information relating to an identified or identifiable natural person"
Sensitive data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or concerning health or sex life.
Is it personal? Is it sensitive?
IP address
Device fingerprint
Location
Voice sample
Daily number of steps
Sleep pattern
House energy use pattern
When is data no longer "personal"?
Can we get rid of "personal"?
Pseudonymous data
Anonymous data
ISO 29100:2011
Are you sure the data is anonymous?
Am I a data controller? (1)
Data controller vs data processor
Many actors processing the data
What does your DPA think about it?
Article 29 Working Party Opinion on recent developments on the Internet of Things
• Most of the actors classified as data controllers
• Consent of a data subject
• "legitimate interest" – likely to be insufficient
• Right of access to data includes "raw data"
Draft of the New Data Protection Regulation (1/2)
• Application to non-EEA countries
• Penalties
• Data subject may claim monetary compensation
• Profiling framed
Draft of the New Data Protection Regulation (2/2)
• Data breach notification
• Certification
• One-stop shop
• Coming into force – 2017?
Telecommunication
Providing the services by "permanent roaming"
Using the frequencies for M2M data transfers
Numbering issue – IP or separate numbering for M2M?
Regulatory issues – data retention
NIS Directive Draft (1/2)
Critical infrastructure providers
Cloud computing, social media providers?
New obligations:
• Notification of critical incidents
• Obligatory external audits of cybersecurity
• Obligatory documentation
• Penalties for non-compliance
NIS Directive Draft (2/2)
Pros and cons of the new regulation
Legal obligation = clear basis for IT spending on cybersecurity solutions
Are the written policies really helpful?
(re)Structuring your agreements
• Agreements should oblige software vendors to:
  • Update software permanently
  • Deliver updates immediately upon reported security issues
• Access to code:
  • Plan B (1) – escrow of source code in case of failure to react
  • Plan B (2) – consider use of Open Source
* Need for indemnification clauses in the supply chain
Harvesting Data
• American Farm Bureau Federation:
• "Companies that are collecting these data may be able to see how much grain is being harvested, minute by minute, from tens of thousands of fields. That's valuable information."
Harvesting Data
• No clear answers but …
• Existing EU Directive on database protection
• New type of vendor lock-in – business data
• Structuring of an effective agreement