The Internet of Things: Guidance, Regulation and the Canadian Approach
The Internet of Things (IoT) has been identified as a disruptive technology, bringing with it both the promise of seamless interconnectivity of devices and, the flip side of that interconnectivity, single-point vulnerability of multiple systems. While businesses rush to embrace the technology, the regulators have begun considering the issues raised by it.
What is the Internet of Things?
The “Internet of Things” is a phrase that refers to everyday products that are connected to the internet that can send and/or receive communications from other devices. It includes internet-enabled products such as thermostats, fitness trackers, watches, cars, light bulbs, washers and dryers or even toasters and toothbrushes. On a larger scale, it can include industrial controls and factory machinery.
The Internet of Things is expected to have an economic impact of $3.9 trillion to $11.1 trillion per year by 2025, which will represent up to 11% of the world’s economy. The world’s largest manufacturers have already jumped onboard the Internet of Things, but as with any disruptive industry it will take a few years for the regulatory frameworks to catch up.
With this new industry comes a host of new legal issues. Some areas of law that will be affected by the Internet of Things include: security, privacy and competition law. Regulators may introduce minimum security protocols for IoT devices since breaches of security can lead to more direct and physical effects on a consumer’s safety. Privacy also becomes exponentially more important since the amount of information about an individual’s life will increase as more products become internet-enabled. Consumers of these products will demand more control over their private information, while companies will want to store that information for commercial purposes. Competition will also be an issue as the big technological players attempt to standardize and control the frameworks that connect these devices through patenting these technologies and seeking exclusive commercial deals.
The Internet of Things can help make society more effective, safer and greener so it is important that these future regulations strike a proper balance between supporting helpful innovation and protecting consumers. It is also important that these future regulations be in accordance with international approaches, since asymmetric regulations can lead to increased regulatory compliance costs to enter the Canadian market and they can also increase the barriers of Canadian companies to enter the global markets.
As of yet, there have not been any direct regulatory adjustments to deal with these unique issues. However, there have been committees established and meetings taking place around the world to deal with the Internet of Things. Businesses that have begun to embrace Internet of Things technologies, whether in their products or as part of their manufacturing processes and controls, should pay close attention to the increasing activity of regulators in this area.
The European Union
The European Commission, the executive body of the European Union, has created the “Alliance for Internet of Things Innovation” (“AIOTI”). The European Commission has suggested that future regulations must focus on security, privacy, consumer protection, functioning competition and choice.
The European Commission released a report based on a public consultation on the Internet of Things. The public consultation found, amongst other things, the following:
- Privacy: Industry representatives wanted to see no changes to current privacy laws to help promote innovation, while the majority of consumers and consumer organizations considered the current privacy regulations inadequate and wanted to see IoT-specific Data Protection Impact Assessment guidelines. In addition, consumers thought that they should be in control of their data and wanted stronger enforcement for privacy breaches.
- Security and Safety: Industry representatives wanted to see no changes to the current security requirements and did not want to see overregulation. Consumers, on the other hand, wanted to see the creation of guidelines and standards for security to ensure data confidentiality, integrity and availability in an IoT context.
- Competition: The majority of respondents agreed that IoT devices should inter-operate to promote competition and service innovation. Industry leaders, however, pointed out that non-interoperable vertically-integrated systems should not be prevented by legislation, especially in non-consumer facing products.
The United States
In January, 2015, the Federal Trade Commission released a Staff Report on the Internet of Things. The report was prepared in conjunction with leading technologists, academics, industry representatives and consumer advocates. This report focused on the issues of privacy, security and whether legislation is required to regulate the Internet of Things. The report suggested the following:
- Privacy: The report suggested that companies practice “data minimization” which involves limiting the collection of data and the time that data is held for the period of time it needs to be used.
- Security and Safety: The report recognized that security in the context of the Internet of Things is becoming more important. Namely, the report outlined the various ways that security breaches can lead to real-life safety concerns.  The report suggests that companies should prioritize the building of security into devices, should train employees adequately, should ensure that contractors can maintain security, and should monitor devices and report to the consumer when security breaches are detected.
The reports suggests that IoT-specific legislation would be premature at this point. Instead, the report suggests that broad security and privacy legislation should be introduced to deal with these matters while remaining flexible enough to adapt to technological innovations.
The Canadian Approach
It remains to be seen how Canada will adapt to a world of connected devices. From the reports created in the EU and US it is apparent that there will be tension in the creation of new regulatory frameworks since these have the potential to stifle innovation and increase business costs. Nonetheless, the security, privacy and competition implications of the Internet of Things are equally apparent. Companies should ensure that they are continually monitoring and improving their privacy and security practices to stay in front of any legislative changes. In the long run, this will decrease compliance costs and help gain the trust of consumers.
The federal Privacy Commissioner has taken what it describes as a “keen interest” in the problems associated with the Internet of Things and notes that is conducting various research projects related to the Internet of Things. In June, 2015 Privacy Commissioner Daniel Therrien in his submission to the House of Commons Standing Committee on Industry, Science and Technology said that his Office planned to release “several reports on the Internet of Things”.
While no reports have been forthcoming, the Privacy Commissioner reiterated his Office’s interest in and concern with the Internet of Things, noting specifically that in Spring, 2016, it will produce a “discussion paper” outlining the various challenges associated with the current consent model, explore potential solutions, such as industry codes and other forms of self-regulation, and enhanced regulation. While these are not specific to the Internet of Things, the Internet of Things, and IoT-enabled devices, will be included.
The Privacy Commissioner also anticipates “provid[ing] guidance to businesses and technology developers on how to build privacy protections into products and services; and educate users on the privacy risks associated with wearable devices” and other connected technologies.
 Internet of Things: the next revolution, CONNECT Advisory Forum, the European Commission, at page 10.
 Report on the Public Consultation on IoT Governance, January 16, 2013.
 Yesterday was already tomorrow… The Internet of Things: The need for an adequate information security and privacy framework, Remarks at the Information Security Rendez-vous (ISR) 2014, Montreal, Quebec, May 7, 2014 (Address by Daniel Caron, Legal Counsel, OIPC).
 Study on the State of Disruptive Technologies, Submission to the House of Commons Standing Committee on Industry, Science and Technology, June 18, 2015 (Address by Daniel Therrien, Privacy Commissioner of Canada).
 National Security and Privacy in 2015, Remarks at the Privacy and Access 20/20 Conference, November 12, 2015, Vancouver, British Columbia (Address by Daniel Therrien, Privacy Commissioner of Canada).
Internet of Things privacy Privacy Commissioner of Canada regulatory guidance