The Clash of GDPR and IoT

Cathleen Berger
May 22, 2018 · 4 min read

The EU’s upcoming data protection rules will have a big impact on the realm of connected devices, from voice assistants to smart toasters.

© “Convert GDPR”, cf. www.Convert.com/GDPR/

The Internet of Things: It’s that fascinating development where your smart fridge talks to your connected coffee machine and plots where to best hide your favourite mug. Right?

Not quite. But the sheer volume of IoT devices now on the market — from smart toothbrushes and toasters to WiFi-enabled vacuums — can make it seem that way. Indeed, according to current estimates, there will be 30 billion connected devices on Earth by 2020.

Questionable smart gadgets aside, IoT devices really do possess huge innovative potential. Consider voice-enabled devices. Our voice is one of the most instinctive human traits. Being able to talk to the internet with no clunky intermediary, like a keyboard, can do great things for inclusion: literacy, or familiarity with the Latin alphabet, will no longer be prerequisites to coming online.

One day soon, kids growing up with the Alexas, Siris, and Cortanas of the world will stare in confusion as older generations debate the differences between QWERTY and QWERTZ. Keyboards will seem as antiquated as VHS tapes. As WIRED recently wrote: “Smart speakers, podcasts, and a massive pivot to voice will revolutionize how we navigate the world.”


But wait a second. Surely there are complications. For example: What about the incredible amount of energy used to power these smart devices? What do more devices mean for our throw-away culture? And amid this proliferation of internet-connected items, what will happen to our privacy rights? Regarding the latter — our privacy rights — the IoT industry is about to meet an existential force: the EU’s General Data Protection Regulation (GDPR).

Privacy has been recognised as a fundamental human right by the 193 United Nations member states since 1948: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation,” the declaration reads. The European Union’s Charter of Fundamental Rights goes one step further, adding data protection to the list. And with the May 25 implementation of the GDPR, these rights are now backed by laws with real teeth. The penalties for not complying with the GDPR’s mandate of data minimisation and user control can reach up to €20 million or 4% of annual turnover.

The GDPR strengthens user rights, introduces new requirements for entities handling data, and requires tech to build in privacy by design. And so plenty of organisations, companies, and device manufacturers now find themselves facing new realities. With data protection growing more important, these companies now must ask a range of questions many had previously glossed over. Questions like: What data does the device collect? How is that data processed and stored? Is the data used for profiling, personalisation, or other forms of analytics? What happens to data from underage kids living in a smartly connected household, given that they are subject to special protections? How are devices being secured?

As a result of asking and answering these questions, we’ll see IoT devices with much stronger privacy protections. And we’ll see fewer devices that play fast and loose with user data. (Remember the Cayla doll?) The GDPR can also foster interoperability: You won’t find yourself buying three smart coffee machines, just so that your Echo, your smart alarm clock, and your smart fridge all have one that speaks their “language.” (This is not a fictitious example; just read this.)

This is all good news. But technologists and policymakers should remain vigilant, so the interplay of the GDPR and IoT industry doesn’t also create bad news. For example: We need to consider the economics of the burgeoning IoT industry. Are existing divides being perpetuated? Apple’s more expensive devices collect less and protect better. So while wealthier consumers purchase and upgrade high-end devices, low-income consumers rely on devices with bare-minimum privacy protections, opening them up to heightened fraud, surveillance, and other ills. As GDPR enforcement unfolds, will it fix or exacerbate this problem?

May 25 will be a landmark day for the internet, and the IoT industry is hardly exempt. A realm that previously had few rules is now facing very real, very extensive regulations. Further, the impact will extend beyond the EU’s borders: the GDPR will influence companies oceans away, and will likely shape similar global policies, too. So as the GDPR and IoT industry mix, it’s crucial to ensure they do so in a way that promotes the good — individual privacy, competition — and fixes the bad, like digital exclusion.

Read, Write, Participate

What Mozilla is thinking, building and doing about internet health.

Written by Cathleen Berger: Policy Expert, focusing on human rights in the digital age, tech and security policy, and international relations
