Here’s an insight into the impact that IoT may have on laws relating to privacy and data security and the possible solutions in law and industry which will help enable the development of IoT.
IoT devices provide significant benefits to individual consumers across different aspects of their lives. Data, and especially personal data (capable of identifying the individual), underpins and delivers most of these benefits. Consequently, the interaction of IoT devices with individuals, and their almost unacknowledged but pervasive presence in the daily life and privacy of an individual, would pose ongoing and real-time privacy challenges as well as risks.
Before proceeding to explore the implications of the convergent points of the law on privacy and IoT, an understanding of the stakeholders in a personal information transaction would be helpful. One set of stakeholders in an IoT transaction comprises device manufacturers, data platforms, data aggregators or brokers, application developers, social platforms, etc. Their intervention involves extensive access, use and processing of data, resulting in the device operating in an unobtrusive and seamless manner for the user. Another category of stakeholders is the users. In data protection legal frameworks, such stakeholders possess different designations, based on their attributes. There is the ‘data subject’ (user of the IoT device) who provides the data for availing services and the ‘data controller’ (IoT device manufacturers/service providers) who controls the data and uses it for providing services/functions rendered through the IoT device. Further, the data may travel through multiple entities present between the data subject and the data controller, who process the data on behalf of the data controller (data processors).
The law on privacy and data security in India in today’s electronic age is still at a developmental stage. The Supreme Court has recently recognised the right to privacy in India as a fundamental right under the Constitution. This right also includes the right to informational privacy, which is the individual’s right to control the dissemination of his/her data, including electronic data and data over the Internet. The Supreme Court has also set up a committee (the B.N. Srikrishna Committee) to frame legislation on data protection. As a result, any new law on privacy that gets enacted should recognise and accommodate the unique nature of IoT. However, till an omnibus privacy and data protection legislation is put in place, the existing regulatory framework on data privacy and security in India under the Information Technology Act, 2000, merits discussion.
The Information Technology Act, through its Reasonable Security Practices and Procedure Rules in 2011 (Data Privacy Rules) specifies certain requirements for data controllers to follow, while collecting, storing, processing and transmitting personal or sensitive data over the Internet. Under the Data Privacy Rules, the data controller is required to give notice of the information collected and get the written (or electronically communicated) consent of the user or the data subject, before the data is collected. The data controller must give the user an option to withdraw consent, change the information in case of a mistake, etc. Further, the collection of information must be limited to the identified purpose for which it is collected, and must be used and disclosed only for the identified purpose (data minimisation). The flow chart below provides a better idea of the flow of information and the regulatory steps involved.