The Internet of Things From a Legal Perspective: The Concern About Personal Data

Sidi Mohamed Sidi Ahmed
Copyright: © 2022 | Pages: 23
DOI: 10.4018/978-1-7998-7323-5.ch002

Abstract

The internet of things (IoT) is one of the successive technological waves that could have a great impact on different aspects of modern life. It is being used in transport, smart grids, healthcare, environmental monitoring, logistics, as well as for processing pure personal data through a fitness tracker, wearable medical device, smartwatch, smart clothing, wearable camera, and so forth. From a legal viewpoint, processing personal data has to be done in accordance with the rules of data protection law. This law aims to protect data from collection to retention. It usually applies to the processing of personal data that identifies or can identify a specific natural person. Strict adherence to this law is necessary for protecting personal data from being misused and also for promoting the IoT industry. This chapter discusses the applicability of the data protection law to IoT and the consequences of non-compliance with this law. It also provides recommendations on how to effectively comply with the data protection law in the IoT environment.

Introduction

Collecting information about the surrounding environment is a natural part of the life of every human, and even every animal, as such information enables them to interact properly with their environments and their inhabitants. Accordingly, collecting information about people is an old practice that has been extended in the computer era (Rowland et al., 2012), where data or information is of the essence. Without doubt, the Internet of Things (IoT) is one of the waves of technology that expand the collection of data by interconnecting countless objects and enabling them to process information about the things they are attached to and about their surrounding environments. This technology has penetrated almost all sectors of modern life, such as transport, smart grids, e-health, environmental monitoring and logistics (River Publishers Series in Communication, 2014). Not only that, IoT devices and applications have become part of the everyday lives of ordinary people. Moreover, IoT is capable of collecting pure personal data through a fitness tracker, wearable medical device, smartwatch, smart clothing, wearable camera (Mardonova & Choi, 2018) and so on. In this regard, Gartner (2017) proclaimed that consumer applications represented 63% of IoT applications (5.2 billion units) used in 2017. This means that the bulk of IoT data is likely to be data related to human beings. Protecting personal data in the IoT environment is a major worry for many data protection stakeholders because the nature of IoT as ever-connected objects is not in line with data protection principles which, inter alia, seek to minimise the processing of personal data and to process it for specific known purposes.

The existence of countless data flowing through and residing in smart objects (Singh & Gandhi, 2014) necessitates ensuring the security and protection of this data, especially data related to individuals. Securing and protecting data in the technological age is not an easy task. On the one hand, technology is susceptible to security breaches or vulnerabilities: “weaknesses in a system or its design that allow an intruder to execute commands, access unauthorized data, and/or conduct denial-of-service attacks” (Abomhara & Køien, 2015, p. 71). These general weaknesses are expected to increase sharply in the IoT era, as statistics showed that attacks against IoT devices increased by 600% from 2016 to 2017 (Symantec, 2018). On the other hand, data of all types has economic (Ahmed & Mohamed, 2020), social and other values. Accordingly, it will always be targeted by criminals and other intruders. Needless to say, personal data could be used by criminals and malicious people to harm the data subjects (Ahmed, 2019). As a result, protection of personal data in the IoT environment is necessary, not only for safeguarding interests related to this data, but also for the development of the IoT industry.

As in the real world, security in cyberspace is a challenging matter. As an illustration, security of data in the IoT environment requires ensuring authenticity (to confirm that access is given only to legitimate users), authorisation (to enable IoT device components or applications to access only specific resources), as well as confidentiality, integrity and availability (Leloglu, 2017), and these requirements are not easy to achieve in ever-connected systems and devices that have limited “computational capabilities, memory and battery power” (Abomhara & Køien, 2015, p. 65). The vulnerability of IoT devices and systems, the cause of such vulnerability and the challenges of IoT to privacy and data protection law have been pointed out and discussed by various researchers (Roman et al., 2013; Peppet, 2014; Wachter, 2018; Ahmed & Zulhuda, 2015). This chapter will discuss this matter in more detail in the coming subsections.

Legally speaking, data protection law is considered a branch of privacy, and the digital revolution affects privacy in three dimensions, namely, it (1) eases the collection of data, which in turn leads to the accumulation of massive personal data, (2) makes the data market flourish and (3) endangers data in that there are no sufficient means that can be relied on to surely protect data (DeVries, 2003). In response to the technological challenges, data protection law emerged as a new field of cyber or computer law. This law has been around for more than four decades and it aims to protect personal data and smooth its flow. To do so, this law came with several principles to be implemented in processing personal data and imposed heavy fines or even imprisonment on individuals or entities who contravene those principles. More details about data protection law at the national, regional and international levels and about its principles will be provided in the coming sections of this chapter.

Key Terms in this Chapter

Principles of Data Protection: Common standards and rules established by data protection law to be followed in dealing with personal data.

Data: Information about human beings.

Data Controller: A natural or legal person who processes data of natural persons.

Internet of Things: A term used to describe objects/things (devices, cars, trees) that can connect to a network.

Personal Data: Information that identifies or can identify a specific natural person.

Data Protection Law: All statutes and regulations related to the processing of personal data.

Natural Person: A human being as opposed to a legal person or entity.

IoT Stakeholders: Data controllers.

Data Subject: A natural person whose data is processed by the data controller.
