Cities that collect personally identifiable data, whether directly or through a third party, must abide by the GDPR just like any other organization that collects data.
The European Union’s General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is the most discussed piece of legislation in information technology. It is considered “the most important change in data privacy regulation in 20 years,” and will affect all products, organizations, and services that collect user data.
The regulation, which applies in full from May 25, 2018, was widely discussed at the last Mobile World Congress in Barcelona and is a recurring topic in many forums and at board-level meetings of the largest US and European organizations.
Data protection by design & default
This is the title of Article 25 of the regulation. The legislators could not have been clearer: privacy and security must be built into any product or service by design. Organizations collecting data on individuals can no longer simply react to data breaches when they occur; they need to be proactive from the start of development of any product.
While service providers such as banks and retailers can use a mix of encryption, private clouds, and private key management to ensure the privacy and security of data, hardware vendors need to go further and incorporate security features within their devices. And, as most experts agree, “software cannot protect hardware.”
IoT devices are especially affected by the regulation. Data protection authorities will be able to levy fines on vendors, OEMs, and data controllers who do not incorporate the necessary safeguards in their devices. For example, transmitting personal data in the clear over WiFi will not meet the "appropriate security" standard of Article 32.
Obviously incorporating new security mechanisms in new IoT devices will make them more expensive.
“The vendor just wants to get their new model out there,” said Gareth Noyes of Wind River during the IoT Solutions World Congress in Barcelona, and network security is their last concern. “Device manufacturers tend to be motivated by a business model that is volume driven, and therefore any penny that is shaved off the bill of materials is something those guys avoid paying for [security].”
However, companies need to realize that the potential cost of a data breach, reputation loss, and subsequent fines by regulators, could be disastrous and even more costly in the long run.
The GDPR asks for specific data protection best practices, including “application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, […] measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules.”
Data controllers — the ones collecting and storing data — should make every effort to collect only the data necessary to perform the service their product offers to consumers, and request explicit authorization (opt-in) before collecting anything beyond that.
Consumers cannot be denied a service or product because they refuse to allow collection of unnecessary data: under Article 7(4), consent that is made a condition of the service is not "freely given" when the data is not needed to provide it.
Transit is especially vulnerable
Public transportation services collecting data, such as the ones using smart cards, need to be aware of the limits of collecting and processing passenger trips, payment methods, and other information.
Any data used to analyze and optimize the use of services should be anonymized where possible and, where it cannot be, pseudonymized and encrypted. The regulation repeatedly names pseudonymization (the term appears 14 times in the law) as the safeguard to apply before personal data is processed for analysis. Note that pseudonymized data is still personal data under Article 4(5): only the separately held key keeps it from being attributed to an individual, so it remains in scope.
Ride-share companies such as Uber, Lyft, and Cabify should be especially prepared. They can no longer build detailed user profiles without explicit user authorization. And, if requested, they must be able to delete all the previous activity of any of their customers without undue delay (Article 17).
Even if the user gives permission to process his or her personal data, the regulation only allows the use of information necessary to provide the service.
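The pseudonymization and erasure requirements above, worked through on smart-card trip records, as an added example that is not part of the original article and not the code of any transit operator named in it. The record format, the 8-digit card number, the sample trips and the 16-byte key are all constructed for illustration; the key would in practice live in a separate key store under the controller's control. The example also shows why an unkeyed hash of a low-entropy identifier is not pseudonymization: an attacker who knows the identifier format simply enumerates it.

```python
"""Pseudonymise and minimise smart-card trip records before analytics.

Added example, not the article's or any operator's code. Record format,
card-id format, sample data and key are constructed assumptions.
"""
import hashlib
import hmac
from datetime import datetime
from typing import Iterable, Optional

# Constructed sample trips (not real data). Card ids are an assumed
# 8-digit format; exact timestamps and fares are more than analytics needs.
TRIPS = [
    {"card_id": "12345678", "ts": "2018-03-01T08:12:41Z", "stop": "L3-Diagonal", "fare_cents": 215},
    {"card_id": "12345678", "ts": "2018-03-01T17:48:03Z", "stop": "L3-Sants", "fare_cents": 215},
    {"card_id": "87654321", "ts": "2018-03-01T08:15:22Z", "stop": "L3-Diagonal", "fare_cents": 100},
]

# Assumed: the key is the "additional information" of Art. 4(5). It is held
# apart from the analytics store (HSM/KMS); a constructed value is used here.
KEY = bytes.fromhex("5f2ac7e4d4b1e0a3c9d7b2f1e8a6c4d2")


def pseudonymise(card_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the card id, truncated to 64 bits.
    Without the key the mapping from pseudonym back to card cannot be rebuilt."""
    return hmac.new(key, card_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(trip: dict, key: bytes) -> dict:
    """Data minimisation for the analytics copy: replace the card id with a
    keyed pseudonym, coarsen the timestamp to the hour, and drop the fare,
    which ridership analysis does not need."""
    ts = datetime.strptime(trip["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "rider": pseudonymise(trip["card_id"], key),
        "hour": ts.strftime("%Y-%m-%dT%H:00Z"),
        "stop": trip["stop"],
    }


def erase(records: list, card_id: str, key: bytes) -> list:
    """Honour an Art. 17 erasure request: the controller, holding the key,
    recomputes the pseudonym and drops every record for that card. This is
    only possible because the data was pseudonymised, not anonymised."""
    target = pseudonymise(card_id, key)
    return [r for r in records if r["rider"] != target]


def unkeyed_hash(card_id: str) -> str:
    """What NOT to do: a bare hash of a low-entropy identifier."""
    return hashlib.sha256(card_id.encode()).hexdigest()[:16]


def reverse_unkeyed(target: str, candidates: Iterable[int]) -> Optional[str]:
    """Re-identify an unkeyed hash by enumerating the id space. The full
    8-digit space is 10**8 hashes, minutes on a laptop; the caller passes a
    band of candidates so the demonstration runs quickly."""
    for n in candidates:
        cid = f"{n:08d}"
        if unkeyed_hash(cid) == target:
            return cid
    return None


if __name__ == "__main__":
    analytics = [minimise(t, KEY) for t in TRIPS]
    for rec in analytics:
        print(rec)
    print("after erasure of 12345678:", erase(analytics, "12345678", KEY))
    print("unkeyed hash reversed to:",
          reverse_unkeyed(unkeyed_hash("12345678"), range(12_340_000, 12_350_000)))
```

The analytics store never sees a card number or an exact timestamp, yet trips by the same card still link (same `rider` value), which is what ridership analysis needs. Erasure and any other per-person action go through the key holder, which is the operational reason to keep the key and the analytics data under different access controls.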
Cities are liable for sensor data
The amount of data collected by cities will increase tenfold in the next six years.
According to Jorge Ortega, a lawyer from Barcelona specializing in data protection, and president of the expert committee of ANF (Data Protection Certification Authority) in Spain, “City councils are responsible for all data collected by all IoT devices in public spaces, and the use of that data. If a light sensor detects the movement of cars entering or leaving a parking garage, and therefore the movement of its residents, their privacy needs to be protected by default.”
He goes further:
“Privacy by design is mandatory when collecting data [on smart cities services], and cities cannot waive responsibility, and expect others to pick it up. They need to make sure the IoT devices installed on the streets comply with the regulation.”
No grace period after May
The GDPR was adopted by the European Parliament and Council in April 2016 and entered into force on May 24, 2016, twenty days after publication in the Official Journal. A two-year transition period was agreed, and the regulation applies in full throughout the European Union from May 25, 2018; from that date there is no further grace period.
Pay attention! It’s not just Europe
The GDPR requires products to incorporate data protection by design and requires companies to report a personal data breach to the supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of it, regardless of the company’s location as long as the data concerns people in the EU. Fines for the most serious infringements can reach €20 million (about $25 million) or 4% of a company’s worldwide annual turnover, whichever is higher.
While this is a European regulation, it has global impact. “It will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not,” according to the European Union website. Article 3(2) goes further: controllers and processors established outside the EU are also covered when they offer goods or services to people in the EU or monitor their behaviour, which is why a non-EU app vendor or device manufacturer handling data on people in the EU is within scope.
Industry now welcomes regulation
Over the past two years, there has been a significant change in the industry’s approach to regulation. Most industry leaders, when asked three years ago about regulations and standards for IoT, argued in favor of self-regulation to boost development and services. Now they favor regulation to level the playing field.
In a special session about GDPR at last year’s Mobile World Congress, NXP Executive Vice President Steve Owen said that until then most companies had only worried about security after something happened, and that legislation forces them to implement security in advance. “Most of the [NXP] technology that we have in government or banking space around the world, only moves forward when legislation exists,” he said. “Business takes place because legislation exists. Where it doesn’t, companies tend to act on their own, for their own self-interest, and IoT will fail without regulation. […] IoT will fail if regulation does not create a standard where we all work, and find a business model to work together.”