Research. “Before we too readily endorse smart devices and sensors that can send into the cloud information about many personal aspects of our daily lives, it is essential to have an informed discussion about the implications of the Internet of Things (IoT) and to plan the integration of privacy principles and safeguards into the conception and implementation of the many smart environment components.”
Such is a recommendation from The Office of the Privacy Commissioner of Canada, who is describing 5 areas within the IoT, where we need to be aware of the unavoidable privacy implications:
- app-enabled smart meters for energy
- smart tv and entertainment systems connected to the internet
- security systems with video cameras; night vision; door and window sensors; and movement, fire and temperature sensors.
- sensors in you refrigerator and others things in the home – still not mass market
- home monitoring systems of elder and disabled
In some instances, device tracking is said to involve aggregate, anonymized, or de-identified information. Broadly speaking, aggregate information can be thought of as “complied or statistical information that is not personally identifiable. But even aggregate information could lead to an identifiable individual.
Accountability is a key principle in privacy law. To be accountable, an organization needs to be able to demonstrate what it is doing, and what it has done, with personal information and explain why. This may be easier said than done in the Internet of Things environment when there is a multitude of stakeholders, such as device manufacturers, social platforms, third-party applications and other players. Mapping dynamic data flows and setting out the responsibilities and relationships between various actors could help clarify how information flows among the parties and can help inform the basis of an organization’s privacy management program.
Access and correction rights are challenged. How will an individual know to ask for their information and challenge its accuracy, if they never become aware that it was ever collected? Similarly, how will individuals determine what organization they should seek out to gain access to and, where necessary, correct their personal information?
According to the report, there are many interesting options to deal with the challenges of consent in the Internet of Things environment. Many of these, such as setting machine-based rules for proxy-decision making or having a device “learn” what actions are acceptable (or not) to users at certain times and places,will be considered in the data authority’s future work on consent.