SECTIONS

Legislative challenges on data privacy hinder IoT adoption

Internet of Things (IoT) services involve significantly more parties than traditional services, These include sensor manufacturers, hardware manufacturers, IoT operating systems and software vendors, mobile operators and third-party app developers.

This diversity means that IoT is subject to multiple laws since these providers are scattered across jurisdictions. Thus, enforcement of compliance requirements may not be fully achieved. 

If the current state of Kenya’s data protection is anything to go by, IoT will dig us deeper into the privacy issues that arise due to the sheer amount of data collected. There is need to have laws in place that will protect the IoT end user’s private data from misuse.

Although there is no direct mention of the Internet of Things in any laws or legal provisions in Kenya, other laws such as on privacy, competition and communication provide guidance on the breach of certain aspects introduced by IoT.

The Constitution of Kenya 2010 is the fundamental law that governs privacy in Kenya under Article 31 which protects the privacy of communications.

Further, Section 25 of the Data Protection Act (DPA) echoes Article 19 of the GDPR (General Data Protection Regulation) and provides for principles of data protection among which is to ensure that personal data is processed in accordance with the right to privacy of the data subject. Section 41 further requires technical and organisational measures designed to implement privacy by design and default.

In January 2018, the Communications Authority of Kenya (CA) said Kenya’s internet penetration stood at 112.7 per cent, meaning that there are more internet-connected devices in Kenya than there are people. Most of these are personal computing and communication devices such as tablets, mobile phones and personal computers.

However, there is an increasing number of sensors and everyday objects that were previously unconnected that are now connected to the internet.

Six in ten IoT devices don’t properly tell the end-user how their personal information is being used, or even when it is being collected. This leaves the user in the dark on what happens to this data, the privacy risk posed to the users whose personal data has been collected by IoT sensors.

There are several concerns identified by most scholars on IOT privacy. One is on location and tracking. This is the threat of determining and recording a person’s location through time and space, with the level of concern at 31.5 per cent.

Two is the identification threats that happen when sharing of un-anonymised data, where a person’s identifier such as a pseudonym or an address is used to identify and locate the person in real life. The level of concern is at 25.9 per cent.

The third is an analysis of individual data by use of data mining techniques for the purposed of profiling them, at 21.3 per cent.

Fourth is inventory attacks, where the IoT device is hit by a Denial of Service attack to render it incapable of normal function, at 8.3 per cent. Interaction and presentation threats come in fifth, which occur when a user’s private data is transmitted through a public medium such as the internet, and in the process disclosing it to unintended audiences. Level of concern is at 6.5 per cent.

Sixth is life cycle transitions, where an end-of-life IoT device is discarded with it still holding private data, at 3.7 per cent.
Finally, the linkage where previously autonomous systems are interconnected, such as the combination of data sources that creates new information that would have been impossible to create before. This threat is at three per cent.

It is emerging that users do not have the power to control what data is collected about them and how this data can be used or stored. The government and CA need to empower users through primary and secondary legislation to enable them to control quantity and types of data collected about them.

Best practices

A starting point would be putting in place IoT device manufacturing best practices to give control to the individual about what data is collected and how it is stored or transmitted. Devices that do not meet these criteria should not be imported into the country. 

The empowered user should be in a position to know when and what type of data about them is recorded and transmitted by an IoT device before purchasing or using it.

They should also be adequately informed about how the IoT device protects any collected data on the device and also during transmission of this data.

In addition, they should be able to configure and customise the privacy preferences on IoT devices to their level of comfort regarding security.

There is a push in the industry that manufacturers of IoT devices that collect personal data should be able to self-regulate and not wait for external and forced compliance to the privacy best practices.

To ensure maximum benefits of IoT technology, there are certain steps that can be taken to achieve privacy and enhance business strategies. These include the widespread adoption of a single, consistent set of international standards like in the US and Europe. This requires stakeholder engagement in the IoT ecosystem to develop sound legal solutions.

Regulation could be two-fold: by way of government policies giving the general direction in handling privacy and data protection, or self-regulation to ensure that industries adopt best practices in cybersecurity and data minimisation.

Recently, the Office of the Data Protection Commissioner issued a communique stating that the office is working on sector-specific guidelines in collaboration with data controllers and processors.

Businesses in the IoT space could leverage on such engagement to ensure practicable legislation is enacted. Practitioners and stakeholders ought to work with legislators to push for a regulatory environment that fosters the growth of IoT.

Laws that cover a global arena and cross border practice would be the preferred package that ensures an unparalleled global reach.

 The writer is the chairman of BTN, an ICT provider in East Africa. [[email protected]]