IoT613: Privacy by design

Megan Cornell

If there’s one thing on consumers’ minds today, it’s privacy. Questions about abuse and misuse of personal data aren’t reserved to platforms such as Facebook and Google – they’re inherent to wearables and other internet-connected devices as well.

In Canada, privacy standards are set out by the Personal Information Protection and Electronic Documents Act (PIPEDA). For global firms, however, new, stricter regulations devised in the European Union are bound to affect business models and product design when they’re implemented next month.

Ahead of her seminar at the IoT613 conference in Ottawa on April 18, Momentum Law founder and CEO Megan Cornell spoke to Techopia about the importance of designing with privacy in mind.

Why is privacy a concern when it comes to the Internet of Things?

The trade-off in harnessing any product that falls under the Internet of Things category is that you’re constantly providing data through your device. It’s obviously exciting and enabling: I have an Apple Watch on, we have a Nest thermostat and fire alarm at home; I am as connected as it gets to the Internet of Things.

An offshoot of that is the constant collection of data about us and our use, and that’s supposed to make the products better. But as we know, No. 1, they need to be secure, and No. 2, there can be other uses for all of that data.

From a fundamental consumer point of view, we come right up against our PIPEDA core requirements, which are consent and knowledge as to what you’re sharing and protection of the data.

More and more, this discussion around the removal of data, the portability of data and the right to be forgotten … PIPEDA is a little behind the EU rules on that front, but we’re fully expecting there will be a Canadian push to bring this more into line with these new EU rules.

Can you give us an idea of what those EU-like rules would be, if we were to adopt them, and what that would mean for companies developing in IoT?

For the Internet of Things, what I’ve been talking about for a few years now is the data portability piece because it has real build implications for the technology.

It goes to this fundamental idea that is out there in the privacy world; it’s called “privacy by design.” It’s this theory that from day one when you’re building a product, you’re thinking through the privacy implications – and data portability is a big one.

Data that’s being collected off my watch right now, for example, can I go and take that data away from Apple and download it in a fashion that can be uploaded into some other format or some other use? If I go and get a Fitbit, can I translate that data?

The short answer now is no, you can’t. The EU regulations very specifically say that you have to be able to.

That’s a fundamental design issue, right? It’s not like everybody’s using Excel spreadsheets. What’s the standard collection mechanism for these sorts of biometric data, just to use that example?

So that’s a really fundamental design question. Whenever we kind of push it back at especially new-stage companies, they look at you with, like, terror in their eyes.

How can startups stay ahead of the curve when it comes to privacy?

One of the requirements of both PIPEDA and then, in a much stronger way, the new EU regulations is having a privacy officer.

For the most part, that’s meant having somebody in your organization that’s responsible for the implementation of PIPEDA.

Now, when you’re talking Internet of Things, I would argue that the data protection officer needs to have technical capabilities. In the past, you know, when we thought about being able to respond to privacy requests, it could be someone that was sort of administrative, someone that had good training on the legislation, etc.

But I would argue that under the EU requirements, you need to have a technical person wearing that hat in your organization and someone that’s been advised on what it actually means.

We can say you – this individual – have responsibility for thinking about those problems and will take a bit of time to understand privacy by design. It’s not overly onerous to understand.

Do you think there’s a wake-up call right now, on the consumer side, as to how pervasive technologies and companies can be?

I think it is. It’s, oddly, really helpful timing for the Facebook story to break, because they were able to come out within a week with all of these planned changes that I’m pretty confident were in the works for May 25 for the EU legislation anyway. I’m sure they’ve been working on it for two years.

So good for them, but because there was this scandal, it’s waking everybody up to these requirements.

EU regulation on privacy, it just doesn’t sound like something that’s super compelling for a startup to consider, let alone a Canadian startup.

It’s not an everyday thought.

No, exactly. But the Internet of Things is such an interesting piece because as a Canadian startup, in that world, you’re never going to think Canada is your sole market in the world. It may be where you get some legs, but there’s no way, we’re just not big enough.

So from day one, you should be planning, I think, for Canadian regulations to very quickly catch up. We’ve got a federal government that is absolutely the kind of government that will back the privacy commissioner’s request for broader powers and a broader reach that’s in line with the EU.

It makes sense because commerce is global. It’s crazy from a product point of view to think, “Oh well, only these ones will meet EU compliance. We’ll make sure that we sell the ones with less protection, or we’ll have a different platform for people to use for managing the device.” It’s just not practical, right?

Biometric data, health data – any of the information that falls under the category of sensitive, personal information under the EU guidelines – that’s exactly the kind of thing that’s being collected through the Internet of Things.

It’s the most protected, and consent levels are the highest: it must be explicit consent; it has to only be retained for the amount of time absolutely necessary to deliver the service; you need to be able to move that data; you need to be able to request it to be taken out.

If built into your product is the ability to sell it to third parties, you may have to rethink your entire business model as well as your product model.

Anything you want to add about privacy and IoT?

If you turn your mind to it from day one, it’s a lot easier to build a business model and a technical model that complies than go back and have to remake everything.

(This interview was edited and condensed.)