IoT: how much do you trust connected objects?

The 20.6 million connected objects in circulation by 2018 will contribute to the growing “datarisation” of the world. One of the major challenges is to ensure data management is transparent to users, whether that means its ownership, confidentiality, traceability or commercial use.

According to the 2017 Opinion Way survey, 91% of French respondents say they don’t really know which data is collected by connected objects. 42% say they distrust companies and their management of personal data. This mistrust mainly concerns sharing data with other companies: service personalisation, which has its advantages, must be contained to avoid it going off course.

What’s the legal framework for data use?

The first question to arise is: what is the process for protecting collected data? The approach varies from country to country: in North America for example, the focus is on controlling the security of objects and is left to the manufacturers. In Europe the priority is to guarantee individuals how their data is collected and used at all times.

In France, the “IT and Civil Liberties” law of 1978, reinforced by the 2016 Digital Republic law, defines these guarantees, including those for connected objects. Specifically, the company must, among other things, clearly inform its customers what their data will be used for: name, IP address, phone number, email and mailing address, but also health data, work patterns and most of all guarantee a limited lifetime for the data along with its security and accessibility to the customer.

At a European Level, the Data Protection Regulation (RGPD), which will come into force in May 2018, requires companies to make these rules of use more transparent and strengthen internal procedures so that they’re enforced. New regulation will include the right to delete data (the right to delete search engine results), and the right to create machine-readable data formats.

Towards greater transparency in Europe

Nowadays, protection authorities such as the French National Commission for IT and Civil Liberties (CNIL) regularly conducts audits within companies to verify how they use customer and employee data.

Tomorrow the RGPD will ensure data privacy is taken into account upstream when creating new applications. Connected object manufacturers will have to comply with technical and security standards such as “pseudonymisation” or data encryption: this “privacy by design” is closely linked to “security by design”.

In the context of traceability, these companies will also have to clarify their processes for collecting, integrating or publishing data. What’s more, they will have to justify the quantity and type of data collected. Manufacturers will also have to provide national and European data protection authorities and their partners with proof of their risk assessment inherent to the connected object along with an “acceptable” marketing plan. Connected objects will be placed on the market in “privacy by default” mode, offering the highest level of protection for consumers.

Finally, depending on the context, prior consent, and explaining to consumers how their data is collected and used, might be the only possible option in the future. There should be no automatic consent, for example just by reading the terms of use. Collection should always be proportionate. If location data is not necessary for all of the connected object’s functions, then it should not be automatically collected. This loyalty and transparency is essential to the success of connected objects as part of a trust pact between businesses and their customers.