by Dhruv Somayajula*
In this second part of our two-post series on the Internet of Things, Dhruv examines the policy framework in India and analyses its applicability to the Internet of Things.
In a previous post, we discussed the definition of the ‘Internet of Things’ (“IoT”), its uses and applications for smart cities and personal appliances as well as the security and privacy risks that it can come to pose. In light of the growing risks and security concerns this technology poses, it is essential to examine the existing legal framework to evaluate whether it can tackle the challenges emerging from the Internet of Things.
India’s Policy Framework on the Internet of Things
In recognition of the growing scope of IoT-connected devices, the Department of Electronics and Information Technology (now the Ministry of Electronics and Information Technology) released a Policy Document on the Internet of Things in October 2014. Following public comments, a revised draft policy (“Draft Policy”) was released in April 2015. The Draft Policy focuses in detail on the possible uses of IoT in India, including infrastructure for smart cities, water and agriculture management, health and environment monitoring, and traffic management. The Internet of Things, as conceived in India, is geared towards making life easier and ‘smarter’ for the consumer. The introduction of smart cities, smart energy, waste management, water management and other infrastructural development is part of the ambitious programme planned around the Internet of Things. The Draft Policy also foresees major growth in providing wi-fi access, managing traffic, measuring CO2 emissions, and building monitoring systems for agriculture and healthcare. This post critically analyses the existing legal and policy framework regarding the Internet of Things.
Lack of Uniform Global Standards
Paragraph 5.2 of the Draft Policy recognises the need to stay on par with global standards for IoT devices. It proposes the creation of a National Expert Committee, comprising industry experts, to develop globally interoperable Internet of Things standards. However, there is as yet no single uniform global standard for IoT devices, and the Expert Committee will need to take this into account while framing India’s own standards.
Data Security & Privacy
The Draft Policy fails to provide a governance framework for the Internet of Things. As discussed in our previous post, data security and privacy are critical concerns with respect to the Internet of Things, primarily on account of the extensive data collected by these devices. India’s laws on data protection are found in the Information Technology Act, 2000, as amended by the Information Technology (Amendment) Act, 2008 (‘ITAA’). Section 43A obliges corporate entities handling sensitive personal data to maintain reasonable security practices and procedures; negligence in maintaining such measures invites liability to pay compensation to the affected party. Section 72A makes the disclosure of personal information, without the consent of the person concerned and in breach of a lawful contract, a punishable offence.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) elaborate on the ITAA by defining key terms linked with data protection. The Rules define personal information and sensitive personal data or information, and lay down how such data is to be collected and retained. However, the Rules only protect data which can be used to identify a person, and do not cover other background data, such as location and activity, that IoT devices collect continuously. This gap leaves the Rules ineffective against a large portion of the data collected by IoT devices. The data protection regime in India has also been criticised for the absence of a Data Protection Authority and for the low rate of enforcement action taken under these laws.
Another question of law that arises with the advent of the Internet of Things is the treatment of Standard Essential Patents (‘SEPs’) in India. When a company’s patented innovation becomes part of an industry standard, it may force the other players wishing to implement the same standard in their devices to pay a large royalty for a licence to the patent. Other players in the market may resist this by arguing that, since the patent has become essential to the standard, the licence to use that innovation must be offered on fair, reasonable and non-discriminatory (‘FRAND’) terms. This practice is encouraged to avoid anti-competitive behaviour by the holder of the SEP and to give the consumer a wider choice in the market. The question of standard-setting is vital in the IoT sphere since the Internet of Things relies on standardised technology such as Wi-Fi, Bluetooth and RFID chips. A large number of IoT devices depend on data-sharing and interoperability to create a smart sphere, and a uniform standard is necessary to keep adding new devices to the common platform. The application of SEPs and FRAND licensing to IoT devices will raise interesting questions in the coming days.
International Legal Frameworks
In its 2014 Opinion on the Internet of Things (Opinion 8/2014), the Article 29 Data Protection Working Party analysed the Internet of Things and recommended that the application of data protection law be strengthened to prepare for this new technology. The solutions suggested included:
- Privacy Impact Assessment report to be made before a new application is integrated into the IoT sphere [Paragraph 7.1].
- Raw data collected from a device to be deleted once it has been processed [Paragraph 7.1].
- Certified standards to be used by standard setting bodies to prevent security threats to the IoT platform [Paragraph 6.5].
- All actors who are part of the Internet of Things, whether device manufacturers, platforms or application developers, to be treated as ‘data controllers’, making them responsible for data protection [Paragraph 4.2].
- Additional suggestions such as purpose limitation, minimal retention of data, and transparency in use.
The European Union subsequently adopted the General Data Protection Regulation (‘GDPR’) in April 2016, which applies from May 2018 and reflects many of the principles in the Working Party’s Opinion. The GDPR lays down how personal data is to be collected, processed, used and stored, and the limits on retaining such data.
- Article 5 of the GDPR requires the processing of data to be lawful, fair and transparent. It also requires that data be collected for specified, limited purposes and be kept to the minimum necessary, and makes the data controller accountable for compliance with these principles.
- Article 25 enforces data protection by design and by default, and cites pseudonymisation as an example of a safeguard to be built into processing; encryption is separately listed among the security measures in Article 32.
- Article 26 applies where two or more entities jointly determine the purposes and means of processing. If the recommendation to treat all actors in the IoT chain as data controllers is accepted [Para 4.2 of the Working Party’s Opinion], this Article would be crucial in determining liability between them.
- Article 44 lays down the general principle for transfers of personal data to a third country: a transfer is permitted only if the conditions in Chapter V of the GDPR are met, for instance where the European Commission has found the third country’s level of data protection to be adequate (Article 45).
Similarly, the United States Federal Trade Commission (FTC) has prepared a report on the benefits and risks of the Internet of Things. The report contains several recommendations for ensuring the security and privacy of consumers, including verifying data security before products ship, providing notice and obtaining consent, and supporting security updates after devices are installed. The recent TRENDnet case, in which the FTC alleged that flaws in the software of internet-connected cameras allowed live feeds to be viewed online without authorisation, is an example of the vulnerability of IoT devices in the market and a reminder that internet security must remain a priority for devices using the Internet of Things.
Several other countries have passed data protection laws which could be applied to the Internet of Things. Canada, for example, enacted the Personal Information Protection and Electronic Documents Act (‘PIPEDA’) in 2000, and it came fully into force in 2004. There have been major developments since then, and the Privacy Commissioner of Canada has acknowledged the need to revisit the consent model in force with the advent of the Internet of Things. Australia’s federal Privacy Act 1988, as amended with effect from 2014, lays down rules on keeping consumer data confidential.
Way ahead in India
With an estimated 451.5 million internet users by the end of 2016, India promises to be a significant player in the $300 billion global Internet of Things market. India is on the threshold of an internet boom and has tremendous potential in the Internet of Things; the Draft Policy itself targets an Indian IoT industry of around $15 billion by 2020. It is necessary to evolve legal and policy frameworks tailored to this technology, given the substantial benefits the Internet of Things offers. The government needs to promptly upgrade its existing data protection regime to match global standards of privacy and data protection, and to take special cognisance of the security and privacy risks associated with the Internet of Things while doing so.
*Dhruv is a third year student at NALSAR University of Law, Hyderabad. Dhruv interned with CCG during November 2016.