BIG DATA AND THE INTERNET OF THINGS




12 September 2013
Robert Bond, Partner and Notary Public
Janine Regan, Solicitor
Tughan Thuraisingam, Paralegal

Our team
- Speechly Bircham is an ambitious, full-service law firm with over 200 lawyers, headquartered in London.
- We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors.
- We have offices in Luxembourg, Zurich and Geneva.
- Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches.
- We are recommended in Chambers 2013 for our "good expertise" in data privacy compliance issues in Europe and have advised on this area of law since 1983.

"Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures."

Robert Bond

A Certified Compliance & Ethics Professional, Robert has specialised in data protection since 1983 and is listed in the top 20 Best Privacy Advisers in a recent survey published in Computer World. He was recently appointed an Ambassador for Privacy by Design by Commissioner Ann Cavoukian of Ontario. He has advised many multinationals on trans border data flows and global data protection compliance since 1997, and co-authored the ICC BCR Report in 2006, the ICC Guidelines on Basel II and Data Protection in 2007 and the ICC UK Cookies Guide in 2011.

Robert is the author of many books, including most recently for Sweet & Maxwell who publish his book Negotiating International Software Licenses and Data Transfer Agreements. Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Study and in 1994 was a researcher in Information Security and Data Protection at the University of Leicester. Robert is listed in Legal Experts 2012 and The Who's Who of International Internet & E-Commerce Lawyers and is also recognised as a Legal Expert by Euromoney's Guide to the World's Leading Technology Telecommunications Lawyers. He is also a frequent speaker at industry events and conferences.

Robert is listed as Tier 1 for Data Protection in Chambers UK 2013 to 2010 describing him as an esteemed figure in the field. He has an impressive reputation for his work on cross-border data compliance and cutting-edge IT data privacy issues within the digital, online and social media spheres. He is listed as a data protection expert in Chambers (2009) and in Chambers (2008) where clients describe him as a brilliant lecturer, a meticulous lawyer and responsive ("if you contact him, you know he'll get back to you within the hour") and authoritative ("he really knows his stuff, and he has so many contacts within the EC he can predict trends and what's coming further down the line, which is very useful for forward planning").

Janine Regan CIPP/E

Janine is a solicitor within the IP, tech and data protection group. Janine has advised on filings with relevant data protection authorities, processor / controller agreements, trans-border flows of personal data, data protection compliance measures and tools, compliance assessments and training. She is currently working on global data protection compliance for multinationals in sectors such as media, financial services, technology, construction and pharmaceutical. Janine also possesses the Certified Information Privacy Professional (Europe) (CIPP/E) qualification. Janine graduated from Newcastle University with a degree in English Literature. She completed the Graduate Diploma in Law and the Legal Practice course at BPP Law School in Manchester.

Janine.Regan@speechlys.com
+44 (0)20 7427 6798

Tughan Thuraisingam

Tughan is currently working as a Paralegal within the IP, tech and data protection group. Tughan graduated from the University of Southampton with an LLB (Hons) Bachelor of Laws in 2009 and LLM (Maritime Law) in 2010. He completed the Legal Practice Course at BPP Law School (London) in 2011. Since joining Speechly Bircham, Tughan has assisted the Data Protection team with global compliance projects, enforcing data subjects' rights and interpreting Turkish privacy laws.

Tughan.Thuraisingam@speechlys.com
+44 (0)20 7427 6502

Topics
- What is big data?
- What do we mean by the internet of things?
- What is so great about big data and the internet of things?
- The challenge of big data and the internet of things for data protection?
- The particular challenges in relation to personal location data
- Big data and the internet of things: the future

What is big data?
- The ultimate buzzword: the term coined to describe a massive volume of data that is so large it is difficult to process using typical database software tools
  - but can be very subjective
  - how big does a dataset need to be to be considered big data?
  - varies between sectors
- "Data have become a torrent flowing into every area of the global economy" (McKinsey Global Institute, 2011)
- Features of big data:

What do we mean by the internet of things?
- Put simply, it's the connection of everyday objects to the internet
- Connected objects exchange, aggregate and process information on their physical environment to provide value added services to end-users
- How?
  - Radio-frequency Identification (RFID)
  - Embedded sensors
  - Miniaturisation and nanotechnology
- A vision where the world develops a central nervous system

Polling questions

1. Does your organisation see a value in big data and the internet of things?
   A. Yes
   B. No

2. How concerned is your organisation about the data privacy issues surrounding the use of big data and the internet of things?
   A. Very concerned
   B. Somewhat concerned
   C. Moderately concerned
   D. Not at all concerned

Polling questions

3. Do you think that big data and the internet of things have the potential to infringe individuals' privacy rights?
   A. No
   B. Possibly
   C. Yes

4. Do you always know when and how an organisation uses your personal data for profiling purposes?
   A. Yes, all of the time
   B. Most of the time
   C. Sometimes
   D. Rarely

What is so great about big data and the internet of things?
- McKinsey Report 2011
- If US Healthcare used Big Data effectively the sector would create $300 billion in value every year
- EU administration could save $100 billion per annum in efficiency savings, let alone fraud prevention
- Big Data can unlock value by creating transparency, analysis of product quality and demand and need, turning volume into specifics
- The internet of things makes management of life and value of products and services better


The challenge of big data for data protection?
... for organisations, regulators and data subjects
- The sheer scale of data collection
- The security of data
- Transparency
- Perceived with suspicion
- Inaccuracy, discrimination, exclusion and economic imbalance
- Increased possibilities of government surveillance

The challenge of big data for data protection?

What safeguards would make the use of big data compatible with data protection laws?

When using big data to identify 'trends and correlations'
- ensure the confidentiality and security of data and take all necessary technical and organisational measures to ensure functional separation
- effective anonymisation
- and regularly assess the risk of re-identification
- ICO: Anonymisation: Managing Data Protection Risk Code of Practice

When using big data to identify 'personal insights' ensure that
- free, specific, informed and unambiguous opt-in consent is obtained for tracking and profiling for purposes of direct marketing, behavioural advertisement, databrokering, location-based advertising or tracking-based digital market research
- data subjects are given access to their profiles, including
  - the logic of the decision-making (algorithm) that led to the decisional criteria
  - the source of the data that led to the creation of the profile
  - the ability to correct or up-date their profiles
  - easy access to their profiles in a portable, user-friendly and machine-readable format

Key features of the internet of things
- Object to object and object to person communication
- Automatic communications
- Substantial increase of data collected
- Varying functionalities

The challenge of the internet of things for data protection
- Increase of personal data processed
- Identification of a specific object
- Combination of data from different sources
- Identity theft
- Data retention issues
- Data must not be kept longer than necessary
- Data to be kept adequate, relevant and not excessive
- Purposes in addition or other to those originally specified
- Data subjects' rights: loss of control
- Informed consent

The challenge of the internet of things for data protection
- Security measures
- Appropriate technical and organisational measures to protect personal data
- Proportional to the risks represented by the processing
- Challenges:
  - Inadequate computing power of objects to implement security measures
  - TRENDnet privacy violation (4 September 2013): Federal Trade Commission's first action against a product from the internet of things

The particular challenges in relation to personal location data
- WP 203 Opinion 03/2013
- Analyses principle of purpose limitation
- Personal data must be collected for specified, explicit and legitimate purposes
- Personal data must not be further processed in a way incompatible with those purposes
- Gives guidance and examples of how to assess compatibility
- Examples include profiling, apps, location data and big data

The particular challenges in relation to personal location data
- "Where I am" in terms of location data usually involves processing of my personal data, thus the data controller needs to be transparent and accountable
- I need to consent to the use of such location data
- "Where I am" also indicates "where I am not"; in the wrong hands this may be a problem
- A child may be identified as home alone and a terrorist may be identified as home to drone!

Big data and the future

The implications of the draft data protection regulation for big data

Article 6(4) of the proposed regulation re lawfulness of processing
- Very broad exception which would be beneficial for the processing of big data, but
- Criticised by the Article 29 Working Party and
- Struck out by the LIBE Committee

Article 7 re conditions for consent
- LIBE Committee amendment: Consent loses its effectiveness as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected
- where there is a significant imbalance between the position of the data subject and the controller

Article 20 re profiling
- LIBE Committee amendment: Profiling that has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity, or that results in measures which have such effect, shall be prohibited
- Measures based on profiling which produce legal effects concerning the data subject or significantly affect the data subject shall not be based solely on automated processing

The internet of things and the future
- "The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet" (FTC Chairwoman Edith Ramirez)
- How should it be regulated?
- European Commission's report on the public consultation on IoT governance (16 January 2013)
  - Degree of public intervention required
  - IoT-specific DPIA guidelines
- Impact of the draft data protection regulation?
  - Strengthened approach to consent
  - Data processors are within scope of the regulation
  - Article 5 1a: producers, data controllers and data processors shall take technical and operational measures to ensure such compliance in the design, set-up, and operation of automatic data processing or filing systems

FURTHER INFORMATION

For more information on our services, please contact:

Robert Bond
+44 (0)207 427 6660
Robert.Bond@speechlys.com

Janine Regan
+44 (0)207 427 6798
Janine.Regan@speechlys.com

Tughan Thuraisingam
+44 (0)207 427 6502
Tughan.Thuraisingam@speechlys.com