4. LEGAL ISSUES
• Cybercrime
• Liability
• Security
• Intellectual property (patents, database and data mining)
• Standards
• Data protection / privacy
5. EXISTING LEGAL FRAMEWORK
• Mostly unregulated at the moment.
• IoT covered by traditional aspects of the law: Tort, contract, Terms of Use, database rights.
• Hacking an IoT device is a criminal offence (Computer Misuse Act).
• The most regulated area is data protection.
6. THE UK 1998 DATA PROTECTION ACT
• Principles for data controllers, rights for data subjects.
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing.
• Restriction on transferring personal data to countries that do not provide adequate data protection.
7. DATA SECURITY ENFORCEMENT
• Crown Prosecution Service fined £200,000 for data security breach.
• Most enforcement orders involve minor incidents (sending email to wrong recipient).
• Major incidents on the increase (loss or theft of unencrypted devices).
8. SAFE HARBOUR
• System enacted to allow enterprises to send data to the United States, which, as a country, does not provide adequate levels of protection.
• Was working until…
9. MAXIMILLIAN SCHREMS V DATA PROTECTION COMMISSIONER (C-362/14)
• Austrian law student and privacy advocate Maximilian Schrems initiated legal proceedings against the Irish Data Protection Commissioner (DPC) because he is a European Facebook user, and as such he signed up to the terms of use set by Facebook Ireland, the European subsidiary of the US company.
• He claimed that Snowden’s revelations of mass surveillance mean that the US does not adequately protect European citizens’ personal data.
• The Court agreed and declared the safe harbour agreement invalid.
10. PRIVACY SHIELD
• New system that replaces safe harbour, just signed.
• “…effective supervision mechanisms to ensure that companies respect their obligations including sanctions or exclusion if they do not comply”.
• Companies with bad security could be excluded and/or fined.
11. GENERAL DATA PROTECTION REGULATION (GDPR)
• Will come into effect later this year (July most probably).
• Overhauls the existing DP regime, bringing several directives and rights under one roof (cookies, right to be forgotten, etc).
• Creates a few new rights, principles and concepts that could apply to IoT.
• Existing principles regarding export and security remain.
12. PRIVACY BY DESIGN
• Art 23 enacts data protection by design and default.
• “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed…”
13. FORTHCOMING IoT EU ACTION
• Commission has agreed to consult industry on next steps. Possible action includes:
• Open data
• Standardisation and interoperability
• Data protection
• Telecoms: roaming, spectrum, numbering, etc.
• Authentication of objects.