As the Internet of Things grows exponentially, so too do the threats and privacy concerns surrounding it. Anna Hayes explores the legal lie of the land for IoT.

The Internet of Things is like the rolling stone, gathering moss as it trundles along to a destination as yet unknown. A key component in smart home automation technology, you would probably struggle to find someone who doesn’t have some type of connected device in their home at this stage.

In 2019, approximately 14.2 billion connected devices were in use across the world, according to analyst Gartner. They estimate that by 2021, that number will grow to 25 billion. The question for manufacturers, integrators and users is: in this ever connected world, filled with device after device, seeking this permission and that permission, how secure can your system truly be?

And if it isn’t, whose fault is it?

Data and privacy laws came under serious scrutiny in the wake of the Facebook/Cambridge Analytica scandal. Hot off the back of this episode, the General Data Protection Regulations (GDPR) were implemented across Europe and have been considered by many working in this space as a benchmark for the rest of the world to aspire to.

Hamish Fraser, Partner at Bird & Bird law firm says that at the moment, in Australian law, there is no private right to privacy, so any action against a breaching entity would have to be brought by the Office of the Australian Information Commissioner (OAIC) or the Australian Competition and Consumer Commission (ACCC).

He says: “GDPR is the clear benchmark for new laws. Australia isn’t as strong yet but getting stronger by the day – Gartner research says most laws will be at, or close to, GDPR by 2022.”

He refers to the recently released draft voluntary code of practice, ‘Securing the Internet of Things for Consumers’, which he says is a straightforward approach to principles such as password protection, system upgrades, etc.

Also relevant is the ACCC’s Digital Platform Review which sought and received more than 200 public submissions on the topic.

“While it is probably more aimed at the bigger players, the regulatory tsunami that is likely to follow will pick up everyone – we can expect regulators to become more empowered and more vigilant.”

He adds that there are many recommendations coming from that report including: an individual right to privacy, dramatically increased fines for data misuse, a code for platforms, and a right to be forgotten.

Dr Kate Kate Mathews Hunt is a Hon. Adjunct Assistant Professor at Bond University, teaching postgraduate Information Technology and the Law. She says that IoT privacy is very contentious but there are few, if any Australian cases to date.

“The majority of cases are either research-evidenced or regulator-led from the EU, US and Norway. Australia’s
industry is perhaps newer and our uptake is commensurately lower than the United States.”

She points to children’s toys, such as dolls which record kids’ voices and ask privacy-intrusive, often marketing-based questions, as well as the US baby monitor cases where images of babies were streamed on the internet.

“These really illustrate how cheap, insecure devices or those designed without privacy and security-by-design approaches, can threaten privacy and human rights within the home, in a way which most consumers find to be alarming. It’s no way to engender consumer confidence and trust.”

Kate believes that, internationally, privacy law is on the way up, pointing out that Australia has had decent privacy
principles-based legislation for many years but said that somehow privacy issues failed to capture the legal or consumer imagination.

“It is only more recently, after numerous high-profile data breach cases, that privacy is starting to emerge as a basis for concern across a wide range of online/connected issues, from poor device design and security to excessive data collection and misuse.”

Kate feels that the OAIC has had a difficult time playing regulator in this area due to government underfunding, but
she does think that the mandatory data breach regime is a positive move.

“It has shown that significant data breach is far more common in Australia than the previous voluntary regime revealed.”

In the context of the connected world, such breaches happen through manufacturing defects such as security or password practices, product performance or failure, etc. Privacy issues are generally a matter for the manufacturer as they are the data collector and make relevant product representations. They are responsible for product quality and performance unless integration intervenes.

“Where installers recommend the wrong device(s), install them poorly or in such a manner that a system does not
work, or does not work safely, or allows data breach, then the usual Australian consumer law provisions as to services warranties and other liabilities will apply.

“There may well be circumstances where an installer has liability for privacy breach if they have recommended a product and represented it offers certain levels of privacy which it does not. If an installer integrates products which
are not manufacturer-recommended to integrate or which otherwise work badly together or which cause damage
or security or privacy issues, then the installer is really on the front line.”

Installers, she said, should opt for privacy by default in settings, especially if consumers are consulted on their privacy preferences.

For the installer, it is a question of knowing the products and recommending the right one for the client, and not making false or overinflated representations.

“So long as installers make sensible recommendations, which do not exceed manufacturer promises, and do not install anything that (due to their failure) exposes a home to security or privacy issues, then the installer is liable for his or her work only.”

Coming back to the overarching issue of the law, Kate says she is a big fan of the GDPR law that organisations across
Europe have been getting to grips with over the past few years.

“I think it has finally pushed the United States to take privacy far more seriously, and Australia will likewise improve its privacy practices and regulation based upon EU experience.”

She points out that, quite simply, it has been open season on people’s data up to recently, with information collected off the back of so-called ‘terms’, that few ever read, and subsequently traded, combined and repurposed by any number of parties around the world, for purposes often unrelated to the original collection purpose.

“And with the rapid emergence of AI and inferential profiling, consumer data gathering is exposing all of us to potential privacy breach, identity theft, manipulative advertising and fake news, discrimination, DDOS attacks and so on.”

Consumers, she says, do not want to be tracked, profiled, recorded, manipulated and fooled, and she feels that the
GDPR has helped a lot to improve the granularity of consumer consent and to improve allowable data collection and
storage.

“The way I see it, the companies which will best succeed in the connected future are those who support a trusted IoT, which is respectful of consumer privacy and security.”

For now, however, there is work to be done to ensure that Australian privacy principles are properly complied with, and that breaches are actively pursued by the OAIC.

“I think the regulatory push for this will come from the ACCC’s digital platform inquiry which, quite rightly, identified many areas of the privacy act which need review and, in all probability, sharpening up.”