A new era of privacy by design

It seems we are well on the path towards ‘privacy by design’ in some areas of technology. Take smartphone and other connected device companies that exist within a complex and competitive ecosystem. Companies at all levels of the value chain, from OEMs to downstream suppliers into the ecosystem such as chipset and software vendors, struggle to obtain and collect data on the use and implementation of their technologies in a live environment. It is technically possible to obtain information remotely about device activation. This type of data can help deliver critical competitive advantages and inform companies’ market strategies, such as their return on marketing investments and time to market information. However, if this type of data is harvested in a manner that is not legally compliant, then the methods can backfire.

It is worth examining some of the legal issues around this type of data collection activity by technology companies and how an end-user’s rights might be infringed. As an example, let’s take a downstream supplier to a connected device OEM (‘X’) who wishes to collect information on device activation and the use of its materials. The extent of X’s privacy obligations under current English law will depend on whether X is able to use the data it collects to identify the end-users of the devices or any other living individual.

Personal data is defined under the Data Protection Act 1998 as ‘data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…’ The DPA will not apply to X if it cannot identify a living person from the data collected. However, if X holds such data then the DPA will apply and with it the various obligations it imposes on data controllers – plus the spectre of fines and adverse publicity risk for X’s non-compliance.

Location, location, location-based

What about location-based privacy issues? Regulation 14 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) states that the processing of location data is permitted only if the user cannot be identified from that data; or the processing is necessary for the provision of a value-added service, with the consent of the user.

The LG case

This issue of how we consent to sharing our personal data, choices and tastes has been highlighted in the recent faux pas committed by electronics company LG. One customer revealed that his smart TV was feeding data back to LG every time he changed the channel. The connected TV was also scanning all shared files on the user’s home network and sending a running total of those back to the company as well. LG allegedly offered an opt-out of ‘Collection of watching info’ in its options menu, but apparently toggling the opt-out didn’t do anything. Furthermore, it seems that all the data was unencrypted, so anyone with access to the network could openly view the information.

This incident raises the question of whether companies in this tech space should be doing more than merely providing the option of opting out if consumers are not generally aware of the data collecting functions of the devices they purchase. Interestingly, the proposed Data Protection Regulation provides that a company’s ability to automatically profile users of its services will be limited and that such companies will require the prior explicit consent of the individual whose data they intend to process. So perhaps LG would be compelled under the new proposed regulation to have explicitly sought consent of its consumers prior to engaging in profiling.

Data democracy for the people

What if LG chose not to explicitly seek consent or has already undertaken the profiling: how does this additional right benefit the user of their services? The purchase by Google of connected home device maker Nest for $3.2bn will mean ‘infinitely more intelligent’ devices according to Google’s Executive Chairman Eric Schmidt, but at the same time it raises ever more complex questions around data use. Do we simply accept the fact that data is fast becoming a priceless commodity that cannot be regulated?

The proposed new Data Protection Regulation seeks to introduce many new areas of control, although in a spasmodic fashion. Ultimately is the EU ever going to be able to legislate to safeguard the way individuals have chosen to live their lives under the scrutiny of technology, its providers and governments? We wonder whether any type of legislation that has to continually catch up with the pace of global technology is ever going to perfectly address the question of privacy. All this strikes us as more of a moral debate than a legal one. We live in free countries: have the people spoken by virtue of their choices?

This article first appeared in the Society for Computers and Law magazine. Lillian Pang is legal director at Rackspace®, the global leader in hybrid cloud and founder of OpenStack®, the open-source operating system for the cloud. Peter Lee is senior associate in Taylor Vinters’ LLP’s commercial and technology team.