This report aims to take a global stocktake of how key markets deal with IoT privacy and security issues.
The IoT Alliance Australia (IoTAA) has released Good Data Practice: A Guide for Business to Consumer Internet of Things Services for Australia (Guide). The Guide offers providers of Internet of Things (IoT) services and devices a principles-driven framework for managing the data and information that flows through their products, and sets out to encourage the relationship of trust required for Business to Consumer (B2C) IoT to be accepted and ultimately succeed in Australia. The Guide arrives alongside the IoTAA’s updated version of their Internet of Things Security Guideline, which provides top-level guidance concerning the security and privacy of IoT.
Who is this update relevant to?
Providers of IoT services and devices (IoT Providers) and businesses that partner with IoT Providers or may be, or expect to be, a participant in an IoT supply chain (for example, developers of software utilised by IoT providers).
With IoT applications and services growing at exponential rates, smart homes, connected cars, wearable technology and connected health, drone delivery services, Siri, Alexa, Google Home and other consumer IoT applications are today’s new buzzwords.
Certainly, in the business-to-business (B2B) sector, IoT is generating measurable value, and businesses across many industries are already investing in IoT technology to increase productivity, improve quality and decision making, and reduce labour and production costs. By 2020, Gartner forecasts business spending on IoT hardware alone will reach $1.43 trillion.
However, it remains to be seen whether IoT in the business-to-consumer (B2C) sector has reached a tipping point and moved beyond being a “cool” factor to something that is being systematically adopted by consumers. The current reality is that many businesses remain in the early stages of determining their B2C value proposition, developing and experimenting with building end-user loyalty and data mining opportunities for suppliers. Meanwhile, on the consumer side, individuals are still asking whether self-parking and AI-driven service bookings are essential features when purchasing a new car, and if a washing machine that orders detergent is really something they want, or need.
The Aim and Scope of the Guide
Set against the need to build greater awareness and trust in IoT service and device adoption amongst consumers, IoTAA (the peak industry body for the IoT in Australia) released the Guide on 8 November 2017. The Guide aims to promote consumer and industry awareness of good business practice in the provision of IoT services and devices, with a view to anticipating and addressing possible concerns before they occur.
Notably, the Guide does not limit itself to consideration of only personal information within the IoT realm, nor does it limit its reach to IoT Providers and their direct customers. Rather, the Guide provides for:
The Guide’s intended audience is IoT Providers, and it focuses on measures that they can take to build consumer trust in, and understanding of, the safe use of IoT products and services. This includes bringing fair and appropriate considerations and recommendations to the forefront in IoT suppliers’ design of IoT products and services, the collection and use of data in the course of operating IoT devices and providing IoT services, the protection of privacy, and the secure installation and operation of IoT devices.
Promotion of Good Data Practice Principles
The Guide takes a principles-driven approach to achieving its objectives, and in doing so offers IoT providers flexibility as to the exact design and implementation of good data practice within their businesses. The following is a brief summary of the principles only, and clients are advised to read the Guide in full to appreciate the IoTAA’s recommended approach, and take full advantage of their practical advice.
Customer Data Control Principle: IoT Providers should inform consumers as to the rights of access to Relevant Information, not only by customers but also other parties, such as law enforcement agencies and regulators. Further, IoT Providers are to inform the customer as to the portability of their Relevant Information (including any limitations), and ensure that any allocation of rights (for example, concerning confidentiality and intellectual property) specified in customer terms of service comply with the Customer Empowerment Principle, particularly with respect to ensuring the customer receives plain-English explanations of their rights of access.
The Guide’s interaction with other laws/standards
The Guide is subject to the applicable privacy and consumer laws of Australia, and is intended as a supplement to those laws only. The Guide clearly indicates that it does not seek to create new legally binding commitments on IoT Providers.
Importantly, the Guide does not apply to Relevant Information that has been ‘reliably and verifiably de-identified’ through practices that are accepted as good industry practice (provided, among other things, that such information remains de-identified and is not provided to an entity that may be able to re-identify an individual). We note this as important because the successful growth of IoT services and devices will necessarily involve the creation of and interaction with inconceivable amounts of Relevant Information that will fall under this exception, and were the principles to apply in these cases there may have been a chilling effect on the growth of IoT services and devices in Australia.
The Guide acknowledges that IoT is a fluid area of development, and the IoTAA indicates that the Guide will be updated to accommodate new developments and concerns. Notwithstanding the pace of IoT’s evolution, the Guide stands as a sound foundation for IoT Providers in managing the data and information that they receive and use.
We recommend that Australian IoT Providers read the Guide closely and contrast it against their current approach to data and information management. Equally, businesses that are using, or are considering implementing, IoT services and devices should also pay close attention to the Guide, applying all due weight to the type of data and information they will provide through the relevant service or device.