Will the European Commission avert IoT privacy risks?

IoT privacy and cybersecurity risks are real, from IoT cars running wild to hackers bringing havoc to a dissident’s home. Aphaia’s Vasiliki and Bostjan explore how proposed European Commission IoT regulation will affect your IoT business.

The Internet of Things (IoT) opens new possibilities for the manufacturing industry, enabling machines to become smarter by interacting with each other over an internet connection. This may include devices that, due to their speed, weight and other characteristics, pose a high security risk, notably connected cars. Other devices, such as those comprising a smart home, may pose a lower safety and security risk yet an equally high or higher IoT privacy risk, transmitting crucial information about their owners’ private lives.

European Commission and IoT

The European Commission has set up a platform with members from various industries, such as the energy, healthcare and car manufacturing industries, in order to promote the IoT. The next step on its agenda is the proposal for rules on cybersecurity, intended to build up the industry’s trust in the powerful internet.

These rules come as a response to the distrust of the internet and its potential hacking perils. As Thibaut Kleiner, Commissioner Oettinger’s deputy head of cabinet, articulated, “That’s really a problem in the internet of things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification.”

According to the proposal, European law is going to impose strict security standards on companies, which will undergo various certification processes ensuring IoT privacy and security. A labelling system, similar to the one used to rate devices’ energy consumption, could be suitable for cybersecurity ratings, says Kleiner.

Industry sceptical of IoT regulation

Such a scheme, which requires certification for the different components of an internet-connected device, does not look ideal to all interested parties. In fact, just as IoT privacy risks are real, so are the fears of over-regulation that could stifle innovation.

Specifically, some hardware manufacturers suggest that SIM cards, which can easily be incorporated in the machines, suffice as security guarantees. 

Is the Commission’s IoT privacy approach a correct one?

We can fully agree that SIM cards have proven to be reliable from security and privacy points of view, from omnipresent smartphones to the Commission’s own smart car initiative eCall. Moreover, too much standardisation or even mandatory certification at an early stage may stifle innovation, especially from small innovative startups. It is only the large players that can afford expensive compliance procedures, and such procedures ultimately come at the expense of the end-user.

Furthermore, it is less than clear that device or company certification can avert all the IoT privacy and security risks. As distributed cloud architectures are likely to dominate future IoT, cloud privacy and security will be a key issue.

Whereas cybersecurity solutions will largely depend on technologies such as encryption or firewalls, IoT privacy will equally depend on organisational solutions such as pseudonymisation or anonymisation of IoT devices. If you manufacture IoT devices or use them in the course of your business, Aphaia’s outsourced Data Protection Officer can help you address all actual and potential IoT privacy issues.