OPINION

How safe is your personal data collected by your smart devices?

IoT ecosystem involves multiple parties in multiple jurisdictions in multiple countries

Most organisations wrongly assume they have a green light and they have complied with the rules on how personal data is collected, used or disclosed simply by posting a privacy policy on their website.

THESE days, just about every business in town is touting the interlinkage of multiple devices to produce smart homes, smart lights, smart locks, smart TVs, smart cars, smart everything.

And consumers are buying into all the connectivity and convenience of the so-called Internet of Things (IoT) without really understanding how their personal confidential information is being collected and used, while companies, keen to offer technologically innovative solutions, are tapping IoT opportunities without fully appreciating the challenges they present under the Personal Data Protection Act (PDPA).

In an IoT ecosystem, multiple devices "speak" to one another, resulting in a seamless movement of large volumes of data, often including personal data and often flowing across borders.

For example, the data amassed by a smart refrigerator is able to paint a profile of a family's eating habits and health quotient by monitoring their consumption patterns. Supermarkets would love to get hold of such data to help them better maintain stocks, while health insurers could use the data to design or deny products to specific individuals, or to analyse the population's health trends.

A smart door lock is able to document one's daily ins and outs, putting the person at risk from unwelcome intruders. And then there is the smart television, which, unknown to many, is able to monitor viewing habits as well as record conversations of viewers.

Outside of the home, Big Brother is becoming as pervasive. Retailers can now tap into shoppers' mobile devices to track their activities from the moment they walk into a mall since many users leave their devices' Wi-Fi or Bluetooth features on. The data harvested can inform on shopping patterns such as the average time spent in the shop, ratio of shoppers that convert browsing into purchases, as well as pinpoint which particular sections of the store aren't doing as well.

So how is anyone to protect himself or herself from having voluminous personal data collected and used without his or her knowledge or permission? What are the obligations of businesses to protect the privacy of customers?

There are, of course, means for customers to shut off such prying activities on their devices, but many are either not technologically savvy enough to figure it out, or are simply oblivious to the privacy concerns.

The PDPA requires that an organisation obtain the consent of an individual before his or her personal data is collected, used or disclosed, unless an exception applies. The individual must also be notified of the purpose for the collection and use of the data.

Organisations providing IoT-enabled solutions have to comply with the PDPA's consent and purpose principles. This is by no means straightforward - in a typical IoT ecosystem, there are multiple stakeholders, each collecting and sharing an individual's personal data. The personal data may also be transmitted across multiple connected devices, and across geographical borders.

The IoT stakeholders of a smart home may include the telecoms companies that provide the Internet connectivity; the smart device or equipment manufacturers and retailers; the systems integrator of the smart home that puts in place the connectivity of each of the devices or equipment; the vendors of the mobile apps that allow the house occupant to communicate with and control the devices through his mobile phone; and the operators/owners of data centres where the data is stored.

Several traits of an IoT ecosystem need to be borne in mind by organisations in their zeal to commercialise IoT solutions, lest they fall foul of data protection law. These include the fact that the stakeholders in an IoT ecosystem are typically sited in various jurisdictions; personal information of individuals in the ecosystem will flow between the stakeholders; the stakeholders are typically sited in multiple countries around the world; the data subject whose personal information is collected likely interacts (if at all) with only one stakeholder and not all of them in the ecosystem; and each stakeholder would want to get his hands on the personal information collected through the ecosystem and to commercially exploit the same.

But which stakeholder within the web of stakeholders has the primary responsibility to obtain the necessary consent under the PDPA?

A public Consultation Paper issued in July 2017 seeks to tackle some of these issues. A proposed change envisages that an organisation may collect, use and disclose an individual's personal data without the need for consent by relying on alternative bases of processing of (a) notification of purposes; or (b) legal or business purpose, subject to certain conditions being met.

These alternative bases for processing conveniently plug the situation where the IoT device or equipment in question does not permit a human interface. However, it is important for an organisation seeking to rely on such alternative bases to ensure it does meet the conditions required, some of which could be amorphous and uncertain (depending on how such conditions are eventually drafted in the amendment Bill).

For any organisation to provide an "IoT-enabled" solution to consumers, it needs to identify all the stakeholders that participate in the IoT ecosystem, and consider how personal data flows between the stakeholders and the purposes for which each stakeholder would be processing such personal data. It must also consider how to go about obtaining consent, and thereafter work it into an interface with the customer where the customer's consent can be obtained.

Most organisations wrongly assume that they have fulfilled the consent and purpose principles simply by posting a privacy policy on their website. Much more needs to be done in order to obtain an operative and compliant consent from the individual for use of his personal information.

This is no small task. And much thought needs to go into considering how it can actually be effected. Organisations will be expected to account to the data protection regulator on whether they have appropriately considered all data protection obligations imposed by the PDPA in their deployment of their IoT solutions - essentially showing to the regulator that such organisations practise privacy by design.

  • The writer is Partner and Deputy Head, Technology, Media & Telecommunications, at Rajah and Tann Singapore LLP