
Legal Ramifications with Internet of Things

January 8, 2021   Philip Evangelou and Phillip Salakas

Put simply, the Internet of Things or 'IoT' refers to electronic devices connected to the internet which collect data and transmit it.

Australia has been quick to embrace the IoT industry and its devices in both personal and commercial settings. The industry is important because an IoT device allows data to flow over a network, often a wireless one, without human interaction.

However, there are still a number of legal ramifications which affect the IoT space. Regulators are particularly concerned with how IoT companies use, store and secure users' personal information.

Cyber Security and Privacy Concerns 

Internet-connected IoT devices can act as gateways for online criminals to obtain personal information. Questions about security and privacy in the IoT industry have therefore come up in recent times.

Cybersecurity is therefore a key point of concern for IoT service providers and device manufacturers. All IoT companies, whether operating in a commercial or a consumer setting, have an obligation to keep their consumers' data and personal information safe.

The Australian Code of Practice: Securing the Internet of Things for Consumers sets a minimum standard for the IoT industry. The Code applies to service providers, device manufacturers and mobile application developers. It sets out how individual data should be stored, when it can be collected and how it is to be secured, and it is intended to keep IoT service providers in line with the Australian Privacy Act 1988.

Below are a few guiding principles taken from the Australian Code of Practice, showing how to ensure your IoT device has the correct cybersecurity features.

No Duplicated Default or Weak Passwords

Device manufacturers in particular need to ensure that user passwords are unique to each device and infeasible to guess, rather than a shared factory default. They must also ensure that associated web services use multi-factor authentication and do not disclose unnecessary user information before the user has authenticated.

Any password reset process should also properly authenticate the user, so that the reset path cannot be used to take over an account.

Securely Store Credentials

It is important for device manufacturers, IoT service providers and mobile application developers that any credentials are stored securely. Device manufacturers have a legal responsibility to ensure that a user's personal information is safe from online criminals.
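The two principles above, unique unguessable per-device passwords and secure credential storage, can be implemented together in a manufacturer's provisioning tooling. The following Python block is an added example written for this article; it is not code from the article or from the Code of Practice. It generates a fresh password per device from a cryptographically secure random source, rejects anything on a (constructed, illustrative) blocklist of well-known factory defaults or anything containing the device serial, and stores only a salted scrypt hash so the plaintext never sits in the credential database. The function names, the blocklist and the sample serial numbers are all assumptions made for illustration.

```python
"""Per-device credential provisioning and storage (added example).

Demonstrates: no duplicated default or weak passwords, and secure credential
storage. Names, blocklist and serial numbers are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict, Iterable, Optional, Tuple

# Constructed blocklist of common factory defaults; a real deployment would
# use a larger, maintained list (e.g. leaked-credential corpora).
KNOWN_DEFAULTS = {"admin", "password", "123456", "12345678", "root", "1234", "default"}

ALPHABET = string.ascii_letters + string.digits
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def generate_device_password(length: int = 16) -> str:
    """Return a password drawn from a CSPRNG, unique per call, not a shared default."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_weak_password(password: str, device_id: Optional[str] = None) -> bool:
    """Reject short, blocklisted, or device-identifier-derived passwords."""
    if len(password) < 12:
        return True
    if password.lower() in KNOWN_DEFAULTS:
        return True
    # A password printed on the label must not be guessable from the serial.
    if device_id and device_id.lower() in password.lower():
        return True
    return False


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'salt_hex$digest_hex'; the plaintext is never written to the database."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def provision_devices(device_ids: Iterable[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Give each device its own password.

    Returns (credential_db, label_sheet): the database holds only hashes, the
    label sheet holds the plaintexts that go onto each device's sticker and is
    discarded after printing.
    """
    credential_db: Dict[str, str] = {}
    label_sheet: Dict[str, str] = {}
    for dev in device_ids:
        pw = generate_device_password()
        while is_weak_password(pw, dev):  # defensive; a 16-char CSPRNG string is never weak here
            pw = generate_device_password()
        credential_db[dev] = hash_password(pw)
        label_sheet[dev] = pw
    return credential_db, label_sheet


if __name__ == "__main__":
    db, labels = provision_devices(["SN-0001", "SN-0002"])  # constructed serials
    for dev, stored in db.items():
        print(dev, "stored:", stored[:24] + "...", "verifies:", verify_password(labels[dev], stored))
```

The design choice worth noting is the split between `credential_db` and `label_sheet`: the only place the plaintext exists is the print run for the device sticker, and a compromise of the backend database yields salted scrypt hashes rather than reusable passwords.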

Ensure that Personal Data is Safe 

It is vital for all IoT companies that handle data to provide consumers with clear information on what is being done with their data. This transparency is what the industry has lacked in the past, and its absence is what prompted government regulation to intervene.

Where devices and/or service providers process personal data, they must do so in accordance with data protection law, e.g. the Privacy Act 1988 and the Australian Privacy Principles.

Personal data should therefore only be collected if it is necessary for the operation of the device. Encryption meeting the industry standards set out in the Australian Government Information Security Manual should be applied to personal data both in transit and at rest in order to properly secure it.

Deleting Personal Data

Devices should be set up so that it is easy and accessible for a user to remove their data. This option should be available when a device changes ownership, when the consumer wishes to delete the data, and when the device is disposed of.

Legal Ownership of Data

Data ownership issues arise when consumer data is collected by manufacturers without the purchaser's knowledge.

Recently there has been much debate over data ownership within the IoT industry. The general position is that whoever owns the device owns the data that is on it. However, in relation to consumer IoT devices, users sometimes agree to hand their data back to manufacturers.

For manufacturers, this becomes a breach of privacy when a user's data can be traced back to them. In other words, data needs to be anonymised before it can be collected and/or stored.

If you would like to speak with our technology lawyers, just contact us via 1300 337 997 or by filling out the contact form.

About Philip Evangelou

Phil is a director at OpenLegal. He has over 16 years' experience working in private practice and as in-house counsel in Sydney and London, giving him expertise in employment law, IP, finance, leases, dispute resolution, insurance and contracts.

About Phillip Salakas

Phillip is completing his law degree at the University of Technology Sydney. He previously worked with Lawpath and Justice Action. His interests are in construction and technology law.