Sigfox, a French Internet of Things (IoT) operator, is one of the unexpected respondents to a consultation on data protection by the Telecom Regulatory Authority of India (TRAI). An open house meeting in this regard will be held on January 31 in New Delhi.
Sigfox captures ambient data in the form of personally-identifiable information. Its participation is unexpected because India does not have spectrum allocated specifically for IoT. However, given the potential for IoT in India, and the fact that IoT has been a key part of the discussions on privacy, their submission is worth looking into. Here are the broad points that Sigfox makes around privacy.
Definition of personal data and data classification
Sigfox is of the view that beyond technological innovation, the definition of personal data in non-obvious context (e.g. identifiers, names, etc.) will vary in some cases and thus, a flexible approach is needed, to allow stakeholders and consumers to negotiate the right level of data control and liability between each other. It says:
- An overall framework of data protection should differentiate Personal Data, as the data identifying individuals and requiring a specific protection for end-users, and other non-personal data that would help to grow such data market by offering new data-based services to users and end-users.
- Particularly in the IoT ecosystem, non-personal data is likely to be the sole kind of data processed. So a more flexible approach to data protection could help encourage the creation of new data based businesses.
- Sigfox points out that although there is no universal privacy or data protection law that applies across the Internet, a number of international and national privacy frameworks have largely converged to form a set of core, baseline privacy principles like the principles derived from the Organisation for Economic Cooperation and Development 2013 privacy guidelines.
Sigfox believes that there could be several economic, societal and business benefits derived from the collection and use of anonymised data. A data sandbox framework should consider data sets that can be managed by one or several regulated companies, providing hence for a more open-innovation environment that fosters technical-development.
Regulation should focus on outcomes
In this context, Sigfox supports the development of a strong technology-neutral regulation to ensure a high level of compliance complemented by effective enforcement practices. These regulations should focus on desired privacy outcomes, rather than specifying technological means to direct privacy practices.
With this regard, when mechanisms such as systematic anonymization or privacy-by-design principles are implemented to guarantee the right level of data privacy and appropriate information are provided to end-users, it should be made possible to avoid user’s consent before sharing the data for valuation purposes.
Sigfox encourages the development of global and harmonized privacy standards, both technical and regulatory. It says that initiatives towards a self-audit based mechanism run by the industry can support privacy-enhancing solutions while providing visibility to authorities and users and prevent harmful incidents.
Vidyut adds: Self-regulation does not necessarily work well in India. Customer perspective remains unrepresented and a collective of similar interests monopolizes control. A case in point being self-regulation in a largely corporate-owned media. Another could be the “Aadhaar ecosystem” where UIDAI is the only entity empowered to regulate itself and most of the businesses and key cast flourishing around Aadhaar seem to be ex-volunteers and officials in the UIDAI, which has resulted in a mushrooming cloud of serious problems.
Rights and responsibilities of data controllers
Sigfox points out that “over-regulating can create problems” It suggests:
- A multi-stakeholder framework involving designers, manufacturers, network operators, service and application providers, regulators and end users.
- The Responsibilities of the Data Controller should encompass the definition of the purpose(s) of the processing of the personal data and the information of the end user for such purposes.
- The responsibility of other stakeholders, according to Sigfox, is limited to security measures in processing personal data and the anonymization of such personal data.
- The Rights of the Data Controller may not supersede the Rights of the Data Subjects on their personal data, however, the Data Controller shall remain in capacity to provide the best service to the Data Subjects and thus be recognized to some extent a legitimate interest to process the data.
- An inclusive approach in regulating data controllers. These bodies could oversee the development of ethical practices while ensuring users are able to negotiate on an equal footing with data collectors.
Cross-border flow of information
In its reply to a question on challenges from cross-border flow of information, Sigfox points to reports which conclude that data localisation mandates do not increase commercial privacy nor data security. For example, it says, the International Trade Commission study estimated that removing foreign digital trade barriers would increase USA’s gross domestic product by $16.7 billion to $41.4 billion (0.1 to 0.3 percent) and wages by 0.7% to 1.4% in the seven digitally intensive sectors.
For India, Sigfox says that an open framework will aid in offering data-based services to multiple other countries. For instance, data hosting and data mining services could be offered from India to service providers abroad, similarly to what the software development and customer services worldwide industries are implementing by off-shoring these services.
However, Sigfox has not discussed how cybersecurity can be ensured or cyber attacks prevented in an open-access world.
Exceptions in data protection
Sigfox points to some exceptions in regulation for data protection imposed on telecommunications service providers (TSPs).
- It suggests graded regulations, with authorities having the flexibility to develop tailored decisions based on clear criterion such as data and applications’ sensitivity, the scope of the services and market maturity are appropriate tools to foster economic developments and to allow for ease of innovation.
- One exception, according to Sigfox, could be in the interest of the Data Controller of Personal Data, and other stakeholders in processing personal and non-personal data, to process such data. For instance, the need to provide the service subscribed by the data subjects or the need for technical intervention on the network to ensure the quality of the service provided to data subjects could be such a case.
- The checks and balances to be considered pertaining to law surveillance and enforcement contexts should focus on the proportionality made between the necessary protection of public order and the fundamental protection of individuals’ privacy, it suggests.
- It also points out that legal requirements should also ensure not placing an excessive burden on the stakeholders of the digital ecosystem, especially considering machine-to-machine communications which may have relative relevance for national authorities when compared to person-to-person communications.
Approach to securing digital ecosystem
Sigfox agrees with the Internet Society opinion on security requirements for the IoT in that a bottom-up approach is needed, where security issues can be addressed close to where they occur, instead of centralizing responsibility among a few.
The IoT company has advocated for “different levels of security should be implemented considering both, risk-based approaches that take into account the criticality and type of application, as well as the cost of implementation to allow for ease of innovation”.
However, Sigfox has not suggested any measure to check or monitor security in new applications and use-cases.
Adaptation of regulatory mechanisms
Sigfox points to the need for protection mechanisms of various kinds in data collection and use. It mentions protection of three kinds depending on: firstly, the kind of data protected, i.e. Personal Data or non-personal data, second, the context of the processing, like the provision of a subscribed electronic communication service; and third, the effective control of the stakeholder on such data.
On the question of compliance monitoring as well, Sigfox emphasises on multi-stakeholder collaboration, which would “protect consumers, operators, service providers, and the economy in general”.
Sigfox is of the view that centralised and mandatory monitoring solution should be avoided as much as possible, as there is a wide range of applications and new use-cases offered by internet ecosystem. It suggests monitoring to rely on “strong compliance principles enforced by efficient ex-post control policies”.
Our take: While engaging stakeholders is key in forming all-serving policies, interests of profit-driven enterprises may come in conflict with those of the consumers. Further, if monitoring solutions are not mandatory, as Sigfox suggests, enforcing them may be difficult, as non-compliance will have no legal consequences.