Consumer privacy threatened by smart devices
Smart devices at home and outdoors collecting more data than most people realise
These days, just about every business in town is touting the interlinkage of multiple devices to produce smart homes, smart lights, smart locks, smart TVs, smart cars, smart everything.
And consumers are buying into all the connectivity and convenience of the so-called Internet of Things (IoT) without really understanding how their personal confidential information is being collected and used.
Companies, keen to offer technologically innovative solutions, are tapping IoT opportunities without fully appreciating the challenges they present under the Personal Data Protection Act (PDPA).
In an IoT ecosystem, multiple devices "speak" to one another, resulting in a seamless movement of large volumes of data, often including personal data flowing across borders.
For example, the data amassed by a smart refrigerator is able to paint a profile of a family's eating habits and health quotient by monitoring their consumption patterns.
Supermarkets would love to get hold of such data to help them better maintain stock, while health insurers could use the data to design or deny products to specific individuals, or to analyse the population's health trends.
A smart door lock is able to document one's daily ins and outs, putting the person at risk to unwelcome intruders.
And then there is the smart television, which, unknown to many, is able to monitor viewing habits as well as record conversations of viewers.
Outside of the home, Big Brother is becoming pervasive.
Retailers can now tap into shoppers' mobile devices to track their activities from the moment they walk into a mall since many users leave their devices' Wi-Fi or Bluetooth features on.
So how is anyone to protect himself or herself from having voluminous personal data collected and used without his knowledge or permission?
What are the obligations of businesses to protect the privacy of customers?
There are, of course, means for customers to shut off such prying activities on their devices but many are either not technologically savvy enough to figure it out, or are simply oblivious to the privacy concerns.
The PDPA requires that an organisation obtains the consent of an individual before his or her personal data is collected, used or disclosed, unless an exception applies.
The individual must also be notified of the purpose for collecting and usage of the data.
Organisations providing IoT-enabled solutions have to comply with the PDPA's consent and purpose principles.
This is by no means straightforward - in a typical IoT ecosystem, there are multiple stakeholders, each collecting and sharing an individual's personal data. The personal data may also be transmitted across multiple connected devices, and across geographical borders.
Most organisations wrongly assume that they have fulfilled the consent and purpose principles simply by posting a privacy policy on their website.
Much more needs to be done in order to obtain an operative and compliant consent from the individual for use of his personal information.
The writer is Partner and Deputy Head, Technology, Media & Telecommunications, at Rajah and Tann Singapore.
This article, which appeared in The Business Times on Tuesday, has been edited for length.
Get The New Paper on your phone with the free TNP app. Download from the Apple App Store or Google Play Store now
