BAKER BOTTS CONFIDENTIAL © Copyright Baker Botts 2016. All Rights Reserved.
IoT data protection and data security: What are the risks? Abdullah Mutawi Partner, Baker Botts LLP 17 October 2016
"You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to believe. You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes” Morpheus – The Matrix
Copyright: Warner Bros
IOT Overview
§ The term IoT was first coined in 1999, in the context of standardizing approaches to RFID tags
§ Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. These tags contain electronically stored information.
§ Sensors, microcontrollers, sensor hubs, mobile devices and other hubs take in data and compute it remotely, in the cloud, to relieve the processing required on the sensor’s application processor or the microcontroller
§ The ability for everyday devices to connect with each other and with people
§ An estimated 6.4 billion connected “things” in 2016 [1]
§ Expected to be between 30 and 50 billion by 2020
§ Estimated 6 billion sensors shipped in 2015
§ At present, most smart products are fragmented and do not work together. Data is siloed in each product’s separate app. That will change in the future as devices grow more inter-connected
§ Passive sensors collect and distribute information without the need for a person to activate the sensor each time data are processed
§ Leading sectors: comms, healthcare, pharma, energy, automotive
IOT - Overview
1. Gartner
“Things” and collected data
[Diagram labels: Data Volume; Geolocation devices; Automotive; Industrial monitoring tech; Domestic appliances; Wearable Tech; Medical Devices; Cloud infrastructure optimised for Telemetry, Big Data Analytics, Machine Learning; Bandwidth Evolution]
So what is the issue?
[Diagram labels: The “THING” collects personal / private data; Transmitted; Cloud; Processed; Analysed; Utilised]
§ Vast and exponentially increasing volumes
§ Risk of abuse - Privacy
§ Device and data vulnerability
§ What relevance do international boundaries and national laws still have?
§ What does “open” mean?
§ “Open means anyone can freely access, use, modify, and share for any purpose (subject, at most, to requirements that preserve provenance and openness).” [1]
§ What is “open data”?
§ Open data is data that can be freely used, re-used and redistributed by anyone - subject only, at most, to the requirement to attribute and sharealike. [2]
Open Data
1. opendefinition.org
2. opendatahandbook.org
Open Data Laws
§ Generally in response to advocacy for government:
  § Transparency
  § Accountability
  § Efficiency
§ Making datasets available to the public and other governmental institutions
§ National legislation, EU directives
§ UAE Data Law 2015
Global Open Data Index (Index.okfn.org)
1. Taiwan
2. United Kingdom
3. Denmark
4. Colombia
5. Finland
6. Australia
7. Uruguay
8. USA
9. Netherlands
10. Norway
Open Data Laws - Snapshot
IOT will generate huge volumes of data – but how will IOT “Open Data” be defined, regulated and policed?
1. Ubiquitous data collection
   “many, if not most, aspects of our everyday lives will leave a digital trail… a wealth of revealing information that, when patched together, will present a deeply personal and startlingly complete picture of each of us..”
2. Potential for unexpected uses of consumer data that could have adverse consequences
   “… will information flowing from [things] just swell the ocean of “big data” which could allow information to be used in ways that are inconsistent with consumers’ expectations…?”
3. Heightened Security Risks
   “Any device that is connected to the Internet is at risk of being hijacked.”
Privacy, Data Protection and IOT
1. Federal Trade Commission Chairwoman, Edith Ramirez: Privacy and IOT: Navigating Policy Issues – address to International Consumer Electronics Show, January 2015
The 3 Key Challenges [1]
Privacy & Data Protection in the UAE
'Onshore' - Federal Laws:
UAE Constitution 1971
Penal Code 1987
Telecom Law 2003
Cyber Crimes Law 2012
Labour Law 1980
Electronic Transactions and Commerce Law 2006
Medical Liability Law 2008

DIFC:
Data Protection Law 2007 (amended 2012)
Data Protection Regulations
Commissioner of Data Protection

DHC:
DHC Data Protection Regulation 2013
Central Governance Board

• Varying approaches to definition of 'Personal Data'
• No national data protection authority
• General approach is to look at the concept of 'privacy' and 'secrets' as per the Constitution
• Different entities are responsible for oversight and regulation
• Consent required (under Arts. 378, 379 Penal Code) in most cases for:
  • collection
  • processing
  • transfer
• Also:
  • Cyber Crime Law (data obtained through the Internet)
  • Telecoms Law
  • TRA Consumer Protection Regulations
EU General Data Protection Regulation
§ A significant expansion on the Data Protection Directive
§ Coming into effect in May 2018
§ GDPR is a Regulation and not a Directive
  § directly effective in EU Member States without the need for implementing legislation
§ Provides for fines of as much as €20 million or 4% of global turnover (whichever is higher) in cases of certain violations.
§ Goal of GDPR fines is that they should be "proportionate, effective and dissuasive"
§ Expansion of territorial reach is a major development:
  § GDPR will apply to data controllers and processors outside the EU whose processing activities (in relation to EU data subjects) relate to:
    § Offering of goods or services;
    § Monitoring behaviour
Panel Discussion
©Baker Botts L.L.P., 2016. Unauthorized use and/or duplication of this material without express and written permission from Baker Botts L.L.P. is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given with appropriate and specific direction to the original content.