Much of the data that companies hold about their customers has to date been information they have explicitly and voluntarily provided – their name, data of birth and contact details.
But the increasing use of data collection and transmission technologies in objects means that businesses are harvesting data that goes beyond personally identifying information, and instead describes their behaviour and movements.
Nevertheless, the principle – enshrined in the European Commission’s Data Protection Directive – that data subjects have some rights in determining how data about them is used still applies. This means that many industries are now wrestling with abstract questions about who ‘owns’ the data produced by their products and services.
The classic example is smart metering. From a utility provider’s perspective, the information produced by a home smart meter is telemetry data produced by a device that it owns, which helps it analyse how its service is being used.
From the customer’s perspective, the data produced by a smart meter represents a record of their activity at home.
Furthermore, the data from the smart meter is of considerable value to the customer, potentially allowing them to analyse how they are consuming energy and possibly identifying opportunities for savings.
For Chris King, chief policy officer at eMeter, a smart meter software company recently acquired by Siemens, much of the privacy concern surrounding the devices amounts to “an abundance of caution”.
“I think there’s less risk with energy data than banking data or even cell phone usage data,” he says. “But it’s appropriate to be cautious.”
Nevertheless, he says, the energy industry is reaching a consensus that customers have the right to a degree of control over the data produced by smart meters in their homes.
Earlier this year, the UK government opened a consultation on smart meter data practices, and eMeter proposed that consumers should be able to access their data in three ways: real-time access from the meter; online access from the supplier; and the ability to authorise a third party to receive the data on their behalf – but only with their authorisation.
In the US, the government has established a standard for smart meter data access called the ‘Green Button’. This proposes that utility companies allow customers to download the data produced by the smart meter in a standard format from their websites.
The customer can use this data with various applications, King explains, including apps that calculate potential savings if they were to switch supplier or install solar panels, for example. “There’s even a Facebook game that uses Green Button data.”
King says the energy industry acknowledges the need for customers to have control. “They want to use the data, but everyone I’ve spoken to has said ‘we’re not doing anything without the customer’s explicit permission’.”
Bill of rights
The data privacy conundrum becomes even more complex when devices that collect information are connected to the Internet.
The so-called ‘Internet of things’ – in which sensors and other data-generating devices are connected to the Internet and are potentially publicly accessible – promises to test the standard definitions of, for example, data subject and data controller.
“If I have a security camera on my house that happens to be filming something that is in public space, does that data belong to the owner of the camera?” asks Usman Haque, CEO and founder of IoT data platform Cosm (formerly Pachube). “Or if somebody walks by and happens to be in the footage, do they have a right to access that data?
“The Internet of things has the capacity to blur the physical and virtual worlds,” he says. Haque and other IoT luminaries debated questions such as privacy in the Internet of things at a recent event in London. The purpose was to compile a ‘Bill of Rights for the Internet of things’, a set of agreed principles that its authors hope will influence the development and adoption of the technology.
“We all agreed that stakeholders in the data collection, who might not be the data subjects themselves, should have a role in the decision making and governance around that data,” Haque says.
This principle, he adds, is not currently upheld by existing data protection laws.
The draft document produced at the event proposed the following privacy principles: “Data subjects should have the rights: to know what data is being collected about them, by whom, and for what stated purpose; to consent to that collection; and to take such measures as are necessary to prevent the collection attempt if they do not consent to it.”
The European Commission is in the process of developing a new data protection regime that emphasises the rights of the data subject to control data held about them. But if Haque and his peers are correct in saying that Internet-connecting sensors require new, as-yet unexpressed rights for individuals, its proposed regime may already be out of date.