Navigating An Internet of Things Legal Minefield

The Internet of Things (IoT) has shifted to a center stage topic over the past year, delivering tangible benefits that are impacting both personal and business lives. IoT ruled the agenda at the International Consumer Electronic Show (CES) in January, and was a focal point at the recent Word Economic Forum (WEF) and  I fully expect it to dominate the technology landscape for the rest of 2015 and beyond.

The related interest in big data is understandable as businesses find new ways to leverage data for improved operating efficiencies and revenue uplift. However, we’ve only begun to scratch the surface, as there are infinite possibilities to harness data for competitive advantage, improved productivity and value creation. With a myriad of devices interconnected through the Internet, and the right analytics framework in place, IoT has the potential to change the way we live our lives, both personally and professionally, at the speed of light. There are many challenges, however, that need to be overcome before the full potential of this technology is realized.  

The explosion in connected devices is driving a big data boom, with countless sensors feeding a constant stream of data around the world. This tsunami of data will not only enable the devices themselves to become smarter, but it will create unlimited opportunities for organizations to make more intelligent decisions. There are a number of considerations, however, that should be taken into account before organizations begin to process, transfer and analyze this type of data.

Internet of Things and Data Privacy

Data privacy is one such concern. Conceptually, the Internet of Things should reach its theoretical limits when it encroaches on the data privacy rights of individual data subjects. While data privacy has long been a focal point for discussions here, many organizations fail to appreciate its legal implications. Assembling random information that may appear innocuous at first glance, can, for example, violate the privacy rights of individuals under the laws of various countries, most prominently the EU Data Protection Directive (95/46/EC). 

This article explores how big data and the rights of data subjects can coexist. With the help of Amor Esteban, an attorney who helps companies navigate these murky and often dangerous waters, we explore the balance that may be struck between a company’s legitimate business interests and respect for the individual’s right to data privacy. About seven years ago, Esteban helped to start The Sedona Conference Working Group 6 focusing on data privacy and the cross-border exchange of data. He currently chairs that group and is editor in chief of its The Sedona Conference International Principles on Discovery, Disclosure & Data Protection: Best Practices, Recommendations & Principles for Addressing the Preservation & Discovery of Protected Data in U.S. Litigation. Together we will delve a little deeper into the development of IoT, the role of analytics in a complex IoT environment and what companies should be considering before embarking on a project.

Tapping Into the IoT Data Boom

As big data transitions from hype to reality, the Internet of Things has taken its place as the new kid on the block, promising to revolutionize the world. However, both are still very new technologies and we are only just scratching the surface of what they can deliver. The next big frontier will be when we effectively combine the two; by enriching analytics with sensor information to gain an even more fine-grained view of business processes, giving enterprises greater insight into their organizations than ever before.

However, monetization is still a challenge, a problem we saw previously with the dot-com boom. In the early 2000s many Internet sites had huge followers, but companies did not know how to convert that traffic into revenue. Until, that is, Google and Yahoo promoted the pay-per-click advertising model, helping the Internet business to create a successful business model. Currently, we are seeing a similar issue with big data and IoT. We know that IoT has the potential to deliver significant value, but monetization challenges exist due to lack of standards, security and privacy concerns, and the need to invest in technologies that deliver new capabilities.

Another challenge companies face is to understand how they can treat and use the collected analytics in ways to benefit the company. The data regulation landscape is continuously evolving, with regulations varying from country to country. Public emotions are running high around how their personal data is being used by companies -- and international companies are aware of the reputational damage that could result from a misjudged use of personal data. For example, Target’s use of analytics to identify new mothers resulted in the retailer notifying a teenager’s parents of an unplanned pregnancy -- and triggered a PR nightmare. As a result, organizations are cautious about pushing the boundaries too far. IoT complicates this environment further.

Two key questions: What are the legal implications of using data across international boundaries and what value can analytics deliver in this complex environment? 

Leveraging Analytics As Data Privacy Lines Get Blurred 

With the rise of IoT comes a labyrinth of networks that allow for data to be collected in one country, transported by a network operator from another country, and possibly processed and stored in a data center in yet third country. IoT data, which originates from machines and sensors, can quickly translate into personal data that is subject to data protection laws, like those that protect data privacy and trade secrets. 

Consider these examples from the agriculture industry: Tractors have telemetry devices to report engine health and location, the seeders report the seed type and seeding pattern, and soil sensors report moisture content.  This IoT data allows the farmer to maximize crop yield, minimize environmental impact and reduce operating costs. When analyzed another way however, that IoT data provides a very human and specific picture of the farmer, including his/her land specifications, tractor models, fuel consumption, the times in which the seeds are planted, what strain of seed is used, and the moisture content level of the fields in comparison to adjacent fields. The insights are valuable because the data can be used to enable a more precise agriculture farming practices and highly personalized applications. The data can also be used to identify a farmer’s unique trade secrets and routine. 

Thus, as businesses move towards a more complex IoT environment, it will be critical to put the right analytics framework in place while having an expert understanding of the potential conflict between International and US data processing and cross-border transfer laws. 

The Legal Landscape: Transferring and Processing Data

Speaking with legal expert Amor Esteban, it is clear that organizations have a big challenge ahead of them when it comes to sharing and analyzing data on a global scale: “The major challenge in harnessing Big Data globally are the obstacles faced when seeking to comply with data protection laws. My approach is the development of a methodology by which to map out the conflicting elements and to harmonize them as best as possible. This process starts by understanding what the client is seeking to achieve (e.g., compliance with US discovery requirements, merger and acquisition due diligence document review, or internal analytical use). Next is the identification of potentially applicable data protection laws. I take into consideration the recognized exceptions to those laws (i.e., the derogations in the EU Data Privacy Directive) and we identify judicial or regulator opinions that provide context to the data protection laws under consideration. The development of the “legitimization plan” comes from these and similar factors. The legitimization plan implements processes, procedures and guidelines within the corporation intended to demonstrate compliance with the data protection laws while, simultaneously, creating avenues by which the company’s objectives can be satisfied.  ”

My philosophy is that, by the legitimization plan approach, we can demonstrate to regulators and data protection authorities that the company has made honest and good faith efforts to comply with the data protection laws and should not be penalized for having to comply with other requirements (e.g., US discovery) that cannot always be completely harmonized.

The legitimization process should consider the data protection laws of each country where the company plans to collect the information for analytics. In the UK for example, the courts have expressed a narrow interpretation as to what constitutes personal information and the circumstances in which personal data will be protected.[1]  Other member states, like Spain, take a broad view of the scope of personal information. Accordingly, steps that a party must take to legitimize the process and transfer of personal data under Spanish authority may not have to be taken to legitimize the process and transfer of personal data in the UK. 

Similarly, data protection laws in those countries outside of the EU can be significantly different.  For example, in Canada, an employee's name, title, business address or telephone number is not protected information nor is employee information in the possession of the employer.[2]  On the other hand, Canada has blocking statutes that severely restricts US extraterritorial discovery for purposes of litigation.[3]  A Canada-specific legitimization plan is the most likely means to avoid violating Canada’s data privacy law and blocking statutes while that plan may will not work in, say, Japan, which has entirely different data protection laws.  

It would be prudent, accordingly, to have a different approach to data and document sharing in Canada than the approach in the EU; and it would be equally prudent to have differing legitimization plans as between EU member states. There is no silver bullet here. 


There is a potential lock up in the data set to be created by IoT, but those looking to tap into it will need to take a very considered and informed approach. This will mean not only putting in systems to handle the immense task of crunching all the data and harnessing the valuable insights within it; companies will need to make sure that they are able to use the data in such a way that it does not infringe on global legislation. In the next 12 months, the industry has a big task ahead of it -- as it works to make data usable, but legal in a fast, seamless and effective way. Importantly, as discussed by Amor, wherever data is harvested, however it is processed and to which country it is sent all require and understanding of and compliance with the data protection laws of the affected countries. 

[1] Durant v Financial Services Authority [2003] (commonly seen as restricting the definition of ‘‘personal data’’ to the benefit of data controllers, leading to criticism from EU data protection authorities that the law in the UK does not comply with the EU Data Protection Directive).

[2] Office of the Privacy Commissioner of Canada at

[3] (1980); (1977).


For reprint and licensing requests for this article, click here.