The Internet of Things: Implications for Consumer Privacy under Canadian Law
Much recent attention has focused on the development of what is coming to be known as the Internet of Things (IoT). New digital products and services ranging from “smart” kitchen appliances, home heating/lighting/security systems and children’s’ toys to “wearable” personal health devices are promising to bring the benefits of real time network connectivity to a range of everyday activities. In providing consumers with devices that can communicate directly with each other, end-users are promised the benefits of efficient information data collection which can result in lower energy costs, improved health monitoring, enhanced safety and a variety of other claimed benefits.
At the same time, the ability of advanced information systems to collect, store, evaluate, transmit and reuse vast amounts of data linked to the personal activities of individuals has very serious implications for security and privacy. As the range of connected consumer products
expands to include more aspects of daily life, the tension between the practical social and economic benefits of the IoT with the security and privacy related risks and problems continues to widen. And as the amount of personal information that is being collected, stored and re-used continues to grow, new questions are arising about the continued adequacy of our current laws that are intended to protect the privacy, integrity and security of personal information.
In addition to the growing threat of unauthorized intruders breaking into data systems, the ability of the legitimate custodians of that data to reuse and share personal information has serious implications for personal privacy. The types of information gathered by the emerging Internet of Things are potentially very valuable from a marketing perspective, especially with the growing ability to link and analyze vast stores of data.
This paper examines these developments through the lens of Canadian privacy law, and asks how well emerging Internet of Things fits with these laws and their underlying policies. The statutory framework for Canadian privacy laws pre-date the emergence of the Internet of Things and many settled principles are no longer well equipped to deal effectively with the quick pace of technological change. So it is important to ask not only whether current IoT practices comply with the law as it now stands, but also what changes are needed in order to better reflect the purposes and policy goals underlying PIPEDA in light of technological developments.
In order to make this assessment, the general literature on privacy and its Canadian legal framework was reviewed as were specific terms in the privacy policies and terms of service agreements that consumers are given
Our general conclusion is that Canadian privacy law is not keeping pace with the rapid changes accompanying the spread of the network technologies and the Internet of Things. Significant policy changes are therefore needed to adequately protect the privacy and security interests of Canadian consumers.