2016 October IOT & Data Protection

BAKER BOTTS CONFIDENTIAL © Copyright Baker Botts 2016. All Rights Reserved. IoT data protection and data security: What are the risks? Abdullah Mutawi Partner, Baker Botts LLP 17 October 2016

Transcript of 2016 October IOT & Data Protection


Page 2: 2016 October IOT & Data Protection


“You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to believe. You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes.” Morpheus – The Matrix

Copyright: Warner Bros

Page 3: 2016 October IOT & Data Protection


IOT Overview

•  The term IoT was first coined in 1999, in the context of standardizing approaches to RFID tags

•  Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. These tags contain electronically stored information.

•  Sensors, microcontrollers, sensor hubs, mobile devices and further hubs take in data and compute it remotely, in the cloud, to relieve the processing required on the sensor’s application processor or the microcontroller

•  The ability for everyday devices to connect with each other and with people

Page 4: 2016 October IOT & Data Protection

IOT - Overview

•  An estimated 6.4 billion connected “things” in 2016 [1]

•  Expected to be between 30 and 50 billion by 2020

•  Estimated 6 billion sensors shipped in 2015

•  At present, most smart products are fragmented and do not work together. Data is siloed in each product’s separate app. That will change in the future as devices grow more inter-connected

•  Passive sensors collect and distribute information without the need for a person to activate the sensor each time data are processed

•  Leading sectors: comms, healthcare, pharma, energy, automotive

[1]  Gartner

Page 5: 2016 October IOT & Data Protection

“Things” and collected data

[Diagram. “Things”: Geolocation devices; Automotive; Industrial monitoring tech; Domestic appliances; Wearable Tech; Medical Devices. Cloud infrastructure optimised for: Telemetry; Big Data Analytics; Machine Learning. Labels: Data Volume; Bandwidth Evolution.]

Page 6: 2016 October IOT & Data Protection

So what is the issue?

[Diagram: The “THING” collects personal / private data, which is Transmitted, Processed (Cloud), Analysed and Utilised.]

•  Vast and exponentially increasing volumes

•  Risk of abuse - Privacy

•  Device and data vulnerability

•  What relevance do international boundaries and national laws still have?

Page 7: 2016 October IOT & Data Protection

Open Data

•  What does “open” mean?

•  “Open means anyone can freely access, use, modify, and share for any purpose (subject, at most, to requirements that preserve provenance and openness).” [1]

•  What is “open data”?

•  Open data is data that can be freely used, re-used and redistributed by anyone - subject only, at most, to the requirement to attribute and sharealike. [2]

[1]  opendefinition.org

[2]  opendatahandbook.org

Page 8: 2016 October IOT & Data Protection

Open Data Laws - Snapshot

Open Data Laws

•  Generally in response to advocacy for government:

   •  Transparency

   •  Accountability

   •  Efficiency

•  Making datasets available to the public and other governmental institutions

•  National legislation, EU directives

•  UAE Data Law 2015

Global Open Data Index (Index.okfn.org)

1.  Taiwan

2.  United Kingdom

3.  Denmark

4.  Colombia

5.  Finland

6.  Australia

7.  Uruguay

8.  USA

9.  Netherlands

10.  Norway

IOT will generate huge volumes of data – but how will IOT “Open Data” be defined, regulated and policed?

Page 9: 2016 October IOT & Data Protection

Privacy, Data Protection and IOT

The 3 Key Challenges [1]

1.  Ubiquitous data collection: “many, if not most, aspects of our everyday lives will leave a digital trail… a wealth of revealing information that, when patched together, will present a deeply personal and startlingly complete picture of each of us..”

2.  Potential for unexpected uses of consumer data that could have adverse consequences: “… will information flowing from [things] just swell the ocean of “big data” which could allow information to be used in ways that are inconsistent with consumers’ expectations…?”

3.  Heightened Security Risks: “Any device that is connected to the Internet is at risk of being hijacked.”

[1]  Federal Trade Commission Chairwoman, Edith Ramirez: Privacy and IOT: Navigating Policy Issues – address to International Consumer Electronics Show, January 2015

Page 10: 2016 October IOT & Data Protection

Privacy & Data Protection in the UAE

'Onshore' - Federal Laws

•  UAE Constitution 1971

•  Penal Code 1987

•  Telecom Law 2003

•  Cyber Crimes Law 2012

•  Labour Law 1980

•  Electronic Transactions and Commerce Law 2006

•  Medical Liability Law 2008

DIFC

•  Data Protection Law 2007 (amended 2012)

•  Data Protection Regulations

•  Commissioner of Data Protection

DHC

•  DHC Data Protection Regulation 2013

•  Central Governance Board

Key points

•  Varying approaches to definition of 'Personal Data'

•  No national data protection authority

•  General approach is to look at the concept of 'privacy' and 'secrets' as per the Constitution

•  Different entities are responsible for oversight and regulation

•  Consent required (under Arts. 378, 379 Penal Code) in most cases for:

   •  collection

   •  processing

   •  transfer

•  Also:

   •  Cyber Crime Law (data obtained through the Internet)

   •  Telecoms Law

   •  TRA Consumer Protection Regulations

Page 11: 2016 October IOT & Data Protection

EU General Data Protection Regulation

•  A significant expansion on the Data Protection Directive

•  Coming into effect in May 2018

•  GDPR is a Regulation and not a Directive

   •  directly effective in EU Member States without the need for implementing legislation

•  Provides for fines of as much as €20 million or 4% of global turnover (whichever is higher) in cases of certain violations.

•  Goal of GDPR fines is that they should be "proportionate, effective and dissuasive"

•  Expansion of territorial reach is a major development:

   •  GDPR will apply to data controllers and processors outside the EU whose processing activities (in relation to EU data subjects) relate to:

      •  Offering of goods or services;

      •  Monitoring behaviour

Page 12: 2016 October IOT & Data Protection


Panel Discussion

Page 13: 2016 October IOT & Data Protection


©Baker Botts L.L.P., 2016. Unauthorized use and/or duplication of this material without express and written permission from Baker Botts L.L.P. is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given with appropriate and specific direction to the original content.