Sometimes Europe follows the lead of the U.S. but, in matters of privacy and cybersecurity, it’s usually the other way around. Following pronouncements during the summer by Federal trade Commission Chairwoman (“FTC”) Edith Ramirez on security and privacy concerns as devices connected to the Internet (including cars, microwave ovens, thermostats and baby monitors) proliferate, the Federal Trade Commission has issued a Staff Report that raises many of the same concerns voiced months ago by the European Commission Article 29 Working Party of Data Protection. Those concerns are data security and privacy, data minimization, notice of privacy and security protections and consumer choice with regard to those protections.
Casting the Staff Report, which may be seen as a precursor to enhanced enforcement of existing regulations or issuance of new regulations as a marketing benefit for the industry Chairwoman Ramirez said, in a statement reported by The New York Times, “Many of us are using these devices,” but “if consumers feel that their information isn’t being protected, they won’t have the confidence level to embrace them.”
The Staff Report (available here) on connected devices, often called the “Internet of Things” or (“IoT”), states that the Commission, at least for the moment, “encourages companies” to “build security into their devices, rather than as an afterthought,” by such processes as risk assessments, testing data retained and collected and taking steps to minimize that data.
The FTC has exercised enforcement jurisdiction in the IoT and this Report indicates that it may be prepared to expand such activity. In 2014, the FTC settled a complaint involving a child monitor whose security settings permitted anyone with the camera’s Internet address to view the house in which it was operating and any children inside (available here).
The Report echoes some of the European Commission’s concerns by encouraging IoT manufacturers to provide notice to consumers as to how data from the devices as collected, stored and disclosed, and to provide consumers choices as to how their data is managed.
As proposals for new legislation by Congress in the areas of privacy and cybersecurity are stalled, the FTC seeks to fill the vacuum by enforcement of existing regulations (deceptive trade practices proceedings where privacy and security practices don’t live up to published policies) and reports that may be the forerunner of new regulations.
If you have questions regarding security and privacy for connected devices, or best practices for the IoT industry, please contact Kenneth N. Rashbaum.