7. Legal Aspects of IoT

April 22, 2022 lectured by Işıl Selen DENEMEÇ, LL.M. and written by Dr. Merve Ayyüce KIZRAK
In our lecture, while discussing legal aspects of IoT technology, we hosted lawyer Işıl Selen Denemeç, who works as the Head of Legal Department at the Digital Transformation Office of the Presidency of Türkiye.
“If everything is connected, everything can be hacked” — Ursula von der Leyen
Connected devices and systems, data processing, and advanced analytics are growing rapidly, and they are important components of the digitization of economies, societies, and the environment. As connected devices become increasingly smart at collecting, processing, and transmitting data and triggering actions in real time, the Internet of Things (IoT) is at the heart of this digital transformation by integrating devices, data, computing power, and connectivity.
IoT technology can be used in many sectors, but the feasibility of the projects still awaits confirmation. Despite this, we actively use “smart things” that monitor our physical activities in our homes, cars, work environments, etc. We can say that there is a growing market for this technology. However, besides its expected benefits, it also brings security and privacy problems.
More than 41 billion IoT devices are expected to be launched by 2025 (International Data Corporation). This will lead to the exponential growth of data and take computing operations and data analytics to the edge.*

What is Internet of Things (IoT)?

The Internet of Things is basically the general name for the internet and the technologies that work in conjunction with each other. IoT has the ability to collect data in real time, share it with other devices or parties via the internet, and process it in environments such as the cloud. We can think of it as a data flow network that includes objects and people, from wearable technologies to home appliances to some add-ons in our vehicles.
The IoT is closely linked to the concepts of “pervasive” and “ubiquitous” computing, as it is based on the principle of comprehensive data processing through sensors designed to communicate discreetly and exchange data seamlessly.*
It works by having devices and objects with many different sensors deliver results through a platform that integrates data from the different devices and applies data processing methods such as advanced analytics and artificial intelligence. It is a highly preferred technology, especially for advice and warning systems in smart home applications. It is also highly preferred for monitoring your own and your children's health status instantly through wearable devices and for creating a more effective sports program. Smart city applications also come into our lives by providing time and cost savings. Take a look at the video below; it will give you a very quick idea of how the IoT works and where we come across it.

Ethical Controversies About IoT

There are many risks that stakeholders in IoT, their products, and services need to address. The main ones are data loss, malware infection, as well as unauthorized access to personal data, unauthorized use of wearable devices, or illegal surveillance.
Although legal and technical compliance is important, the impact and consequences on society are just as important. Observing data protection, privacy, and other ethical concerns starting from the design phase is necessary to prevent social problems.
We use many IoT applications such as wearable technologies, smart cities, and smart homes in our daily lives. We can list the main challenges regarding data privacy and data protection as follows:
  • Lack of control and information asymmetry
  • Quality of user approval
  • Inferences derived from the data and re-purpose of the original processing
  • Intervention and profiling of behavioral patterns
  • Limitations on the possibility of remaining anonymous when using the Services
  • Security risks: security and efficiency
The EU has carried out a legal framework study in this context. This study is a guide to the data protection risks that are at the core of the IoT ecosystem. The Working Group, created under the auspices of the EU, aims to ensure that the relevant stakeholders keep individual users at the center of their projects, with full control over their personal data throughout the product lifecycle. In addition, when consent is required as a basis for data processing, users must be fully informed. To this end, the Working Group offers a comprehensive set of practical recommendations to help the different stakeholders (device manufacturers, application developers, social platforms, other data buyers, data platforms, and standardization bodies) implement privacy and data.
Indeed, it is argued that empowering individuals by keeping them informed, free and safe is the key to promoting trust and innovation and thus to success in these markets.
This Working Group firmly believes that stakeholders who meet the expectations to mitigate risks will have an extremely strong competitive advantage over other players whose position is based on users' ignorance of the extent to which data is processed, shared, and locked into their ecosystems. To this end, the EU is open to cooperation with other national or international regulators and legislators on IoT.
In this context, the EU held meetings in April 2021, where they discussed the challenges and opportunities of the NGIoT & Edge Computing Strategy Forum, organized by the Commission in partnership with the EU-IoT project, based on the discussions held at the Fireside Chat event. The Forum also led to a shared strategic vision for next-generation IoT and edge computing in Europe.
It is recommended to manage all these risks and to benefit from IoT technology for the benefit of the public and the environment. It is not hard to say that in the coming years, IoT and Edge Computing will revolutionize the way products and processes are organized and monitored across strategic value chains. Along with artificial intelligence and big data, the IoT is at the center of the digitization of the world economy.

The topics that need to be examined regarding the applicability of EU laws to the processing of personal data in IoT are presented as follows:

  • Applicable laws
  • Understanding the concept of personal data
  • Identifying IoT stakeholders
    • Device manufacturers
    • Social platforms
    • Third-party app developers
    • IoT data platforms
  • Individuals as data subjects: subscribers, users, non-users
  • Disclosure of data owners' rights
In our country (Türkiye), there are principles for processing personal data enshrined in Law No. 6698 on the Protection of Personal Data. The procedures and principles regarding the processing of personal data in Article 4 of the Law are regulated in parallel with the European Convention on the Protection of Individuals against Automatic Processing of Personal Data No. 108 and the European Union Data Protection Directive No. 95/46/EC. Accordingly, the general principles listed in the Law regarding the processing of personal data are as follows:*
  • Lawfulness and fairness
  • Being accurate and kept up to date where necessary.
  • Being processed for specified, explicit and legitimate purposes.
  • Being relevant, limited and proportionate to the purposes for which they are processed.
  • Being stored for the period laid down by relevant legislation or required for the purpose for which the personal data are processed.
Principles regarding the processing of personal data should be at the core of all personal data processing activities and all personal data processing activities should be carried out in accordance with these principles.
At the end of the lecture, we discussed the benefits of IoT applications and many hacking incidents. One of them involved the capture of casino information from the aquarium sensor in Las Vegas, USA. We emphasized the importance of managing the risks posed by this controversial technology and free data flows. When we finally asked ourselves what should be done, the conclusion we reached was this: A cost-benefit analysis should be done correctly!
We will try to cover all these risks and hacking cases from a global cyber security perspective in next week's lecture.
