Internet of Things – start-ups may need to ‘smart up’ when it comes to privacy compliance
The Office of the Australian Information Commissioner is encouraging businesses to adopt a ‘privacy-by-design’ approach
With the emergence of the ‘internet connected world’, increasing attention is now being paid to the potential privacy concerns associated with the Internet of Things (IoT).
On Friday, 23 September 2016, the Office of the Australian Information Commissioner released some of the results of its investigation into the IoT, which was undertaken in collaboration with 25 privacy enforcement authorities from around the world.
In Australia, the OAIC examined 45 different IoT devices, including, for example, fitness and health monitors, ‘smart’ travel locks and thermostats. The suppliers of these devices ranged from large multinational corporations to start-up businesses. The results of the OAIC’s investigation showed that for 71% of those devices, there was no privacy policy that adequately explained how personal information was managed in the course of an individual’s interactions with the device.
The OAIC is now encouraging all businesses, including start-ups, to adopt a ‘privacy-by-design’ approach. This means considering potential privacy issues from the outset of the ideas/design process. Failing to do so may result in costly and/or inconvenient privacy compliance issues later in the development lifecycle.
The OAIC has also specifically drawn the attention of start-up business owners to the fact that ‘they may be subject to the Privacy Act if they trade in personal information or deal with health information, and will definitely be covered once they reach an annual turnover of more than $3 million, and will then be required to build in privacy procedures’.
In developing an IoT privacy framework, businesses should be aware of, and carefully consider, the unique characteristics of their IoT product offering. That is, there is no ‘one-size-fits-all’ approach, and whilst issues pertaining to privacy are by no means insurmountable, it pays to give such issues the attention they deserve from the outset.
The OAIC has also indicated that they will be developing a number of resources for start-up businesses to assist them to implement best privacy practice.
Given the results of the OAIC’s investigation, we also anticipate that further regulatory attention is likely to be paid to suppliers of IoT products and solutions in the near future.
By Jack Evans
Consultant
Sydney