Data Privacy in the Era of Internet of Things

August 31, 2022


The recent past has witnessed great changes in terms of technology and digital platforms. The easy accessibility of the Internet resulted in efficient connectivity and reach, but the widespread penetration of the Internet has also posed greater concerns pertaining to the misuse of the data because of the intended free flow of data.

Countries across the world have been struggling to protect the data of their citizens from unprecedented misuse and exploitation and have drafted legislation to curb the misuse of data, thereby ensuring the implementation of data privacy measures. Through this article, we intend to briefly touch on the implications of data privacy in light of the data giant called the Internet of Things (hereinafter referred to as “IoT”).


The term IoT refers to a broad category of devices that are linked to the Internet and that gather, share, or use data. Personal wearables like watches and glasses, home appliances like televisions and sound systems, building amenities like lifts and lighting, supply chain and industrial equipment like forklifts and sprinklers, and urban infrastructure like traffic signals are all a part of IoT.

IoT devices are increasingly being used by customers, Governments, and companies worldwide, and it is widely anticipated that this trend will continue. However, solely increasing the dependency on IoT devices, without ensuring robust data privacy mechanisms, can have negative and unanticipated effects. Subsequently, the amount of data that the IoT creates will inevitably rise as well. These vast data sets may often include sensitive, private, and personal information, posing numerous privacy issues.


As the usage of IoT devices has become more widespread, consumers demand better security and privacy protections that don’t leave them vulnerable to corporate surveillance and data breaches. Before consumers can demand change, they must be informed — which requires companies to be more transparent.

Consumers are surrendering their privacy gradually, while being a part of the IoT ecosystem, even without realizing it because they are unaware of what data is being collected and how it is being used. Given the present circumstances, consumers are always looking forward to upgrading their appliances, and it does not occur to them that those new and updated devices will also be monitoring them.

Despite the growing concerns pertaining to data privacy, the majority of consumers do not read privacy policies for every device they buy or every application that they download on their personal devices. Such lack of awareness among the consumers makes the personal data of such consumers susceptible to breach and exposure.

Against the backdrop of the foregoing, it is pivotal to implement increased corporate transparency, which shall be the foundation of minimizing privacy risks in IoT. This transparency could be accomplished either by industry self-regulation or Governmental regulations requiring companies to receive informed and meaningful consent from consumers before collecting data.

Businesses can self-regulate by developing and adopting industry-wide best practices on cybersecurity and data minimization. When companies collect user data, they must take responsibility for protecting their users. The benefit of industry self-regulation is that each industry can create standards specific to the needs of its customers and the sensitivity of the data that it collects.

To ensure easy comprehension of the privacy policies, layered privacy policies should be one of the best practices adopted by many industries, and for the same, Creative Commons licenses could serve as useful models. Such licenses have a three-layer design: the “legal code” layer, the “human-readable” layer, and the “machine-readable” layer.

The “legal code” layer would be the actual policy, drafted by legal experts. The “human-readable” layer would be a concise and simplified summary of the privacy policy in plain language that a consumer could understand. The “machine-readable” layer would be the code that software, search engines, and other kinds of technology can understand, and would only allow the technology to have access to information permitted by the consumer.

These best practices would help make tremendous progress in protecting the privacy of consumers; however, they are not enough. Companies must be legally bound to the promises they make to their customers. Similarly, consumers must be aware of what data is collected and how it is used.

The Government should also introduce enforcement actions for deceptive practices against companies that do not comply with their own privacy policies, holding them accountable to their customers.


Binding security standards could allay the data protection concerns currently hampering the market, contribute to wider acceptance of IoT technologies, and give the IoT market a boost. Most companies, for instance, are not yet fully leveraging the possibilities that IoT already offers and they merely focus on optimizing existing processes and products to reduce costs. Developing new business models or services has been much less of a focus so far. The uncertainty due to a lack of IoT applications that operate reliably in compliance with data protection regulations probably plays a big role in that.

All stakeholders have the responsibility to define binding rules that can be adapted to keep pace with this rapid evolution. Without the appropriate efforts of the developers of IoT applications, a feasible and legally sound solution cannot be expected for companies. This is absolutely essential, though, for building a foundation of trust for the future.

We will have to wait till this technology reaches a more dependable stage that is driven by the entire industry because it is still in its infancy. It is important to analyse the features of the existing proprietary ecosystems to determine which ones best meet the demands of one’s company. These capabilities include their scalability and the capacity to isolate these devices on a different network (using virtual local area networks) secured by firewalls or at the very least by screening routers.


It is anticipated that the IoT will expand quickly, linking more elements of our life and obfuscating the boundaries between online and offline spaces. In the end, it’s a tool that could be advantageous to everyone. However, the development of the IoT will open up new opportunities for the collection of personal data and increase the volume of data acquired overall.

The IoT is already a significant economic factor and will be even more so in the future. For companies, investing in IoT-based projects pays off because processes can be made more efficient and customer needs can be met in a more targeted way, which in turn saves costs. Not only do the tech producers and client companies have a vested interest in promoting the IoT even further, but so do individual countries, since they also benefit from the economic potential of the use of IoT applications.

The benefits of IoT-based devices will largely depend on how this data is used. IoT devices are largely incompatible with or lack enough support for traditional methods used to preserve privacy and inform people about how their personal information is gathered, processed, and transferred.

It may be necessary to find fresh and efficient solutions that can be used with the tools and services that make up the infrastructure. To profit from the IoT, strong governance and transparency are pivotal. In today’s digital era, interoperability of IoT and data privacy is the need of the hour, and the same needs to be consciously incorporated by corporate entities and other players of the IoT ecosystem.

– Team AMLEGALS assisted by Mr. Rishav Kumar (Intern)
