May 6, 2018

Who is setting the IoT agenda?

Several weeks ago, I was in a briefing call with a panelist who was preparing for an event on privacy and security challenges in the IoT market. This was in the context of possible guidelines emanating from the US government.

There was the usual discussion about the pros and cons of light-touch and self-regulatory approaches, in keeping with the conditions that fostered innovation and investment in the Internet.

However, the world has moved on since the late 90s; it is worth spending time to reflect on today's conditions and what new approaches are warranted. And to what extent will US agencies set the future direction?

The Internet is deeply integrated in our everyday lives, and the proliferation of IoT sensors and devices will only increase this level of integration and dependency. The security guru, Bruce Schneier, has pointed out that IoT security is too important an issue to be left to market forces and that the necessary precautions will only be met by a regulatory approach [1]. His might not be a lone voice. In the case of the much younger Bitcoin technology, for example, it is interesting to note that private-sector players are themselves calling for regulation as a necessary condition for establishing a nascent market [2].

Going down the regulatory path, the issue then becomes one of who sets the regulatory rules. With the IoT being a global phenomenon, there is no guarantee of US leadership. Discussions in Washington D.C. might placate local firms. They risk missing the bigger picture of what is happening on the international playing field. Consider how the market for personal data is changing as firms adjust to the EU's GDPR initiative. GDPR (the General Data Protection Regulation) gives individuals significant new rights over how their personal data is collected.

In an innovative twist, GDPR applies to individuals (data subjects) in the EU; it applies to any service provider and not just those domiciled in the EU. In the industry, it is not uncommon to hear it referred to as the Global Data Protection Regulation. For evidence of GDPR's global impact, take a look at PayPal's recent disclosure of how it shares personal data with its network of 600 business partners [3]. Here is the same data in a more easily digestible format [4].

Having in effect set the global agenda for personal data, the EU's next step will most likely progress to rules for IoT and mixed-data assets.

In another example and at a local level, Uber is succumbing to regulatory pressure in the UK. In order to demonstrate its fitness to operate, Uber is offering to release proprietary data to help with transportation infrastructure planning. Through this gesture, Uber wants to show that it can be a better partner to the City of London [5].

These developments show that regulatory institutions can and will play a greater part in the IoT and new Internet-enabled service sectors. Innovators and investors in emerging sectors such as autonomous vehicles and data brokering, to pick two examples, should factor a pro-regulatory element into their strategies. This means engaging with the appropriate institutions and designing products/services with suitable monitoring and audit-reporting capabilities.

Strategically, it is no longer tenable to tell government, for example, to get out of the way and stop interfering with innovation.

[1] Security and the Internet of Things

[2] Winklevoss twins pitch plan to regulate digital money

[3] List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared

[4] How PayPal shares your data

[5] Uber offers to share journey data with London city planners

IMAGE CREDITS: Victoria Heath via 


  1. 15 May 2018 update

    ETSI Summit round up on Data Protection and Privacy - see links for presentations.

  2. 29 June 2018

    "Unless America steps up with its own rules, GDPR will become the global norm", says Suzan DelBene, Democratic member of the US House of Representatives.

  3. 29 July 2018 update

    Standardisation of blockchain technologies and distributed ledger technologies.

  4. 3 Sep 2018 update

    UK media and telco industries demand more red tape for social media content

  5. 24 October 2018 update

    Apple and Facebook call for EU-style privacy laws in US

    One interesting question is whether it will be a copy-and-paste approach.