May 6, 2018

Who is setting the IoT agenda?

Several weeks ago, I was in a briefing call with a panelist who was preparing for an event on privacy and security challenges in the IoT market. This was in the context of possible guidelines emanating from the US government.

There was the usual discussion about the pros and cons of light-touch and self-regulatory approaches, in keeping with the conditions that fostered innovation and investment in the Internet.

However, the world has moved on since the late-90s; it is worth spending time to reflect on today's conditions and what new approaches are warranted. And, to what extent will US agencies set the future direction?

The Internet is deeply integrated in our everyday lives. And, the proliferation of IoT sensors and devices will only increase this level of integration and dependency. The security guru, Bruce Schneier, has pointed out that IoT security is too important an issue to be left to market forces and that the necessary precautions will only be met by a regulatory approach [1]. His might not be a lone voice. In the case of the much younger Bitcoin technology, for example, it is interesting to note the desire for private-sector players to call for regulation as a necessary condition for establishing a nascent market [2].

Going down the regulatory path, the issue then becomes one of who sets the regulatory rules. With the IoT being a global phenomenon, there is no guarantee of US leadership. Discussions in Washington D.C. might placate local firms. They risk missing the bigger picture of what is happening on the international playing field. Consider how the market for personal data is changing as firms adjust to the EU's GDPR initiative. GDPR (the General Data Protection Regulation) gives individuals significant new rights over how their personal data is collected.

In an innovative twist, GDPR applies to individuals (data-subjects) in the EU; it applies to any service provider and not just those domiciled in the EU. In the industry, it is not uncommon to hear of it referred to as the Global Data Protection Regulation. For evidence of GDPR's global impact, take a look at PayPal's recent disclosure of how it shares personal data with its network of 600 business partners [3]. Here is the same data in a more easily digestible format [4].

Having in effect set the global agenda for personal data, the EU's next step will most likely progress to rules for IoT and mixed-data assets.

In another example and at a local level, Uber is succumbing to regulatory pressure in the UK. In order to demonstrate its fitness to operate, Uber is offering to release proprietary data to help with transportation infrastructure planning. Through this gesture, Uber wants to show that it can be a better partner to the City of London [5].

These developments show that regulatory institutions can and will play a greater part in the IoT and new Internet-enabled service sectors. Innovators and investors in emerging sectors such as autonomous vehicles and data brokering, to pick two examples, should factor a pro-regulatory element into their strategies. This means engaging with the appropriate institutions and designing products/services with suitable monitoring and audit-reporting capabilities.

Strategically, it is no longer tenable to tell government, for example, to get out of the way and stop interfering with innovation.

[1] Security and the Internet of Things -

[2] Winklevoss twins pitch plan to regulate digital money

[3] List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared

[4] How PayPal shares your data -

[5] Uber offers to share journey data with London city planners -

IMAGE CREDITS: Victoria Heath via 


  1. 15 May 2018 update

    ETSI Summit round up on Data Protection and Privacy - see links for presentations.

  2. 29 June 2018

    "Unless America steps up with its own rules, GDPR will become the global norm", says Suzan Delbene, Democratic member of the US House of Representatives

  3. 29 July 2018 update

    Standardisation of blockchain technologies and distributed ledger technologies.

  4. 3 Sep 2018 update

    UK media and telco industries demand more red tape for social media content

  5. 24 October 2018 update

    Apple and Facebook call for EU-style privacy laws in US

    One interesting question is whether it will be a copy-and-paste approach.

  6. 20 Nov 2018 update

    Food companies fail to agree on new nutrition label in Europe

    Please use the sharing tools found via the share button at the top or side of articles. Copying articles to share with others is a breach of T&Cs and Copyright Policy. Email to buy additional rights. Subscribers may share up to 10 or 20 articles per month using the gift article service. More information can be found at

    But after trials in several countries and consultation with academics and consumer groups, the companies could not gain consensus around the new portion-based, colour-based scheme, said Bart Vandewaetere, a Nestlé government affairs executive.

    “Colour coding of food labels is very controversial in continental Europe,” said Mr Vandewaetere. “We need leadership from the European Commission to come up with a common approach.”

  7. 31 Dec 2018 update

    The data economy is global, and EU legislation should provide a regulatory environment that enables European operators to harness the full potential of data to compete globally.

  8. 1 April 2019 update, not an April's Fool joke

    Facebook founder and CEO Mark Zuckerberg has governments and regulators to play a more active role in developing new rules for the internet.

  9. 2 April 2019 update

    The extract below illustrates the importance of an open governance framework.

    In selecting James, Google is making clear that its version of “ethics” values proximity to power over the wellbeing of trans people, other LGBTQ people, and immigrants. Such a position directly contravenes Google’s stated values.

  10. 24 April 2019 update

    Speaking at an event organised by Time magazine, Cook said “We all have to be intellectually honest, and we have to admit that what we’re doing isn’t working. Technology needs to be regulated. There are now too many examples where the no rails have resulted in a great damage to society.”

  11. 25 September 2019 update

    via Benedict Evans

    "there is a tendency to frame this conversation in terms of the Chinese government and the US constitution. But no-one outside the USA knows or cares what the US constitution says, and Megvii already provides its ‘smart city IoT’ products to customers in 15 countries outside China. The really interesting question here, which I think goes far beyond face recognition to many other parts of the internet, is the degree to which on one hand what one might call the ‘EU Model’ of privacy and regulation of tech spreads, and indeed (as with GDPR) is imposed on US companies, and on the other the degree to which the Chinese model spreads to places that find it more appealing than either the EU or the US models."

  12. 13 Aug 2020 update

    Internet of Things: How the U.K.’s Regulatory Plans Could Raise Compliance Standards

    The U.K. government is concerned that despite the introduction of a self-regulatory Code of Practice in October 2018 (COP), there are still significant security flaws in many products on the market. The U.K. proposals seek to expand on the COP, which covers 13 areas (or outcome-focused guidelines) that are widely considered good practice, including requirements that all IOT device passwords are unique, all software is securely updatable, and users have clear transparency and control over the use of their data. The code is expected to be revised by the U.K. government at least every two years.

  13. 24 March 2021 update

    Regulators are your friend

    Lopokoiyit wants fintech companies and innovative start-ups to embrace engagement with regulators in their jurisdictions. “We work with them every single time. There is no product and service that we launch without the regulator. We actually have discovered it is better to, even on a concept stage, to engage the regulator.

  14. 11 June 2021 update

    Public consultation on the draft OECD Recommendation on Agile Regulatory Governance to Harness Innovation

    The COVID-19 crisis has magnified the above-mentioned challenges and forced governments to rethink their approach to rulemaking. The social and economic disruption that the pandemic has wrought further highlights the strategic importance of developing more agile and co-ordinated regulatory approaches to increase responsiveness and resilience in changing environments, harness the opportunities provided by innovation and protect the public interest. As governments rebuild afresh, they must ensure that the innovation that will power economic growth and solve the world’s most pressing social and environmental challenges is not held back by regulations designed for the past.

  15. 8 March 2023 update

    What Washington Gets Wrong About China and Technical Standards

    Over the past four years, Washington’s foreign policy establishment has stumbled on a new arena for competition with China: international technical standards. During that time, standards have been the focus of news stories, think tank reports, and even several pieces of federal legislation. Across these, the master narrative is largely the same: technical standards are a key part of technology competition, China is taking over international standards bodies, and it is successfully manipulating those standards as part of its quest for global tech domination.

    Parts of that narrative ring true. Technical standards are a critical part of the global technology ecosystem because they facilitate trade, can give first-movers a competitive advantage, and can generate significant revenue for companies with large patent portfolios. The Chinese government has a track record of trying to manipulate international organizations, and Chinese participation at international standards bodies is increasing.

    But Washington’s master narrative around technical standards is wrong. It’s not wrong because the Chinese Communist Party is a trustworthy actor in these arenas—it isn’t. The narrative is wrong because it fundamentally misunderstands what international technical standards do and how standards development organizations (SDOs) operate. There are real concerns when it comes to China and technical standards, and those concerns require targeted actions. But to make the right prescription, the U.S. policy community must first correctly diagnose the problem.