Watch out for regional data privacy rules

Dec. 7, 2015
Beware legal implications that vary based on type of data as well as where it was collected, analyzed and stored
“It’s important to understand what type of data you have and how it is being handled. Is it being integrated with some type of personal data?” Adam Schlosser of the U.S. Dept. of Commerce (foreground) together with Chris Hamilton of Grantek discussed the range of regional differences in data privacy law applicable to IIoT technology.

A vast amount of data already is generated and transmitted by Internet-connected sensors and machines, and that volume continues to grow rapidly. Industrial enterprises that collect and process that data need to be aware of the shifting landscape of legal and regulatory obligations attached to the various types of data they collect, and how those regulations vary depending on what the data contains, where it was collected and how it is stored.

“It’s less about data ownership, since those issues are resolved through contractual agreements,” noted Adam Schlosser, director of the Center for Global Regulatory Cooperation, U.S. Chamber of Commerce, to panel session attendees at October’s Smart Industry 2015 conference in Chicago. “It’s more about what rules apply to your data, what rules apply to your company wherever you do business—where it is collected, where it is processed and where your partners are located.”

Schlosser was joined on the panel by Chris Hamilton, senior technical consultant, manufacturing IT/OT at Grantek Systems Integration, and Mitesh Patel, head of Internet of Things manufacturing for Tata Consultancy Services’ Innovation and Transformation Group (ITG).

No safe harbor?

The Smart Industry panel discussion turned out to be particularly timely, coming just one day after the European Court of Justice invalidated the 15-year-old Safe Harbor agreement that effectively allowed American companies to handle Europeans’ data.

“A good example of the growing extraterritorial reach of government happened yesterday,” said Schlosser of the Safe Harbor ruling. “This was a method by which companies of all sizes doing business in Europe could transfer data legally back to the United States. Now the European Court of Justice, which is essentially their Supreme Court, said that this legal mechanism is now gone. These are the trends we have to follow.”

“You need to have a system in place based on the region you want to serve,” added Tata’s Mitesh Patel. “This increasingly makes things more complex, especially in the type of environment we are in right now where business is changing and transforming at a much faster pace. Basically, you need to have a target audience in mind and a legal team running in parallel who understands the complications.”

Failure to do so may deliver a product to market quickly but in violation of applicable laws, Patel cautioned. “A better method is to think about what laws and regulations you may need to comply with based on your geographical area and the type of data you are collecting, and plan how to handle that during the development process,” Patel said.

Privacy vs. security

With regard to laws and regulations, two data aspects need to be considered, said Adam Schlosser. “One is privacy, and the second is security.” Data privacy concerns the personal information of individuals, the kind exposed in recent high-profile breaches at Target, T-Mobile and Experian. Data security covers personal as well as non-personal data, and extends to incidents such as the Jeep vehicle hack this past summer and the resulting recall of 1.4 million vehicles containing the Chrysler Uconnect dashboard computers.

“This goes back to the issue of what type of data you have,” said Grantek’s Chris Hamilton. “Machines don’t have privacy issues. So, if it’s not attached to a person, then security is really the strong issue. The question is, how will this data be enriched once it is collected? The two pieces go hand in hand. You need to have a firm grasp of what the data flow looks like.”

These data flows can change over time, noted Schlosser, and compliance must be verified on an ongoing basis. “The data could be purely operational, say ‘machine A operated at 87% capacity for 6 hours today.’ Well, all of a sudden you’re able to add one piece of data that says, ‘and employee B operated the machine’—now that data has become a liability from a privacy perspective. So it’s important to understand first of all, what type of data you have and how it is being handled. Is it being integrated with some type of personal data?”
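Schlosser’s example above, where a purely operational machine record becomes personal data the moment an employee identifier is joined to it, is the kind of rule a data-flow inventory can enforce automatically. The following is an added illustration, not code from the panelists or their companies: it tags each record with a classification, propagates the stricter classification through any enrichment, and gates cross-region transfers of personal data on an approved mechanism. The field names, region codes and the TRANSFER_MECHANISMS table are constructed for the example and stand in for whatever policy a legal team actually approves; they are not a statement of any jurisdiction’s law.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered so that max() picks the stricter label when records are joined."""
    OPERATIONAL = 0   # machine-only data, not linked to a person
    PERSONAL = 1      # linked to an identifiable individual


# Constructed list of fields that identify a person (assumption for this example).
PERSONAL_FIELDS = {"employee_id", "operator_name", "badge_number"}

# Hypothetical policy table: (collection_region, destination_region) pairs for which
# an approved transfer mechanism exists. Constructed for the example only.
TRANSFER_MECHANISMS = {("EU", "EU"), ("US", "US")}


@dataclass
class Record:
    fields: dict
    region: str                       # where the data was collected
    classification: Classification = Classification.OPERATIONAL


def classify(fields):
    """Personal if any field is a known person identifier, else operational."""
    if any(name in PERSONAL_FIELDS for name in fields):
        return Classification.PERSONAL
    return Classification.OPERATIONAL


def make_record(fields, region):
    return Record(dict(fields), region, classify(fields))


def enrich(base, extra):
    """Join two records. The result keeps the collection region of the base record
    and inherits the strictest classification of the inputs and of the merged fields,
    so an operational record becomes personal as soon as an identifier is attached."""
    merged = {**base.fields, **extra.fields}
    strictest = max(base.classification, extra.classification, classify(merged))
    return Record(merged, base.region, strictest)


def transfer_allowed(record, dest_region):
    """Operational data moves freely; personal data needs an approved mechanism
    for the (collection_region, destination_region) pair."""
    if record.classification == Classification.OPERATIONAL:
        return True
    return (record.region, dest_region) in TRANSFER_MECHANISMS


def demo():
    # Constructed sample: the machine-utilization record from the quote, collected in the EU.
    machine = make_record({"machine": "A", "capacity_pct": 87, "hours": 6}, "EU")
    # Constructed enrichment: which employee operated the machine.
    operator = make_record({"employee_id": "B"}, "EU")
    combined = enrich(machine, operator)
    return {
        "machine_class": machine.classification,
        "combined_class": combined.classification,
        "machine_to_us": transfer_allowed(machine, "US"),
        "combined_to_us": transfer_allowed(combined, "US"),
        "combined_to_eu": transfer_allowed(combined, "EU"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the classification is recomputed on every join rather than set once at collection time, the check keeps pace with data flows that change after the original design review, which is the ongoing verification the paragraph above calls for.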

There are actions that you can take to get a handle on the data requirements pertaining to your industry and the locations in which your company operates. “Do a risk assessment and figure out what your risk is and what it can potentially mean,” advised Chris Hamilton. “That is a lot harder to visualize than is, say, upgrading the electronics on a machine. It is easy for a plant to justify an upgrade—those are much harder, more factual numbers. But when we are talking about security and data privacy, those numbers are much bigger and potentially much more far-reaching.”