Insight Vector: Ensuring Free Flows of Data for the Internet of Things

Innovation and market perspectives from leading IoT thought leaders

Damir Filipovic’s background at the Digital Europe trade association, Samsung and the Ministry of Communications of Croatia gives him a broad perspective on the pending General Data Protection Regulations in the European Union, set to take effect in 2018.   Our conversation explored the complex dynamics involved in harmonizing the interests of the many EU countries to achieve a reasonable standard.  The different approaches to law and data privacy differ significantly between Europe and the US, and Connected Industry businesses, particularly those involving cross border commerce and transportation, will need to balance new requirements with business objectives and customer needs.

Damir is a seasoned public affairs and governmental practitioner with 10y. in Brussels and 10y. at national level, both in the public and private sectors, with extensive knowledge and network in the digital and telecom worlds. Damir worked for big corporates like Samsung, Deutsche Telekom as well as for the biggest digital association in Europe, DIGITALEUROPE. Damir is now Managing Director of FDA3.

Q&A

Can you share what shaped your views of IoT?

In my view, there has been an IoT in various forms since the invention of wireless communications.  What has changed is the enormous hyper connectivity of the Internet and mobile network that enables us to link and connect various objects to be tracked, traced and managed remotely. The Internet is like a road which paves the way for cars, buses and businesses relying on the infrastructure to evolve. 

What are some of the critical regulatory issues in connected industry?

Privacy and security are the biggest concerns. In the US, there are privacy regulations for consumer protection, and there are the courts for redress.  In Europe, there are three different philosophical approaches to the law: in the UK there is common law, in German law, if it’s not regulated, it’s not allowed, and French Law is based on precautionary principles.  The government needs to predict potential outcomes and regulate to protect the citizens.   Europe feels that it’s not properly playing in the digital economy, so they want to show their power through regulations around the data economy.

Can you explain GDPR – for those not familiar?

It’s the General Data Protection Regulations in the European Union, which define under which conditions and criteria personal data of individual EU citizens can be collected, stored, processed and exchanged, as well as what to do in case of any breach in such handling.  The biggest benefit is harmonization, which will protect business. The key issue is data ownership.   What you have until May 2018 is the Data Protection Directive, which EU members agree to apply but there are degrees of freedom. There’s a baseline of controls and each country has its own way of applying them.   With GDPR – once the requirements are agreed upon at the EU level its directly implementable.  There are 40 “carve outs” the 27 member states can choose how to implement which can be applied differently.

The EU is trying to work with data protection authorities to minimize the differences – either a lowest common denominator, or more stringent rules.  The key is how to avoid fragmentation so when you have complaints across border, they need to be able to solve complaints across borders.  This becomes very complicated.  In the future it should be that one country will take the lead in a complaint, others will join, and then the data protection authorities will define the fines.

How do data privacy practices and rules differ between the US and Europe?

In Europe they believe that that privacy is a fundamental right, and the big internet giants are not handling these issues well. They will need to take these considerations more seriously.  Another key difference in Europe is that the government knows everything about people versus the US, where it’s companies that know everything about people. 

Both approaches allow for a high level of protection of personal data, the key difference is how to get there. While in the US a lot of protection relies on the effectiveness of the judiciary, in Europe there is a more ex-ante approach, defining a set of high level personal data protection criteria that needs to be fulfilled from the beginning, then ex-post controls and high fines.

How do you define “free data flows” - data ownership and access?

Free flow of data means that data may be stored and processed outside of the geographic area where data is initially generated.  Ownership is about defining who can monetize the data. Access is also about monetizing, but is a bit blurred in the way that it collides between personal and non-personal data.  If you think about companies that collect data in return for providing free services – there are data flows that sit on top and glue everything together. 

In principle, there should be a golden standard of privacy for all EU citizens with GDPR and it won’t matter where data is stored as long as authorities have access with appropriate security levels.  There is competition between EU member states in terms of their claims on the data from their citizens (data sovereignty).  The big Internets make claims to all the data.   

As an example of how complex it can be, the Swedish government’s Transport Administration data included plans related to the military.  They outsourced to IBM to handle this data, then stored the data in Serbia, which is considered close to Russia.  This was done by public servants – the question becomes what is stored, who has access and what happens with a leak? Government wants to regulate, but there are complex issues like this. 

Some countries are looking to protect their industries - in Germany and France, they want to protect facilities.  When you want to have connected or autonomous vehicles, there’s a big question how it can work if there are not free flows of data if you are registered in Belgium and driving in Netherlands.    The car industries in each country also want to keep the data for themselves- they don’t want the data to go to Google. 

How does GDPR impact businesses of different sizes, and in different industries?

The biggest companies will add GDPR compliance to their various roster of compliance obligations. Smaller companies and startups often do not have time or resources for heavy compliance obligations. It does not mean they do not care to comply, it just means they lack proper resources, knowledge and training on how to ensure full compliance which exposes them to significant risks.  There is also a big challenge for smaller businesses just to know if they are in compliance.  The GDPR authorities are very closed either because of resources or because they think in terms of dealing with large companies

To learn more about how IoT can unlock value within your industry, contact us at Momenta.