The beginning of 2018 has brought a lot of expectations that Brazil will, finally, have a national policy plan on the Internet of Things. The Ministry of Science, Technology, Innovation and Communication and the Brazilian National Development Bank have recently released several reports, one of them deals with the regulatory challenges of IoT. This is undoubtedly a strategic subject for the national development of any country, since it will impact all sectors of the economy, such as health, urban mobility, agriculture, energy and retail. The core idea is that the objects surrounding us will become sensors that will monitor all aspects of our life in order to optimize it.
For instance, a pacemaker could record the patient’s heart rate along every second or moment of the day, for more precise diagnostics and prognostics. Another example are automobiles, which could provide their geospatial data in real-time and throughout every second of the trip, for the purpose of enhancing traffic routes. In short, useful information could be mined from big amounts of data, such as these, in order to drive the economy and society, as in the concept of the data-driven-society.
However, IoT also raises negative aspects, in particular related to privacy issues. George Orwell, the pseudonym of Eric Arthur Blair, created the character Big Brother, who observed citizens through telescreens in the book “1984”. IoT takes this two steps further. In the current scenario, instead of the telescreen and the State, we have the fridge, toaster, table, watch, shoes and, consequently, the suppliers of these “things” – acting as Little Brothers – who could spy on and analyze our movements.
For such reasons, privacy and personal data protection are inseparable and strategic issues for any IoT national plan. In this sense, the Brazilian Congress should approve a comprehensive personal data protection law. Without that, the proposed IoT Brazilian national plan may fail. This could happen for at least two reasons.
Firstly, only this law will provide the key concepts for the development of the IoT agenda in Brazil. For instance, it can adress the questions what should be considered personal data and how technology, for example, coding for anonymization techniques, should be applied for mitigating the privacy risks at stake. Such regulation would reduce the asymmetry of information and legal uncertainty not only for individuals, but also for the private and public sector, with regards to what data should be collected, processed and shared, and how.
Secondly, such a bill would be comprehensive and in juxtaposition to the fragmented normative framework existent in Brazil. The regulatory issues of IoT are heterogeneous. From the automotive to the health sector, there would always be a normative vacuum left by the sectoral Brazilian legislation. Only a general personal data protection law would have the necessary amplitude to cover the multifaceted regulatory aspects of IoT.
Beyond the aforementioned strategic role, how could privacy be an orienting element in order for Brazil to design an innovative national IoT Plan?
Currently, a punitive regulatory mindset prevails worldwide. As evidence, see three different random cases from three different legal cultures:
a) In Brazil, the telecom company “Oi” was fined R$ 3,5 million. In that case, the Consumer Protection Bureau at the Ministry of Justice decided that consumers had not been properly informed about how their personal data was being collected and processed.
b) When Google consolidated about 70 privacy policies into one single, all-encompassing policy, European Data Protection Authorities (DPAs) took action. On the one hand, Spanish and French DPAs imposed fines of about 900.000 and 150.000 Euro, respectively. On the other hand, the DPAs of Italy, United Kingdom and the Netherlands all settled on giving Google time to rewrite its privacy policies, before the search engine would be subject to penalties;
c) In the United States of America, the Federal Trade Commision (FTC) has implemented a program called “Enforcing Privacy Promises”. As the program terminology suggests, the FTC has brought legal actions against organizations that have not carried out the promises, which had been established in their privacy policies. In fact, the former chairman of the FTC can be quoted as saying that the companies should “keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place”.
In all of those cases, the State has applied a top-down and punitive regulatory mentality. However, the IoT national plan could be an opportunity for Brazil to implement a new regulatory strategy. Why not combine incentive measures with regards to desirable behaviors, instead of only penalizing bad attitudes? Would this be able to foster a bottom-up style of regulation?
The environmental law, worldwide, has already internalized such a regulatory strategy, in the sense that companies are rewarded if they implement positive environmental policies (e.g., tax exemptions and breaks for low-polluting technologies). As Noberto Bobbio, an Italian legal scholar, has advocated, the law should not only punish certain undesirable behaviors, but also encourage desirable actions.
The same strategy could be adopted regarding technologies that embed privacy into their design, which is the well known concept of privacy by design. Why not also grant tax advantages for the IoT sensors, which are designed with privacy taken into account as their core value? Privacy by design could also be a requirement of financing granted by the Brazilian Bank for National Development.
Such regulatory strategy could trigger a scenario in which personal data protection and privacy would be seen as competitive and economic elements. The regulated players would be induced to cooperate with regulators and, therefore, the regulatory effects would voluntarily come from the “factory floors”. And, mostly important, Brazil might be disruptive, since the Brazilian start-ups could grow, nationally and internationally, having privacy as their market advantage.
Bruno Ricardo Bioni is a PhD candidate in Commercial Law at the University of São Paulo, where he also earned his Masters Degree in Private Law. Currently, he is a legal advisor at the Brazilian Network Information Center/NIC.br and member of the Latin America Network of Surveillance, Technology and Society Studies.