As fridges, vacuum cleaners and washing machines get smarter and more connected to the internet, they collect more and more information about their owners: they store it and process it, and can use it for targeted ads or, even more sinisterly, to modify the way we think or behave.
In an example of data privacy threat cited in a new report by the Israel Democracy Institute, a robotic vacuum cleaner can, while doing its job, learn how big the house is, learn how many people are in the family by who gives it its instructions; and learn when people are away based on when it is programmed to work or when they’re at home, based on when it gets manual commands.
What happens to this information — where is it stored and who has access to it, the IDI report on privacy asks.
The existing privacy law in Israel, called the Privacy Protection Law set out some 40 years ago, “is outdated,” said Rachel Aridor-Hershkovitz, an attorney researcher at IDI who specializes in law and technology. Its regulations do not cover the needs of today, in which personal information is processed and sold for commercial purposes.
“No one then foresaw a time when companies and others would teach algorithms to collect and process data autonomously, build platforms based on users’ ability to share information with other users, and employ a business model that relies on processing information shared by users and its sale to other commercial entities, inter alia to permit targeted advertising,” the report says.
Privacy and data security, says the report, should be incorporated “systematically” into products, services and technologies, from the initial stages of development. The IDI is thus compiling a new law proposal that brings the Israeli privacy legislation closer to the privacy and data security laws recently set out by the European Union.
The new EU rules, enshrined in the General Data Protection Regulation (GDPR), which were adopted by the EU in April 2016 and went into force in 2018, aim to strengthen and protect individual fundamental rights in data protection. The regulation was designed to put people back in control of their personal data by allowing them greater rights, including the right to access the data and the right to be forgotten.
In addition, organizations will not be able to collect more data than necessary to accomplish their original, legitimate goals, and they must also prove that they are doing their utmost to protect the data they have collected.
“Today, the Israel Privacy Protection Authority tries to enforce privacy, but it is not enough,” said Aridor-Hershkovitz. The fines it gives organizations and companies that are in breach are not high enough and thus do not serve as a deterrent, she said.
The proposal the IDI is working on will not just rely on the consent of customers to enable data controllers to use the data, as is required today, but also make sure privacy is inherent to products and services. This means products and services will have to have data security as an essential component and not as an add-on; they will have to have end-to-end security and transparency about how the data is used.
Firms and organizations will also have to employ data protection officers in charge of making sure the entities are compliant with the law, the proposed law will say.