September 11, 2020
Last week, the Office of the Privacy Commissioner of Canada (the “OPC”) published a new guidance document: Privacy guidance for manufacturers of Internet of Things devices (the “IoT Guidance”). The IoT Guidance provides overdue clarity on how the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to Internet of Things (“IoT”) devices, and guidance to manufacturers of those devices on specific security and other measures they should consider.
The Internet of Things: Context and the regulatory environment
The OPC defines the IoT as “the networking of physical objects through the Internet.” IoT devices include so-called “smart” appliances for use in the home such as lighting systems, smoke alarms, TVs, doorbells, locks, speakers, security cameras, thermostats, and air quality monitors; as well as connected cars, toys, watches, and health trackers.
We have previously discussed the myriad forms of jeopardy that may arise for manufacturers of IoT devices, including liability based on privacy and data security issues. This is because IoT devices invariably collect, use, and disclose personal information by way of embedded sensors, including heart rate, body temperature and movement; temperature or energy usage in a home; voice and facial recordings; geolocation data; and behavioural patterns.
To date, the OPC has only issued a single decision dealing with connected devices, which concerned a data breach affecting the systems of a manufacturer of children’s e-readers and laptops. The IoT Guidance is therefore welcome, as it begins to provide at least some clarity as to how the OPC thinks Canada’s privacy regime applies to IoT devices.