One of the debates in privacy is the continuing feasibility of Collection Limitation as a data protection principle. Historically, there was some basic tension with data retention pressures, as Steve Wilson noted: “Collection Limitation … can contradict the security or legal instinct to always retain as much data as possible, in case it comes in handy one day.” The IoT, broadly construed, adds a new pressure: the increasing ubiquity of sensor information.
Mobile phones with all their sensors have been a challenge to Collection Limitation for years. Consider the legions of apps that access all of the sensor data because they can. But that was one device – now multiply that by… choose your number du jour. The point is that the IoT/ubiquitous computing/pervasive computing/contextual computing are typified by enhanced monitoring. Collection Limitation is, simply put, the principle of only gathering the data you need for a particular application. The US, enormous market that it is, does not really enforce this principle. That’s unsurprising, as it mainly appears in ‘soft law,’ i.e., there are no sanctions to enforce it in the commercial world. It nominally exists in Europe, but there are very limited ways of enforcing it. How can this principle withstand the emergence of billions of all-seeing, all-hearing devices in the human environment?
In November of last year, two automotive trade bodies released a set of Vehicle Privacy Principles, written in conjunction with the law firm Hogan Lovells with some assistance from the Future of Privacy Forum. I’ve written on these Principles before for O’Reilly Radar – I don’t like them because of their very weak consent principles. Further, the Principles never mention the ability to kill all non-essential, non-driving-related sensors in the car, nor the ability to shut off location tracking. HERE is where I would like to see the Collection Limitation principle reassert itself, in combination with an improved consent posture. If a driver declines whatever shiny, amazing application in-car sensors would enable, and doesn’t want the car manufacturer, the dealership, and any partners to know where she or he is driving, the data should not be collected. Collection Limitation is meaningful here because the car is unique in its function and context – driving. And while the same data could likely be gathered from the driver’s phone, the phone could be off, location services disabled, what have you; it’s a separate consideration. If the car is a locus of sensors, a privacy-positive orientation would have the driver able to kill all non-essential sensing. This is also an argument in support of the continued existence of Collection Limitation.