Internet of Things August 2019 Viewpoints

Technology Analyst: Guy Garrud

Data Protection Shows Its Claws

Why is this topic significant?

Companies are facing fines on the order of hundreds of millions of pounds for data-privacy breaches.

Description

One of the important aspects of the European Union's General Data Protection Regulation (GDPR) is that it permits sanctions of up to a maximum of 4% of a company's annual worldwide turnover for the most serious data breaches.

In July 2019, the United Kingdom's Information Commissioner's Office (ICO) fined the Marriott hotel group a proposed £99.2 million (about $125 million). The fine was in response to a data breach in which hackers stole personal data including customers' credit-card details. In the same month, the ICO also fined British Airways £183 million (about $230 million) for a breach that also compromised personal data including credit-card details, addresses, and travel details.

The British Airways fine highlights the difference in regulation under GDPR. Under the United Kingdom's previous data-protection laws, fines could not exceed £500,000 (about $625,000), whereas under GDPR, fines can reflect the size of the company. For example, in 2018, the ICO fined Facebook £500,000 for the Cambridge Analytica scandal that affected millions of people. By contrast, in July 2019, Facebook reportedly reached an agreement with the US Federal Trade Commission (FTC) to pay a $5 billion fine following an investigation that the Cambridge Analytica scandal also triggered. The FTC fine amounts to about one month's worth of revenue for the company.

Implications

An important caveat for some of these cases is that the reported figures have not yet been confirmed and may be subject to appeal and other reductions. Nevertheless, in Europe, at least, data protection appears to have gained some teeth. One of the key features of the GDPR is that it enables much larger fines than preceding legislation enabled, and, in the case of the United Kingdom's ICO, at least, regulators appear to be willing to exercise some of this power. Both the UK cases are dwarfed by the settlement between Facebook and the FTC, which represents a fine of roughly double the permitted maximum under GDPR.

The threat of substantial fines for data breaches could radically alter the decision-making process for many companies. I expect spending on cybersecurity and data-handling activities to scale roughly in proportion to the likely level of fine should a data breach occur. Indeed, a key aspect of the British Airways case is not necessarily that the data breach occurred but rather whether the company had taken "appropriate technical and organizational measures" to protect users, as the GDPR repeatedly states.

Impacts/Disruptions

The threat of financial penalties for data breaches could discourage companies from unnecessary data collection. Instead, organizations will have to balance the potential financial gain from gathering, storing, and processing certain forms of data against the risks associated with storing potentially sensitive user data.

Early cases are likely to set (either formally or informally) precedents that will dictate the likely outcome for future data-protection cases. At the extreme end, some companies could pivot back to older analytics techniques that focused on gathering limited but well-curated data sets rather than focus solely on big data.

Scale of Impact

  • Low
  • Medium
  • High
The scale of impact for this topic is: High

Time of Impact

  • Now
  • 5 Years
  • 10 Years
  • 15 Years
The time of impact for this topic is: Now to 5 Years

Opportunities in the following industry areas:

Insurance, data gathering and processing, cybersecurity, legal services

Relevant to the following Explorer Technology Areas:

Federated Machine Learning

By David Strachan-Olson
Strachan-Olson is a consultant with Strategic Business Insights.

Why is this topic significant?

Researchers are developing federated-machine-learning techniques, in which data never leave individual devices. Such techniques could dramatically change the way organizations train and implement machine-learning models.

Description

Machine-learning techniques are enabling companies to develop a wide variety of new capabilities—such as computer vision and predictive maintenance—for IoT devices. To develop such capabilities, companies must collect a significant amount of data to train machine-learning models. Typically, a cloud system aggregates data from many devices and then uses those data for training. Researchers are exploring new techniques for distributed machine learning, such as federated learning, in which data never leave individual devices.

Google researchers have been developing federated-learning techniques (that is, applying machine learning to data from a device without collecting those data centrally) for mobile devices for a number of years. Google researchers recently published a paper outlining how they scaled their federated-learning system and deployed it to millions of Android devices for mobile keyboard predictions and on-device security. Google's federated-learning technique involves individual devices' downloading a current global model, training the model locally using stored user data, and uploading the resulting new model weights to the cloud. A cloud system aggregates the weight changes from many devices to update the global model. The server then deploys the new global model to devices for local use.
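
The round described above (download the global model, train locally, upload weight changes, aggregate on the server), as an added sketch that is not Google's code and does not use TensorFlow Federated. The function names, the one-variable linear model, the sample-count-weighted averaging and the sample data are assumptions constructed for illustration.

```python
import random

def local_train(weights, data, lr=0.05, epochs=5):
    """On the device: start from the global model, fit it to local (x, y) pairs."""
    w, b = weights
    for _ in range(epochs):
        for x, y in data:
            err = (w * x + b) - y
            w -= lr * err * x
            b -= lr * err
    return (w, b)

def device_update(global_w, data):
    """What leaves the device: a weight delta and a sample count, not the data."""
    w, b = local_train(global_w, data)
    return ((w - global_w[0], b - global_w[1]), len(data))

def aggregate(global_w, updates):
    """On the server: average the deltas, weighted by each device's sample count."""
    total = sum(n for _, n in updates)
    dw = sum(d[0] * n for d, n in updates) / total
    db = sum(d[1] * n for d, n in updates) / total
    return (global_w[0] + dw, global_w[1] + db)

def make_devices(seed=0):
    """Constructed sample data: three devices observing y = 3x + 1 with noise,
    each over a different range of x and with a different amount of data."""
    rng = random.Random(seed)
    spec = [(-1.0, 0.0, 20), (0.0, 1.0, 40), (-0.5, 0.5, 30)]
    devices = []
    for lo, hi, n in spec:
        xs = [rng.uniform(lo, hi) for _ in range(n)]
        devices.append([(x, 3 * x + 1 + rng.gauss(0, 0.05)) for x in xs])
    return devices

def run_rounds(devices, rounds=30):
    global_w = (0.0, 0.0)  # server's initial global model
    for _ in range(rounds):
        updates = [device_update(global_w, d) for d in devices]  # upload step
        global_w = aggregate(global_w, updates)                  # server step
    return global_w

if __name__ == "__main__":
    w, b = run_rounds(make_devices())
    print(f"global model after 30 rounds: w={w:.3f}, b={b:.3f}")
```

In this sketch the server still receives each device's individual delta, so that upload is the value a deployment has to protect in transit and at the aggregator.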

Google made its federated-learning technique publicly available through TensorFlow Federated, which is an open-source framework that enables developers to experiment with and build products that use federated-learning techniques. Other researchers are bringing federated learning to PyTorch—another common machine-learning framework.

Implications

Although Google's research focuses on mobile devices, developers could apply federated-learning techniques to IoT applications. The primary benefit of federated learning is improved data security and privacy, because data never leave the device. Many IoT applications that leverage machine learning today rely on a system in the cloud to store data from devices and sensors, train models using the data, and implement machine-learning models. When deployed, devices send data to the cloud, where the machine-learning model analyzes the data and provides a response. Although this process works today, individuals and organizations might in the future have increased privacy and security demands that data not be transferred off premises. Federated learning in combination with improvements in edge-computing resources could mean that devices not only implement machine-learning models but also could become vital for training machine-learning models through federated learning.

However, uncertainty remains about how broadly engineers can apply federated learning. Currently, Google researchers have used federated learning only in applications for which users label or choose the correct result. This restriction potentially leaves out many machine-learning applications.

Impacts/Disruptions

Digital privacy often refers to individuals' data, but privacy is also important for organizations. Data of all types are becoming more valuable, so organizations have an incentive to prevent other organizations from accessing their data. This prevention can create a tension between a device's manufacturer and a device's operator. Device manufacturers may want to access device data to improve features and develop machine-learning models, but a device's operator may not want data about its specific operations to leave the company. Potentially, federated learning and other federated techniques could enable device manufacturers to access device data to improve features without compromising the data privacy of operator organizations.

Scale of Impact

  • Low
  • Medium
  • High
The scale of impact for this topic is: High

Time of Impact

  • Now
  • 5 Years
  • 10 Years
  • 15 Years
The time of impact for this topic is: 5 Years to 10 Years

Opportunities in the following industry areas:

Sensor networks, intelligent infrastructure, AI systems, machine learning, software services, user data, smartphones

Relevant to the following Explorer Technology Areas: