I’m a big fan of Scandinavian TV shows. The Swedish sci-fi drama ‘Real Humans’ is one of my favourites. It was released a few years ago and it’s based on a near future world, where human robots (hubots) have become an everyday phenomenon. In a world where technology is so advanced, the boundaries between human and machine become blurry. New questions arise; should these human robots be paid for the work they do? Who is responsible for their actions in case things go wrong? Should hubots get a legal status of their own, and legal rights to go with that?
These thoughts are not new. In the 90’s we saw a similar dilemma with ‘The Doctor’ in ‘Star Trek: Voyager’. This holographic character gets smarter and develops human emotions through experience and his interaction with humans. Here too, we see the wish for a legal status and equal rights.
What both scenarios have in common is that they talk about a future world. But as technology is advancing, these issues might be closer than we think.
Last week I attended EEMA’s annual conference about Identity and Privacy. One of the sessions focused on the Internet of Things (IoT). Dr. Eleanna Kafeza, attached to an Arabian University, spoke about smart toys for children and a smart doll named ‘Cayla’ in particular. This artificially intelligent doll can be linked to a smart device. It responds to children through this connection by accessing the internet. It also records (and ‘remembers’) personal data, either by adding it in the app, or by voice recordings.
So Cayla, through its connections, can store and process a lot of personal data. Who is the responsible identity behind this? Who is liable in case of privacy violations, misuse of data, or algorithmic decisions? Is it the manufacturer? Is it the doll? Is it the child? Is it the parents? Legally this is not yet covered. According to Eleanna Kafeza there are different schools of thought about the status IoT devices should have:
Besides the toy’s legal status, the child’s privacy is a concern. Parents are shown a non-retrievable display of terms upon opening the app, which is very questionable as a solid ground for a contract. Besides, even if there was a contract, can parents contract away their child’s privacy?
Consent, GDPR and IoT
From an iWelcome point of view this is a complicated case where technology is ahead of legislation. GDPR, the European privacy legislation that will come into force in May 2018, covers parts of it but many organisations still don’t realise the impact the GDPR will have, let alone GDPR and IoT. One of the major issues that companies need to solve in order to be compliant, is a valid consent mechanism and registration of the consent flows. In the case of Cayla there are at least three different possible consent flows:
Consent Lifecycle Management
Registration of the consent flows can be part of a Consent Lifecycle Management system, which can be integrated into an Identity platform that gives the user (and in the case of a child the parents) control over the use of their personal data. This doesn’t solve all the issues at the intersection of new technology, ethics, and legislation but it will help your organisation to take the first steps towards being GDPR compliant and to start building a trusted relationship with your customers.
Field Marketing Specialist at iWelcome
Esther worked as a marketer in tourism for many years and only started working in IT a few months ago. Although traveling is still a big passion, she lets the world of IT surprise her now.
Feel free to repost this blog on your website or social channels! But when you do so, please be so kind to mention the source and give us a notice via firstname.lastname@example.org.