GDPR and IoT: Technology ahead of legislation

I’m a big fan of Scandinavian TV shows. The Swedish sci-fi drama ‘Real Humans’ is one of my favourites. It was released a few years ago and it’s based on a near future world, where human robots (hubots) have become an everyday phenomenon. In a world where technology is so advanced, the boundaries between human and machine become blurry. New questions arise; should these human robots be paid for the work they do? Who is responsible for their actions in case things go wrong? Should hubots get a legal status of their own, and legal rights to go with that?

These thoughts are not new. In the 90’s we saw a similar dilemma with ‘The Doctor’ in ‘Star Trek: Voyager’. This holographic character gets smarter and develops human emotions through experience and his interaction with humans. Here too, we see the wish for a legal status and equal rights.

What both scenarios have in common is that they talk about a future world. But as technology is advancing, these issues might be closer than we think. 

Last week I attended EEMA’s annual conference about Identity and Privacy. One of the sessions focused on the Internet of Things (IoT). Dr. Eleanna Kafeza, attached to an Arabian University, spoke about smart toys for children and a smart doll named ‘Cayla’ in particular. This artificially intelligent doll can be linked to a smart device. It responds to children through this connection by accessing the internet. It also records (and ‘remembers’) personal data, either by adding it in the app, or by voice recordings.

So Cayla, through its connections, can store and process a lot of personal data. Who is the responsible identity behind this? Who is liable in case of privacy violations, misuse of data, or algorithmic decisions? Is it the manufacturer? Is it the doll? Is it the child? Is it the parents? Legally this is not yet covered. According to Eleanna Kafeza there are different schools of thought about the status IoT devices should have:

  • Smart toys as legal persons: the law gives legal personality to entities;
  • Smart toys as robots (The EU is considering giving electronic personality to robots);
  • Smart toys as identity-agents: there is a principal who is responsible and liable;
  • Smart toys as animals: animals don’t have personhood – they’re viewed as property.

Besides the toy’s legal status, the child’s privacy is a concern. Parents are shown a non-retrievable display of terms upon opening the app, which is very questionable as a solid ground for a contract. Besides, even if there was a contract, can parents contract away their child’s privacy?

Consent, GDPR and IoT

From an iWelcome point of view this is a complicated case where technology is ahead of legislation. GDPR, the European privacy legislation that will come into force in May 2018, covers parts of it, but many organisations still don’t realise the impact the GDPR will have, let alone GDPR and IoT. One of the major issues that companies need to solve in order to be compliant is a valid consent mechanism and registration of the consent flows. In the case of Cayla there are at least three different possible consent flows:

  • consent of the user towards the distributor of the IoT device;
  • parental consent (because in this case the child is too young to give consent);
  • consent concerning other services on the internet that are connected to the IoT device and process the user’s data (can be many, depending on how many legal entities will process that data, and therefore need consent).

Consent Lifecycle Management

Registration of the consent flows can be part of a Consent Lifecycle Management system, which can be integrated into an Identity platform that gives the user (and in the case of a child the parents) control over the use of their personal data. This doesn’t solve all the issues at the intersection of new technology, ethics, and legislation but it will help your organisation to take the first steps towards being GDPR compliant and to start building a trusted relationship with your customers.

The EEMA presentation on smart toys can be found here.

 

Esther Hoeksema

Field Marketing Specialist at iWelcome

Esther worked as a marketer in tourism for many years and only started working in IT a few months ago. Although traveling is still a big passion, she lets the world of IT surprise her now.

Feel free to repost this blog on your website or social channels! But when you do so, please be so kind to mention the source and give us a notice via pr@iwelcome.com.
