GDPR and IoT: Technology ahead of legislation

Esther Hoeksema
July 19, 2017 at 10:12 AM

I’m a big fan of Scandinavian TV shows. The Swedish sci-fi drama ‘Real Humans’ is one of my favourites. It was released a few years ago and it’s based on a near future world, where human robots (hubots) have become an everyday phenomenon. In a world where technology is so advanced, the boundaries between human and machine become blurry. New questions arise - should these human robots be paid for the work they do? Who is responsible for their actions in case things go wrong? Should hubots get a legal status of their own, and legal rights to go with that?

These thoughts are not new. In the 90s we saw a similar dilemma with ‘The Doctor’ in ‘Star Trek: Voyager’. This holographic character gets smarter and develops human emotions through experience and his interaction with humans. Here too, we see the wish for a legal status and equal rights.

What both scenarios have in common is that they talk about a future world. But as technology is advancing, these issues might be closer than we think. 

Last week I attended EEMA’s annual conference about Identity and Privacy. One of the sessions focused on the Internet of Things (IoT). Dr. Eleanna Kafeza, attached to an Arabian University, spoke about smart toys for children and a smart doll named ‘Cayla’ in particular. This artificially intelligent doll can be linked to a smart device. It responds to children through this connection by accessing the internet. It also records (and ‘remembers’) personal data, either by adding it in the app, or by voice recordings. 

So Cayla, through its connections, can store and process a lot of personal data. Who is the responsible identity behind this? Who is liable in case of privacy violations, misuse of data, or algorithmic decisions? Is it the manufacturer? Is it the doll? Is it the child? Is it the parents? Legally this is not yet covered. According to Eleanna Kafeza there are different schools of thought about the status IoT devices should have:

  • Smart toys as legal persons: the law gives legal personality to entities;
  • Smart toys as robots (The EU is considering giving electronic personality to robots);
  • Smart toys as identity-agents: there is a principal who is responsible and liable;
  • Smart toys as animals: animals don’t have personhood – they’re viewed as property.

Besides the toy’s legal status, the child’s privacy is a concern. Parents are shown a non-retrievable display of terms upon opening the app, which is very questionable as a solid ground for a contract. Besides, even if there were a contract, can parents contract away their child’s privacy?

Consent, GDPR and IoT

From an iWelcome point of view this is a complicated case where technology is ahead of legislation. GDPR, the European privacy legislation that will come into force in May 2018, covers parts of it, but many organisations still don’t realise the impact the GDPR will have, let alone GDPR and IoT. One of the major issues that companies need to solve in order to be compliant is a valid consent mechanism and registration of the consent flows. In the case of Cayla there are at least three different possible consent flows:

  • consent of the user towards the distributor of the IoT device;
  • parental consent (because in this case the child is too young to give consent);
  • consent concerning other services on the internet that are connected to the IoT device and process the user’s data (can be many, depending on how many legal entities will process that data, and therefore need consent).

Consent Lifecycle Management

Registration of the consent flows can be part of a Consent Lifecycle Management system, which can be integrated into an Identity platform that gives the user (and in the case of a child the parents) control over the use of their personal data. This doesn’t solve all the issues at the intersection of new technology, ethics, and legislation but it will help your organisation to take the first steps towards being GDPR compliant and to start building a trusted relationship with your customers.

The EEMA presentation on smart toys can be found here.

Feel free to repost this blog on your website or social channels! But when you do so, please be so kind as to mention the source and give us a notice via marketing@iwelcome.com.
