Chapter III of the GDPR provides for a set of rights that the data subjects can exercise to safeguard their personal data. Although each right has specific details and issues that could affect and be affected by ICT research and development (see the section “Processing for scientific research” in “Main Tools and Actions”, Part II of these Guidelines) they all share some general features concerning their transparent information, communication and modalities of exercise (Article 12 GDPR). In this section, we analyze each specific right in the light of an IoT system development. We have already analyzed the right to information (see the Transparency section of this part of the Guidelines) and the right not to be subject to automated decision-making has been extensively addressed in the “Human Agency” section of this part of the Guidelines.
In general, most of these rights are hard to implement in the case of IoT, due to the pure nature of the technology, which is based in the high-speed of data provided by different systems and devices. Continued aggregation and profiling techniques, together with the continued creation of inferred data contribute to hinder rights such as access, portability o erasure. Furthermore, in the IoT framework it is quite common to find different controllers and processors processing aggregated datasets that are stored through cloud computing led by a supervisor, who takes the role of joint controllers or processors.
The contracts that rule such interactions are complex and multi-layered. Consequently, the distribution of roles and responsibilities becomes difficult in practice. Even though in theory contracts should clarify all these issues, “in reality, the processors are the ones who draft standard contractual terms and processing instructions because they process data on behalf of many controllers and do not have separate processing instructions for each controller. This makes it difficult for the controllers to comply with the contractual requirements and the accountability principle under GDPR, as they are not fully aware of all of the processors and subprocessors involved. Furthermore, the complex multi-layered contractual relationships between IoT stakeholders make it more difficult to claim the responsibility for a damage caused to data subjects by IoT devices or analytical algorithms.”[1]In addition, some parties may draft contracts positioning themselves in a different role than what really applies to them (see “Define the data protection roles played by all agents involved in the processing: determination of controllers and processors” section in this part on IoT)
Different tools have been proposed to face these issues and the ‘personal information management system’ (‘PIMS’) approach has been promoted by the European Data Protection Supervisor.[2] The use of blockchain techniques to design GDPR-based smart contracts that are privacy aware to improve the accountability of IoT devices, which are data controllers or processors of user data might be an adequate alternative, since they do not need general supervisor or ―data controller. However, blockchain might provoke disadvantages in terms of data subjects’ rights and freedoms, since their being node owners would make them “controllers” and consequently they would have obligations and liabilities according to the GDPR.[3]
Even though there are no definitive technical solutions to these complex issues, IoT developers should do their best to ensure that the systems are able to respect data subjects’ rights and freedoms. Domains of IT design like privacy-enhancing technologies (PETS), privacy engineering, usable privacy and human data interaction all have methodologies and frameworks to offer.[4]
References
1El-Gazzar, R., & Stendal, K. (2020). Examining How GDPR Challenges Emerging Technologies. Journal of Information Policy, 10, 237-275. doi:10.5325/jinfopoli.10.2020.0237. ↑
2European Data Protection Supervisor (2016) Opinion on personal information management systems towards more user empowerment in managing and processing personal data. Brussels. At: https://edps.europa.eu/sites/default/files/publication/16-10-20_pims_opinion_en.pdf ↑
3Nicola Fabiano, Internet of Things and the Legal Issues related to the Data Protection Law, Athens Journal of Law – Volume 3, Issue 3, 2018, Pages 201-214 https://doi.org/10.30958/ajl.3-3-2 doi=10.30958/ajl.3-3-2 according to the new European General Data Protection Regulation By ↑
4Urquhart, L., Sailaja, N. & McAuley, D. Realising the right to data portability for the domestic Internet of things. Pers Ubiquit Comput 22, 317–332 (2018). ↑