Fairness is an essential principle in the GDPR. Arguably, all of data protection and thus the GDPR is about fairness towards data subjects. The GDPR can be seen in spelling out what fair actually concretely means. In the case of ICT, it mainly relates to the need to avoid that no one is left out of the chance to benefit from the tools, that is, that all people are entitled to the same fundamental rights and opportunities to profit on the technological advances. Also, that there should be no discrimination on the basis of the fundamental aspects of our identity which are inalienable, such as gender, race, age, sexual orientation, national origin, religion, health and disability, etc. In other words, in terms of IoT, fairness is mainly related to the need to make the tools easy to use for those who are not especially skilled in digital technologies and to avoid that the system created discrimination by introducing unfair biases (see subsection “Fairness” within “Lawfulness, fairness and Transparency” in “Main Concepts”, Part II of these Guidelines).
Transparency, on the other hand, is key to help data subjects develop trust in IoT systems and devices. Indeed, the requirements of transparency are clearly related to the fairness principle, since the harder it is for the user to understand the IoT system, the greater the difference between different types of users becomes. Transparency shows the controller is acting with accountability. On the other hand, lack of overall transparency (and information rights specifically) is in breach of GDPR obligations and may amount to high fines for the controller. It is applicable to all elements relevant to an IoT system: the data, the system and the processes by which it is designed and operated, the interaction with other IoT systems, the use (or not) of AI tools, the performance of profiling or automatic decision making, etc. In addition, it amounts to the who: who is the controller, to whom the data are disclosed, who is the DPO (if there is one), etc.
Transparency is spelled out in the GDPR as detailed requirements of information that has to be provided by the controller to both, data subjects and supervisory authorities. The focus of transparency is to inform data subjects up-front of the existence of the processing and its main characteristics, according to arts. 12-14. Other information (such as the data about the data subject) is available on request (upon exercise of a right to access or right to data portability, for instance). Data subjects also have to be informed of certain events, most notably data breaches (in the case where the data subject is exposed to high risk). Evidently, transparency is a pre-requisite for detecting and intervening in case of non-compliance (see “Transparency” in the “Lawfulness, fairness and Transparency” within “Main Concepts”, Part II of these Guidelines).
In the case of IoT, controllers must keep in mind that transparency is hard to be ensured to data subjects, due to a number of factors that hinder such objective. First, one must consider that an IoT system usually interacts with some others, processing a lot of personal data. Indeed, “as the IoT relies on the principle of the extensive processing of data through these sensors that are designed to communicate unobtrusively and exchange data in a seamless way, it is closely linked to the notions of “pervasive” and “ubiquitous” computing.”[1] Indeed, in the case of IoT, sensors are actually designed to be non-obtrusive, i.e. as invisible as possible. Consequently, in many cases, the data subject is not aware of data processing due to a lack of available information. In other cases, available information does not equal transparency and awareness for data subjects. In these cases, together with informative wording, transparency can mean using icons when data such as location is being collected, and switching off such icons when data is not being collected. Controllers must assess what transparency means in their specific development and device.
Furthermore, “once the data is remotely stored, it may be shared with other parties, sometimes without the individual concerned being aware of it. In these cases, the further transmission of their data is thus imposed on the user who cannot prevent it without disabling most of the functionalities of the device.”[2] This can be enhanced by the ever-more-common data stored inside the device. In these, data do not leave the device, enhancing all transparency, data subjects control over their data, and, depending on the case, security.
Additionally, IoT systems often use AI tools. As extensively exposed in the corresponding section, these tools often suffer from diverse types of opacity, hindering an adequate fulfilment of transparency requirements (see “Transparency”, within Part IV (AI) of these Guidelines).
Finally yet importantly, IoT developers shall guarantee transparency by using a number of complementary tools. Naming a DPO, who then serves as a single point of contact for queries from data subjects, is an excellent option. Preparing adequate records of processing for the supervisory authorities, or performing DPIAs, are also highly recommended measures to promote transparency. Undertaking analysis that evaluate the effectiveness and accessibility of the information provided to the data subjects helps to ensure the efficient implementation of this principle. Or providing for interoperability among different systems so data subjects are able to exercise portability or providing for easy ways to download one’s data and self-exercise a right to access.
References
1Art 29 Data Protection Working Party (2014) Opinion 8/2014 on the on Recent Developments on the Internet of Things (SEP 16, 2014) https://www.dataprotection.ro/servlet/ViewDocument?id=1088 ↑
2Art 29 Data Protection Working Party (2014) Opinion 8/2014 on the on Recent Developments on the Internet of Things (SEP 16, 2014) https://www.dataprotection.ro/servlet/ViewDocument?id=1088 ↑