IoT systems are usually complex tools that process large amounts of personal data in connection with other IoT systems or through tools incorporated into the device. This creates a complex scenario, since, as the Article 29 WP stated, “interaction between objects, between objects and individuals’ devices, between individuals and other objects, and between objects and back-end systems will result in the generation of data flows that can hardly be managed with the classical tools used to ensure the adequate protection of the data subjects’ interests and rights.”
Controllers must be aware that, even though this might be hard to achieve, data subjects must be able to understand how, and for what purpose, the IoT system uses their personal data to function and come to its decisions. In general, this means that IoT developers should incorporate into the system features able to provide such knowledge in the easiest possible way. Explainability (that is, the ability to explain the technical processes of an IoT system and the logic of the decisions it makes) is key in the case of IoT, especially if it incorporates an AI tool (see the section “Transparency” in the “AI Requirement for Innovators and Developers”, Part IV of these Guidelines).
In general, IoT systems should be able to provide a panoramic overview of “what personal data have been disclosed to what data controller under which policies; provide online access to the personal data and how they have been processed; and provide counter profiling capabilities helping the user to anticipate how their data match relevant group profiles, which may affect future opportunities or risks”. If the controller “plans” to carry out processing for purposes other than those for which the data were collected, they must inform users or data subjects of such further processing beforehand, provide the relevant information and comply with all other requirements, such as having a legal basis for this new purpose or carrying out a compatibility assessment. Based on the above obligations, and applying them specifically to IoT, a first layer of information must be provided to users before they start using the device. Additionally, information requirements state that full information must be provided before the processing starts, so users must have a way to access it before they register or access the IoT device.
According to the GDPR, the information that an IoT system must provide to the data subjects varies depending on whether this information has been obtained from them or inferred by the system.
- If the data is obtained directly from the data subject (Art. 13 GDPR)
The IoT system controller must inform the user, prior to the processing, about: the identity of the controller; the DPO’s contact information; the specific processing purposes; the legal basis for the processing and, if applicable, the legitimate interests on which the processing is based, and which legal basis applies to each purpose; the recipients or categories of recipients of the data; the existence of international transfers; where applicable, the time limits for storing the data or the criteria used to determine those time limits; how to exercise data subjects’ rights and the right to lodge a complaint with the Supervisory Authority; and, in the case of automated decisions, including profiling, relevant information about the logic involved and the expected consequences of such processing for the data subject.
- If the personal data is not obtained from the user (Art. 14 GDPR)
In this case, if the personal data are obtained from a third party, the controller of the IoT system must inform the user of the provisions of Art. 13 of the GDPR, and communicate the information regarding the origin or source of the data, specifically if they come from publicly accessible sources. In this regard, controllers must bear in mind that the concept of “publicly accessible sources” is not an extensive list but rather a closed one, and it does not include social media or the Internet. The information shall be provided to the IoT user within a month ‘at the latest’.
Checklist: fairness and transparency
☐ The controllers have implemented functionalities or easy-to-use control interfaces that allow the management of technical and privacy settings
☐ The IoT systems have been designed so that the preferences and needs of the users are translated to the tool in a distributed, cooperative manner, so that appropriate decisions about the resources being controlled are made
☐ The controllers have implemented adequate measures to avoid biases caused by the use of AI tools.
☐ The controllers have implemented measures to avoid collecting biased datasets
☐ The IoT systems provide:
☐ If the personal data were directly provided by the data subject, the controllers provided all the information listed in Article 13 GDPR.
☐ If the personal data were not provided by the data subject, the controllers provided all the information listed in Article 14 GDPR.
☐ If the personal data is directly provided by the data subject, the information is provided before the processing and, at the latest, at the time it is collected from the data subject.
☐ If the personal data is not provided by the data subject, the information is provided:
☐ The information is provided concisely, transparently, intelligibly, and in an easily accessible way. It is clear and written in plain language.
☐ The controllers have documented all the information regarding these issues.
1 Art 29 Data Protection Working Party (2014) Opinion 8/2014 on the Recent Developments on the Internet of Things (SEP 16, 2014) https://www.dataprotection.ro/servlet/ViewDocument?id=1088
2 Weber, Rolf H., ‘Internet of Things: Privacy Issues Revisited’ (2015) 31 Computer Law & Security Review 618, 625; similarly, Tene and Polonetsky (n 18).
3 Bear in mind that, according to recent case law from the Spanish Data Protection Authority, AEPD, the interests that serve as the ground for the legal basis of art. 6.1.f GDPR would not be the same as the purposes of the processing.
4 Not all these requirements are legal requirements stricto sensu, but they can all be considered as ethical requirements.