One of the issues inherent to IoT is that this technology can hardly avoid promoting profiling and automated data processing. This creates important issues in terms of data protection. As the Article 29 Working Party stated, “unlike other types of content, IoT pushed data may not be adequately reviewable by the data subject prior to publication, which undeniably generates a risk of lack of control and excessive self-exposure for the user. In addition, communication between objects can be triggered automatically as well as by default, without the individual being aware of it. In the absence of the possibility to effectively control how objects interact or to be able to define virtual boundaries by defining active or non-active zones for specific things, it will become extraordinarily difficult to control the generated flow of data. It will be even more difficult to control its subsequent use, and thereby prevent potential function creep. This issue of lack of control, which also concerns other technical developments like cloud computing or big data, is even more challenging when one thinks that these different emerging technologies can be used in combination.”[1] Indeed, we must keep in mind that IoT often needs to link datasets from different devices to obtain detailed insight into users’ private lives, and to make assumptions and predictions about their behavior. These practices are not contrary to data protection, provided that they strictly comply with the applicable regulations. However, it is often hard to ensure that compliance.
Furthermore, this scenario enables the combination of multiple pieces of data that, on their own, may provide little information about the data subject. Some of the data may even be anonymized. However, their combination often ends up creating a new scenario, in which personal data and particularly special categories of personal data. These are usually called inferred data, that is, “any personal data which have been created by the data controller as part of the data processing, e.g. by a personalization or recommendation process, by user categorization or profiling made on the basis of the personal data provided by the data subject (observed or raw data)”[2]. They are also personal data, which means that they are subject to the GDPR and the applicable data protection regulation.
References
[1] Art 29 Data Protection Working Party (2014) Opinion 8/2014 on the on Recent Developments on the Internet of Things (SEP 16, 2014) https://www.dataprotection.ro/servlet/ViewDocument?id=1088
[2] A29WP, Guidelines on the right to data portability, at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/right-data-portability_en