Before starting the development of an IoT system, the developers should have its primary objectives and possible secondary goals and uses clear in mind. It might happen that such goal is not compatible with the ethical and legal standards of the EU (such as, for instance, the Charter of Fundamental Rights of the European Union). If the system deprives or reduces data subjects’ capacity to make free decisions about their lives, if it makes decisions about fundamental freedoms and freedoms without any form of human oversight or possibilities for redress, if the system is based on the need to create a kind of addiction, etc., the project should not be endorsed.
Alternatively, it might happen that the goal of the IoT system involves a disproportionate use of personal data which defies the minimization principle, rendering it hard to be in compliance with the applicable legal framework. Furthermore, developers also should keep in mind that the processing of data in the IoT may also concern individuals who will not be subscribers or users of their technology. This scenario creates risks associated with the fact that some data subjects might not be aware that their data is being processed. Additionally, “if the controller envisages a ‘model’ where it takes solely automated decisions having a high impact on individuals based on profiles made about them and it cannot rely on the individual’s consent, on a contract with the individual or on a law authorizing this, the controller should not proceed.” Finally, developers shall assess whether the project is acceptable according to ethical standards, despite it being compliant with legal obligations.
To sum up, developers shall analyze carefully the possible impact of the technology and appropriate measures to be designed to guarantee data protection, privacy and other rights, as defined by the Charter of Fundamental Rights of the European Union and related legal framework As regards data protection and privacy, if the analysis shows that the processing will not be acceptable on the basis of the Charter of Fundamental Rights of the European Union, the GDPR and the ePrivacy framework, the project should not be endorsed.
|Box 1: Smart Glasses
The Art. 29 WP draws attention to this issue with the following example: “wearable devices like smart glasses are likely to collect data about other data subjects than the owner of the device. It is important to stress that this factor does not preclude EU law from applying to such situations. The application of EU data protection rules is not conditioned by the ownership of a device or terminal but by the processing of the personal data itself.”
If developers are willing to create a device such as this, they should be aware of the fact that the GDPR requires the fair and lawful processing of all personal data gathered. This includes, among others, the condition of a valid legal basis for a processing operation, purpose limitation, data minimization, limitation of data retention, data quality and security, rights of the data subjects and independent supervision. GDPR also introduces the principle of accountability as an overarching obligation to strive for compliance not only with the letter of the law. It also provides concrete instruments and tools to achieve accountability, with a risk based approach implemented inter alia in data protection impact assessments (DPIA), data protection by design and by default, nomination of a data protection officer as well as compliance with existing codes of conduct and certification mechanisms.
The developers should consider all these essential issues at the first stages of their project development, so as to avoid unnecessary efforts, if compliance with the data protection legal framework cannot be guaranteed.
In addition, a clear idea of the project will help determine in early stages of the development other legal issues within data protection law, such as the possible need of international transfers of data, the existence of joint-controllers or processors, which need to be carefully selected, or the security and organizational measures to minimize risks.
This document will analyze the main data protection obligations in more detail.
1Art. 29 Op. cit. p. 13. ↑
2Ibid., p.30. ↑