The consent and control conundrum in the Internet of Things

The consent and control conundrum in the Internet of Things

The Consent and Control conundrum in the Internet of Things
  • By Angeline Hayles-Henderson, Solicitor, Birmingham City Council

There is no doubt that the virtues and benefits of  emerging technologies such as the Internet of Things (IoT) , Big Data Analytics, Smart Cities  and more recently, Society 5.0 are being greatly extoled.

However, it would be remiss to fail to address an issue that some legal and technical commentators alike consider to be pivotal in building trust and confidence in how the personal data of individual end users are processed by IoT stakeholders: consent.

READ MORE: Internet-connected toys putting the privacy and safety of children at risk, warns ICO

Obtainment of informed consent should place the individual at the core of data processing considerations and implies retention of some degree of control on the part of the end user. However, in some cases this has proven to be a minefield to navigate under the current Data Protection Directive and the indications are that its likely to be even more so under the imminent General Data Protection Regulation (GDPR), the core aim of which is to enhance the rights of data subjects in an age where there has been a plethora of potentially privacy affecting technologies. The GDPR solidifies and builds upon the consent set out in the Directive to a higher standard.  Interestingly, the question of whether GDPR- compliant consent can truly be obtained in the context of IoT device usage has been the subject of discussion amongst legal practitioners and academics alike.

Article 4(11) of the GDPR provides that consent should be freely given, specific and informed and that there should be some affirmative action by the data subject to indicate consent to processing, for example by having a clear opt-in facility. This, coupled with the enhanced informational rights in respect of Privacy Notices (Articles 12-14) raises practical questions as to how companies in the context of the IoT can gain meaningful and informed consent. Furthermore, can consent be entirely informed unless the individual end user fully understands the technical aspects of how their data is processed? A valid counter-argument would be that providing information to a data subject that is too technical could fall foul of the transparency requirements of the GDPR.

READ MORE: 5 reasons why you need a GDPR-compliant privacy policy, and where to get one

Consent is not the only legal ground for processing. There is the Legitimate Interest condition which can be used if Legitimate Interests are not outweighed by the interests of the individual. Moreover, Article 6(1) (f) refers to the “Fundamental Rights and Freedoms of the Data Subject”. In the IoT environment the processing of personal data is likely to affect the fundamental rights of the end user to a significant degree, for example, if health-related data is collected by a device. The Legitimate Interest condition places the onus on IoT stakeholders when acting as data controllers, to be fair and transparent in their decision making when conducting the interest balancing exercise. It can be asserted, therefore, that when compared to consent, Legitimate Interest, when used as a lawful basis for processing provides the end user with very little control.

The Article 29 Working Party in its Opinion of the Developments of the IoT alluded to the importance of empowering end users by allowing them to exercise their rights and be “in control of their personal data at any time”. This should, at least theoretically, facilitate end user control throughout the life cycle of the device or product.

READ MORE: Over a million organisations infected by Botnet that enslaves IoT devices

With issues such as consent, and the seemingly fast pace of technologies appearing to potentially be a blot on the landscape of the GDPR,  it  appears that its primary aim of placing the individual at the core of Privacy  will, even after its implementation into UK law, continue to be a work in  progress.

Copyright Lyonsdown Limited 2021

Top Articles

300% increase in global cyber attacks

According to NTT's Global Threat Intelligence Report, there has been a 300% increase in cyber attacks globally Manufacturing, healthcare and finance industries all saw an increase in attacks globally (300%,…

US pipeline giant Colonial Pipeline suffers disruptive DarkSide ransomware attack

Colonial Pipeline suffered a DarkSide ransomware attack late last week that forced it to shut all pipeline operations.

NCSC's Active Cyber Defence programme helped sink 70k online scams in 2020

NCSC's Active Cyber Defence programme, which includes the Suspicious Email Reporting Service, helped in taking down over 70,000 online scams totalling 1.4 million URLs last year.

Related Articles