The consent and control conundrum in the Internet of Things
7 December 2017
By Angeline Hayles-Henderson, Solicitor, Birmingham City Council
There is no doubt that the virtues and benefits of emerging technologies such as the Internet of Things (IoT), Big Data Analytics, Smart Cities and, more recently, Society 5.0 are being greatly extolled.
However, it would be remiss to fail to address an issue that some legal and technical commentators alike consider to be pivotal in building trust and confidence in how the personal data of individual end users are processed by IoT stakeholders: consent.
Obtainment of informed consent should place the individual at the core of data processing considerations and implies retention of some degree of control on the part of the end user. However, in some cases this has proven to be a minefield to navigate under the current Data Protection Directive and the indications are that it is likely to be even more so under the imminent General Data Protection Regulation (GDPR), the core aim of which is to enhance the rights of data subjects in an age where there has been a plethora of potentially privacy-affecting technologies. The GDPR solidifies and builds upon the consent set out in the Directive to a higher standard. Interestingly, the question of whether GDPR-compliant consent can truly be obtained in the context of IoT device usage has been the subject of discussion amongst legal practitioners and academics alike.
Article 4(11) of the GDPR provides that consent should be freely given, specific and informed and that there should be some affirmative action by the data subject to indicate consent to processing, for example by having a clear opt-in facility. This, coupled with the enhanced informational rights in respect of Privacy Notices (Articles 12-14), raises practical questions as to how companies in the context of the IoT can gain meaningful and informed consent. Furthermore, can consent be entirely informed unless the individual end user fully understands the technical aspects of how their data is processed? A valid counter-argument would be that providing information to a data subject that is too technical could fall foul of the transparency requirements of the GDPR.
Consent is not the only legal ground for processing. There is the Legitimate Interest condition, which can be used if Legitimate Interests are not outweighed by the interests of the individual. Moreover, Article 6(1)(f) refers to the “Fundamental Rights and Freedoms of the Data Subject”. In the IoT environment the processing of personal data is likely to affect the fundamental rights of the end user to a significant degree, for example, if health-related data is collected by a device. The Legitimate Interest condition places the onus on IoT stakeholders, when acting as data controllers, to be fair and transparent in their decision making when conducting the interest balancing exercise. It can be asserted, therefore, that when compared to consent, Legitimate Interest, when used as a lawful basis for processing, provides the end user with very little control.
The Article 29 Working Party in its Opinion of the Developments of the IoT alluded to the importance of empowering end users by allowing them to exercise their rights and be “in control of their personal data at any time”. This should, at least theoretically, facilitate end user control throughout the life cycle of the device or product.
With issues such as consent, and the seemingly fast pace of technologies appearing to potentially be a blot on the landscape of the GDPR, it appears that its primary aim of placing the individual at the core of Privacy will, even after its implementation into UK law, continue to be a work in progress.