The consent and control conundrum in the Internet of Things

The consent and control conundrum in the Internet of Things

The Consent and Control conundrum in the Internet of Things
  • By Angeline Hayles-Henderson, Solicitor, Birmingham City Council

There is no doubt that the virtues and benefits of  emerging technologies such as the Internet of Things (IoT) , Big Data Analytics, Smart Cities  and more recently, Society 5.0 are being greatly extoled.

However, it would be remiss to fail to address an issue that some legal and technical commentators alike consider to be pivotal in building trust and confidence in how the personal data of individual end users are processed by IoT stakeholders: consent.

READ MORE: Internet-connected toys putting the privacy and safety of children at risk, warns ICO

Obtainment of informed consent should place the individual at the core of data processing considerations and implies retention of some degree of control on the part of the end user. However, in some cases this has proven to be a minefield to navigate under the current Data Protection Directive and the indications are that its likely to be even more so under the imminent General Data Protection Regulation (GDPR), the core aim of which is to enhance the rights of data subjects in an age where there has been a plethora of potentially privacy affecting technologies. The GDPR solidifies and builds upon the consent set out in the Directive to a higher standard.  Interestingly, the question of whether GDPR- compliant consent can truly be obtained in the context of IoT device usage has been the subject of discussion amongst legal practitioners and academics alike.

Article 4(11) of the GDPR provides that consent should be freely given, specific and informed and that there should be some affirmative action by the data subject to indicate consent to processing, for example by having a clear opt-in facility. This, coupled with the enhanced informational rights in respect of Privacy Notices (Articles 12-14) raises practical questions as to how companies in the context of the IoT can gain meaningful and informed consent. Furthermore, can consent be entirely informed unless the individual end user fully understands the technical aspects of how their data is processed? A valid counter-argument would be that providing information to a data subject that is too technical could fall foul of the transparency requirements of the GDPR.

READ MORE: 5 reasons why you need a GDPR-compliant privacy policy, and where to get one

Consent is not the only legal ground for processing. There is the Legitimate Interest condition which can be used if Legitimate Interests are not outweighed by the interests of the individual. Moreover, Article 6(1) (f) refers to the “Fundamental Rights and Freedoms of the Data Subject”. In the IoT environment the processing of personal data is likely to affect the fundamental rights of the end user to a significant degree, for example, if health-related data is collected by a device. The Legitimate Interest condition places the onus on IoT stakeholders when acting as data controllers, to be fair and transparent in their decision making when conducting the interest balancing exercise. It can be asserted, therefore, that when compared to consent, Legitimate Interest, when used as a lawful basis for processing provides the end user with very little control.

The Article 29 Working Party in its Opinion of the Developments of the IoT alluded to the importance of empowering end users by allowing them to exercise their rights and be “in control of their personal data at any time”. This should, at least theoretically, facilitate end user control throughout the life cycle of the device or product.

READ MORE: Over a million organisations infected by Botnet that enslaves IoT devices

With issues such as consent, and the seemingly fast pace of technologies appearing to potentially be a blot on the landscape of the GDPR,  it  appears that its primary aim of placing the individual at the core of Privacy  will, even after its implementation into UK law, continue to be a work in  progress.

Copyright Lyonsdown Limited 2021

Top Articles

RockYou2021 data leak: 8.4 billion passwords compromised

A report shows that 100GB of data which includes 8.4 billion passwords have been recently leaked on the internet, people are being encouraged to secure their accounts.

Hackers Breach Electronic Arts & Steal Game Code

Electronic Arts, one of the world's biggest video game publishers including games such as FIFA, Madden, Sims and Medal of Honor, are the latest company to be hacked.

JBS Foods paid £7.7m in ransom to REvil ransomware gang

JBS Foods, the world’s largest processor of beef and poultry products, has admitted to paying a ransom of $11 million to cyber criminals, a week after it announced that operations…

Related Articles

[s2Member-Login login_redirect=”” /]