Profiling the European Citizen in the Internet of Things: How Will the General Data Protection Regulation Apply to this Form of Personal Data Processing, and How Should It?
73 Pages Posted: 22 Mar 2016
Date Written: February 29, 2016
The Internet of Things increases the ability of companies to create detailed profiles of consumers. Profiling is not bad per se, but there might be negative effects for consumers when profiles are applied to them (discrimination, manipulation, loss of privacy). Recently, the Article 29 Working Party issued an opinion on how the current EU Data Protection Directive (Directive 95/46/EC) applies to data processing in the Internet of Things. However, the relevance of this opinion is limited in two ways. First, by the time the Internet of Things will have fully arrived, the main legal framework for the protection of individuals with regard to the processing of personal data will be the General Data Protection Regulation (GDPR). Second, the work of the Working Party is strongly influenced by the presumption that users must remain in control over their personal data, even though it is questionable whether such control is feasible in an Internet of Things-environment. Therefore, the Working Party opinion should be updated and reconsidered.
This master thesis explains how the new EU data protection framework will apply to profiling in the Internet of Things, including the new provisions that address profiling. Next to that, this thesis presents an alternative approach to data protection with regard to profiling in the Internet of Things. This approach does not concentrate on individual control. Instead, this thesis argues that in the Internet of Things data protection should mainly be about fair and transparent processing obligations for the data controller and processor. In particular controllers should inform the consumer in detail about the processing – not to give the consumer control, but to enable civil society to “control” the profiling to a certain extent. In connection with this, the GDPR provides ground to involve civil society organisations in data protection impact assessments. Such an approach is most promising to protect individual rights in this context.
Keywords: data protection; privacy; Directive 95/46/EC; General Data Protection Regulation; Internet of Things; profiling
Suggested Citation: Suggested Citation