The GDPR and the Internet of Things: A Three-Step Transparency Model

Law, Innovation and Technology

32 Pages Posted: 6 Mar 2018 Last revised: 9 Oct 2018

Sandra Wachter

University of Oxford - Oxford Internet Institute

Date Written: February 5, 2018


The Internet of Things (IoT) requires pervasive collection and linkage of user data to provide personalised experiences based on potentially invasive inferences. Consistent identification of users and devices is necessary for this functionality, which poses risks to user privacy. The General Data Protection Regulation (GDPR) contains numerous provisions relevant to these risks, which may nonetheless be insufficient to ensure a fair balance between users’ and developers’ interests. A three-step transparency model is described based on known privacy risks of the IoT, the GDPR’s governing principles, and weaknesses in its relevant provisions. Eleven ethical guidelines are proposed for IoT developers and data controllers on how information about the functionality of the IoT should be shared with users above the GDPR’s legally binding requirements. Two use cases demonstrate how the guidelines apply in practice: IoT in public spaces and connected cities, and connected cars.

Keywords: Data protection, Ethics, Privacy, Internet of things, Profiling

Suggested Citation

Wachter, Sandra, The GDPR and the Internet of Things: A Three-Step Transparency Model (February 5, 2018). Law, Innovation and Technology, Available at SSRN: or

Sandra Wachter (Contact Author)

University of Oxford - Oxford Internet Institute

1 St. Giles
University of Oxford
Oxford OX1 3PG Oxfordshire, Oxfordshire OX1 3JS
United Kingdom
