The GDPR and the Internet of Things: A Three-Step Transparency Model
Law, Innovation and Technology doi.org/10.1080/17579961.2018.1527479
32 Pages. Posted: 6 Mar 2018. Last revised: 9 Oct 2018
Date Written: February 5, 2018
Abstract
The Internet of Things (IoT) requires pervasive collection and linkage of user data to provide personalised experiences based on potentially invasive inferences. Consistent identification of users and devices is necessary for this functionality, which poses risks to user privacy. The General Data Protection Regulation (GDPR) contains numerous provisions relevant to these risks, which may nonetheless be insufficient to ensure a fair balance between users’ and developers’ interests. A three-step transparency model is described based on known privacy risks of the IoT, the GDPR’s governing principles, and weaknesses in its relevant provisions. Eleven ethical guidelines are proposed for IoT developers and data controllers on how information about the functionality of the IoT should be shared with users above the GDPR’s legally binding requirements. Two use cases demonstrate how the guidelines apply in practice: IoT in public spaces and connected cities, and connected cars.
Keywords: Data protection, Ethics, Privacy, Internet of things, Profiling