Who Is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption
10 Pages Posted: 12 Dec 2019
Date Written: November 18, 2019
The growing industrial and research interest in protecting privacy and fighting cyberattacks for smart homes has sparked various innovations in security- and privacy-enhancing technologies (S/PETs) powered by edge computing. The wide range of actors contributing to certain technical solutions with a view to building a safer smart home means that the legal landscape for those technologies is highly complex. To determine how responsibility and accountability should be fairly assumed by stakeholders, there is a pressing need to first clarify the roles of these parties within the existing data protection (DP) legal framework. This article focuses on two legal concepts under the GDPR as the mechanisms to (dis)assign responsibilities to various categories of entities in a domestic IoT context: joint controllership and the household exemption. A close examination of the relevant provisions and case-law shows a widening notion of joint controllership and a narrowing scope for the household exemption. While this interpretative approach may prevent evasion of accountability in specific cases, it may lead to the unintended consequence of imposing disproportionate compliance burdens on developers, contributors, and users of smart home safety technologies. By discouraging users to adopt S/PETs, DP law may likely lead to a lower level of DP protection. The differential responsibilities among joint controllers as envisaged in case-law may reconcile the tensions to some degree, but certain limitations remain. The regulatory dilemma in this regard highlights some underlying assumptions of DP law that are no longer valid with regard to a smart home, and thus calls for further conceptual and empirical studies on fair reassignment of responsibility and accountability in a domestic IoT setting.
Keywords: Internet of Things, smart home, data protection, privacy, cybersecurity, GDPR, joint controller, household exemption, accountability, responsibility
Suggested Citation: Suggested Citation