Who Is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption

10 Pages Posted: 12 Dec 2019


Jiahong Chen

University of Nottingham

Lilian Edwards

University of Newcastle - Law School

Lachlan Urquhart

University of Edinburgh - School of Law; Horizon Digital Economy Research Institute

Derek McAuley

University of Nottingham

Date Written: November 18, 2019

Abstract

The growing industrial and research interest in protecting privacy and fighting cyberattacks for smart homes has sparked various innovations in security- and privacy-enhancing technologies (S/PETs) powered by edge computing. The wide range of actors contributing to certain technical solutions with a view to building a safer smart home means that the legal landscape for those technologies is highly complex. To determine how responsibility and accountability should be fairly assumed by stakeholders, there is a pressing need to first clarify the roles of these parties within the existing data protection (DP) legal framework. This article focuses on two legal concepts under the GDPR as the mechanisms to (dis)assign responsibilities to various categories of entities in a domestic IoT context: joint controllership and the household exemption. A close examination of the relevant provisions and case-law shows a widening notion of joint controllership and a narrowing scope for the household exemption. While this interpretative approach may prevent evasion of accountability in specific cases, it may lead to the unintended consequence of imposing disproportionate compliance burdens on developers, contributors, and users of smart home safety technologies. By discouraging users from adopting S/PETs, DP law may likely lead to a lower level of DP protection. The differential responsibilities among joint controllers as envisaged in case-law may reconcile the tensions to some degree, but certain limitations remain. The regulatory dilemma in this regard highlights some underlying assumptions of DP law that are no longer valid with regard to a smart home, and thus calls for further conceptual and empirical studies on fair reassignment of responsibility and accountability in a domestic IoT setting.

Keywords: Internet of Things, smart home, data protection, privacy, cybersecurity, GDPR, joint controller, household exemption, accountability, responsibility

Suggested Citation

Chen, Jiahong and Edwards, Lilian and Urquhart, Lachlan and McAuley, Derek, Who Is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption (November 18, 2019). Available at SSRN: https://ssrn.com/abstract=3483511 or http://dx.doi.org/10.2139/ssrn.3483511

Jiahong Chen (Contact Author)

University of Nottingham

United Kingdom

Lilian Edwards

University of Newcastle - Law School

Newcastle upon Tyne, NE1 7RU
United Kingdom

Lachlan Urquhart

University of Edinburgh - School of Law

Old College
South Bridge
Edinburgh, EH8 9YL
United Kingdom

Horizon Digital Economy Research Institute

University of Nottingham Innovation Park
Triumph Road
Nottingham, NG7 2TU
United Kingdom

Derek McAuley

University of Nottingham

University Park
Nottingham, NG8 1BB
United Kingdom
