Abstract

This paper explores the importance of accountability to data protection, and how it can be built into the Internet of Things (IoT). The need to build accountability into the IoT is motivated by the opaque nature of distributed data flows, inadequate consent mechanisms, and lack of interfaces enabling end-user control over the behaviours of internet-enabled devices. The lack of accountability precludes meaningful engagement by end-users with their personal data and poses a key challenge to creating user trust in the IoT and the reciprocal development of the digital economy. The EU General Data Protection Regulation 2016 (GDPR) seeks to remedy this particular problem by mandating that a rapidly developing technological ecosystem be made accountable. In doing so it foregrounds new responsibilities for data controllers, including data protection by design and default, and new data subject rights such as the right to data portability. While GDPR is ‘technologically neutral’, it is nevertheless anticipated that realising the vision will turn upon effective technological development. Accordingly, this paper examines the notion of accountability, how it has been translated into systems design recommendations for the IoT, and how the IoT Databox puts key data protection principles into practice.

Highlights

  • The ‘connected home’ currently sits at the ‘peak of inflated expectations’ in Gartner’s often-cited hype cycle, and the Internet of Things (IoT) is a key driver of the hype.[1]

  • This article explores the importance of accountability to data protection (DP), and how it can be built into the Internet of Things (IoT)

  • While the General Data Protection Regulation (GDPR) is ‘technologically neutral’, it is anticipated that realizing the vision will turn upon effective technological development


Summary

INTRODUCTION

The ‘connected home’ currently sits at the ‘peak of inflated expectations’ in Gartner’s often-cited hype cycle, and the Internet of Things (IoT) is a key driver of the hype.[1]

Article 24 focuses on the nature of their wider responsibilities: Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.

In accordance with Article 24, taking into account the nature, scope, context, purposes and risks of processing, DPbD shall reflect the ‘state of the art’.[43] This includes putting appropriate ‘technological’ measures in place to demonstrate accountability and achieve compliance. Accountability turns on the ability to question accounts provided by data controllers around their data handling practices. This requires that record keeping about data processing is in place to demonstrate that compliance with GDPR has been considered and acted upon.

Article 45 states transfers can occur to countries deemed to provide adequate protection by the European Commission, including Uruguay, art 5(1)(b) GDPR. art 5(1)(c) GDPR. art 5(1)(e) GDPR, with the exception of longer storage for archiving in the public interest, scientific or historical research or statistical purposes

Articulating and responding to processing responsibilities
Findings
Limitations on international data transfer
