Demonstrably doing accountability in the Internet of Things

Abstract

This article explores the importance of accountability to data protection (DP), and how it can be built into the Internet of Things (IoT). The need to build accountability into the IoT is motivated by the opaque nature of distributed data flows, inadequate consent mechanisms and lack of interfaces enabling end-user control over the behaviours of Internet-enabled devices. The lack of accountability precludes meaningful engagement by end users with their personal data and poses a key challenge to creating user trust in the IoT and the reciprocal development of the digital economy. The European Union General Data Protection Regulation 2016 (EU GDPR) seeks to remedy this particular problem by mandating that a rapidly developing technological ecosystem be made accountable. In doing so, it foregrounds new responsibilities for data controllers, including DP by design and default, and new data subject rights such as the right to data portability. While GDPR is ‘technologically neutral’, it is nevertheless anticipated that realizing the vision will turn upon effective technological development. Accordingly, this article examines the notion of accountability, how it has been translated into systems design recommendations for the IoT and how the IoT Databox puts key DP principles into practice.