Personal and Ubiquitous Computing – Realising the right to data portability for the domestic Internet of things
From the journal Personal and Ubiquitous Computing comes a paper on realising the right to data portability for the domestic Internet of things. This paper is free to read through September 2019.
Bringing the new right to data portability (RTDP) from an abstract legal provision in Article 20 of the EU General Data Protection Regulation (GDPR) 2016 into practice requires a greater role for the IT design community. Simply put, the RTDP seeks to empower users by giving them greater control over their personal data, enabling them to both acquire their data and then move it around, for example to a different data controller. In this paper, we focus on how IT designers can use Privacy by Design (PbD) approaches to respond to these RTDP obligations. We are particularly interested in how the RTDP plays out for the technological context of the domestic Internet of things (IoT). By examining the legal, commercial and technical landscape around the RTDP, we can begin to unpack the practical roadblocks and opportunities ahead in implementing the right in practice.
Legally, IT designers are increasingly being called upon to engage with regulatory compliance through Article 25 of the GDPR. This provision establishes the legal obligation to do information privacy by design and default for personal data-driven technologies. PbD mandates creation of safeguards to satisfy the requirements of the entire GDPR and protect data subject rights. This requires IT designers to build appropriate technical or organisational safeguards into the system, taking into account the state of the art, cost of implementation, and nature, scope and purpose of processing.
We are particularly interested in the domestic IoT domain, where personal information is collected by physical sensors and actuators installed in socially complex, traditionally private settings. Many IoT services maintain an ongoing relationship with users where their personal data is mined and analysed with the goal of providing value-added, contextually appropriate services, for example automating routine tasks like room heating management. Readings from motion, temperature or CO2 sensors can be combined to make inferences, develop behavioural profiles and make predictions about users. There are privacy implications around how such IoT-derived personal data is pieced together to create models of room and building occupancy.
IoT devices often dictate how users can interact with their personal data. Seemingly mundane design decisions around supported interactions and how a system handles data (e.g. cloud or local storage) can limit control and transparency around the personal data flows. This can impact user comprehension about how their data are being used (e.g. for profiling, targeted behavioural advertising, law enforcement investigations), and accordingly impacts their agency to exercise their legal rights (e.g. how to do subject access requests or withdraw consent). Greater attention needs to be paid to how these IoT systems are designed and their associated data-driven business models to foster trust in these new technologies.
Data is utilised by many stakeholders in the IoT data supply chain, often legitimised by the legal fiction of informed consent through service terms and conditions. The scope for IoT privacy harms often stems from risks around data flowing beyond appropriate contexts, without adequate user oversight. Legally, the lack of scope users have to control data flows after the data is collected is a concern for ethical and sustainable growth of the emerging IoT market. A key motivation of the RTDP is redressing the dominant model of centralising data from different sources for subsequent analytics.
In this paper, we challenge the current zeitgeist that monetisation of data, with its incumbent legal obligations, is the best business model for many personal domestic IoT systems. However, in response, we also offer new directions through a PbD approach and novel technical platforms and architectures, like personal information management systems (PIMS). PIMS support realisation of legal rights by giving users greater control over their personal data. More broadly, they provide a route to rebalancing power asymmetries between users and service providers, by disrupting emergent commercial practices of IoT services.
The paper proceeds as follows. In Sect. 2, we introduce the RTDP, its legal nature, and what it requires from IT designers, whilst reflecting on its limitations, particularly in relation to domestic IoT. In Sect. 3, we consider regulatory challenges from the emerging domestic IoT sector and situate our arguments within the wider legal mandate of RTDP as part of doing information PbD for the IoT. In Sect. 4, we focus on technical approaches to support realisation of RTDP, namely PIMS. The state of the art in data management architectures, tools and platforms that can provide portability, increased transparency and user control over data flows is analysed. In Part IV, we bring our perspectives together to reflect on the numerous technical, legal and business barriers and opportunities that will shape implementation of the right in practice, and how the relationship may shape future IoT innovation and business models. We finish with brief conclusions about the ongoing relationship between RTDP and PbD for the IoT.