https://orcid.org/0000-0001-5748-8631
![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
ABSTRACT
This article introduces information gathered through 21 semi-structured interviews conducted with UK, EU and international professionals in the field of General Data Protection Regulation (GDPR) compliance and technology design, with a focus on the smart home context and vulnerable people using smart products. Those discussions gave various insights and perspectives into how the two communities (lawyers and technologists) view intricate practical data protection challenges in this specific setting. The variety of interviewees allowed to compare different approaches to data protection compliance topics. Answers to the following questions were provided: when organisations develop and/or deploy smart devices that use personal data, do they take into consideration the needs of vulnerable groups of people to comply with the GDPR? What are the underlying issues linked to the practical data protection law challenges faced by organisations working on smart devices used by vulnerable persons? How do experts perceive data protection law-related problems in this context?
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 This study was approved by the Research Ethics Committee of the School of Computer Science, University of Nottingham (reference: CS-2020-R11).
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (General Data Protection Regulation, ‘GDPR’), [2016] OJ L 119/1.
3 See, for example, Stanislaw Piasecki and Jiahong Chen, ‘Complying with the GDPR When Vulnerable People Use Smart Devices’ (2022) 12(2) International Data Privacy Law 113 as well as Gianclaudio Malgieri and Jędrzej Niklas, ‘Vulnerable Data Subjects’ (2020) 37 Computer Law & Security Review 105415.
4 Milda Macenaite, ‘From Universal Towards Child-Specific Protection of the Right to Privacy Online: Dilemmas in the EU General Data Protection Regulation’ (2017) 19(5) New Media & Society 765; Convention on the Rights of the Child, GA Res. 44/25, annex, 44 UN GAOR Supp. (No 49) at 167, UN Doc. A/44/49 (1989).
5 Heather D'Cruz, Philip Gillingham and Sebastian Melendez, ‘Reflexivity, its Meanings and Relevance for Social Work: A Critical Review of the Literature’ (2005) 37(1) Brit J Soc Work 73, 77.
6 Geoff Walsham, ‘Doing Interpretive Research’ (2006) 15(4) European Journal of Information Systems 320, 320.
7 Carla Willig, Introducing Qualitative Research in Psychology (2nd edn, McGraw-Hill Education 2008) 17.
8 Victoria Clarke and Virginia Braun, ‘Thematic Analysis’ (2017) 12(3) The Journal of Positive Psychology 297, 297.
9 Virginia Braun and Victoria Clarke, ‘One Size Fits All? What Counts as Quality Practice in (Reflexive) Thematic Analysis?’ (2021) 18(3) Qualitative Research in Psychology 328, 333; Virginia Braun and Victoria Clarke, ‘Conceptual and Design Thinking for Thematic Analysis’ (2021) 9(1) Qualitative Psychology 3, 6–8.
10 Braun and Clarke, ‘One Size Fits All? What Counts as Quality Practice in (Reflexive) Thematic Analysis?’ 333 (n 9).
11 Virginia Braun and Victoria Clarke, ‘Using Thematic Analysis in Psychology’ (2016) 3(2) Qualitative Research in Psychology 77, 84.
12 Braun and Clarke, ‘One Size Fits All? What Counts as Quality Practice in (Reflexive) Thematic Analysis?’ 340 (n 9).
13 ibid.
14 ibid.
15 ibid 341.
16 ibid 331.
17 Braun and Clarke, ‘Conceptual and Design Thinking for Thematic Analysis’ 12 (n 9).
18 Virginia Braun and Victoria Clarke, ‘To Saturate or not to Saturate? Questioning Data Saturation as a Useful Concept for Thematic Analysis and Sample-Size Rationales’ (2021) 13(2) Qualitative Research in Sport, Exercise and Health 201, 206.
19 Braun and Clarke, ‘Conceptual and Design Thinking for Thematic Analysis’ 15 (n 9).
20 Braun and Clarke, ‘To Saturate or not to Saturate?’ 207 (n 18).
21 Braun and Clarke, ‘Conceptual and Design Thinking for Thematic Analysis’ 17 (n 9).
22 Braun and Clarke, ‘To Saturate or not to Saturate?’ 12 (n 18).
23 Nadezhda Purtova, ‘Do Property Rights in Personal Data Make Sense after the Big Data Turn?: Individual Control and Transparency’ (2017) 10(2) Journal of Law and Economic Regulation 64.
24 Florencia Luna, ‘Elucidating the Concept of Vulnerability: Layers Not Labels’ (2009) 2(1) International Journal of Feminist Approaches to Bioethics 121.
25 Michael Veale, Reuben Binns and Jef Ausloos, ‘When Data Protection by Design and Data Subject Rights Clash’ (2018) 8(2) International Data Privacy Law 105, 105.
26 Data Protection Commission, ‘Data Protection Commission’s two statutory inquiries into Facebook’s processing of children’s data on Instagram (opened in Sept 2020)’ (19 October 2020) <https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commissions-two-statutory-inquiries-facebooks-processing-childrens-data-instagram> accessed 2 June 2023.
27 Midas Nouwens and others, ‘Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence’ (CHI '20: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, Honolulu, April 2020).
28 Information Commissioner’s Office, ‘Age Appropriate Design: A Code of Practice for Online Services’ (2 September 2021) <https://ico.org.uk/for-organisations/childrens-code-hub/> accessed 2 June 2023.
29 Art. 6.1 (f) of the GDPR states that processing personal data is lawful when it is ‘necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’ (emphasis added).
30 European Data Protection Board, ‘Guidelines 4/2019 on Article 25 Data Protection by Design and by Default’ (12–13 November 2019) <https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201904_dataprotection_by_design_and_by_default.pdf> accessed 2 June 2023.
31 Veronica Donoso, Maarten Van Mechelen and Valerie Verdoodt, ‘Increasing User Empowerment through Participatory and Co-design Methodologies’ (EMSOC, 2014) <https://www.researchgate.net/publication/298722734_Increasing_User_Empowerment_through_Participatory_and_Co-design_Methodologies_EMSOC_report> accessed 2 June 2023.
32 Information Commissioner’s Office, ‘Age Appropriate Design’ 37 (n 28).
33 Ingrida Milkaite and Eva Lievens, ‘The Internet of Toys: Playing Games with Children's Data?’ in Giovanna Mascheroni and Donell Holloway (eds), The Internet of Toys: Practices, Affordances and the Political Economy of Children's Play (Palgrave Macmillan 2019) 285.
34 Piasecki and Chen (n 3).
35 European Data Protection Board, ‘Guidelines 4/2019 on Article 25 Data Protection by Design and by Default’ (n 30).
36 Sandra Wachter, ‘The GDPR and the Internet of Things: A Three-Step Transparency Model’ (2018) 10(2) Law, Innovation and Technology 266.
37 Mireille Hildebrandt and Laura Tielemans, ‘Data Protection by Design and Technology Neutral Law’ (2013) 29(5) Computer Law & Security Review 509.
38 Piasecki and Chen 128 (n 3).
39 Information Commissioner’s Office, ‘When do we need to do a DPIA?’ (2021) <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/> accessed 2 June 2023.
40 Maria Eduarda Gonçalves, ‘The Risk-Based Approach Under the New EU Data Protection Regulation: a Critical Perspective’ (2020) 23(2) Journal of Risk Research 139.
41 Alessandro Mantelero, ‘AI and Big Data: A Blueprint for a Human Rights, Social and Ethical Impact Assessment’ (2018) 34(4) Computer Law & Security Review 754.
42 Stanislaw Piasecki, Lachlan Urquhart and Derek McAuley, ‘Defence Against the Dark Artefacts: Smart Home Cybercrimes and Cybersecurity Standards’ (2021) 42 Computer Law & Security Review 105542.
43 TSA, ‘The Quality Standards Framework’ (2022) <https://www.tsa-voice.org.uk/-covid-19/safe-working-environments/quality-standards-fr/> accessed 2 June 2023; ID Cyber Solutions, ‘Cyber Essentials Plus’ (2022) <https://cyberessentials.online/cyber-essentials-plus/> accessed 2 June 2023.
44 Jiahong Chen and Lachlan Urquhart, ‘“They’re All About Pushing the Products and Shiny Things Rather than Fundamental Security”: Mapping Socio-Technical Challenges in Securing the Smart Home’ (2022) 31(1) Information & Communications Technology Law 99.
45 James Elliott Construction Limited v Irish Asphalt Limited, Case C-613/14, [2016] (ECLI:EU:C:2016:821); European Commission, ‘Harmonised Standards’ (2019) <https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards_en> accessed 2 June 2023.
46 See, for example, Department for Culture, Media and Sport, ‘Consultation on the Government's Regulatory Proposals regarding Consumer Internet of Things (IoT) Security’ (3 February 2020) <https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security/consultation-on-the-governments-regulatory-proposals-regarding-consumer-internet-of-things-iot-security> accessed 2 June 2023; British Standards Institution, ‘BSI Launches Kitemark for Internet of Things Devices’ (15 May 2018) <https://www.bsigroup.com/en-GB/about-bsi/media-centre/press-releases/2018/may/bsi-launches-kitemark-for-internet-of-things-devices/> accessed 2 June 2023.
47 The GDPR states that ‘in order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services’ (Rec. 100 and Art. 42 GDPR); Irene Kamara, Thordis Sveinsdottir and Simone Wurster, ‘Raising Trust in Security Products and Systems through Standardisation and Certification: The Crisp Approach’ (ITU Kaleidoscope: Trust in the Information Society (K-2015), Barcelona, December 2015).
48 European Data Protection Board, ‘Guidelines 4/2019 on Article 25 Data Protection by Design and by Default’ (n 30).
49 Convention on the Rights of the Child (n 4).
50 Information Commissioner’s Office, ‘Age Appropriate Design’ 35 (n 28).
51 Differential privacy means that ‘when a statistic is released, it should not give much more information about a particular individual than if that individual had not been included in the dataset’ and federated learning ‘is an emerging approach allowing the training of machine learning models on decentralised data, for privacy or practical reasons. A central server coordinates a network of nodes, each of which has training data. The nodes each train a local model, and it is that model which is shared with the central server. In other words, data is protected at the device level’ (The Royal Society, ‘Protecting Privacy in Practice. The Current Use, Development and Limits of Privacy Enhancing Technologies in Data Analysis’ (March 2019) <https://royalsociety.org/-/media/policy/projects/privacy-enhancing-technologies/privacy-enhancing-technologies-report.pdf> accessed 2 June 2023, 49–50).
52 Silicon Labs, ‘CHIP 180 - Connected Home over IP’ (2022) <https://www.silabs.com/support/training/connected-home-over-ip-intro> accessed 2 June 2023.
53 VentureBeart, ‘How Matter 1.0 will Enable Smart Home Devices to Work Together with All Major Ecosystems’ (2022) <https://venturebeat.com/ai/how-matter-1-0-will-enable-smart-home-devices-to-work-together-with-all-major-ecosystems/> accessed 2 June 2023.
54 Connectivity Standards Alliance, ‘Matter, The Foundation for Connected Things’ (CSA, 2022) <https://csa-iot.org/all-solutions/matter/> accessed 2 June 2023; CSA, ‘Building the Foundation and Future of the IoT’ (CSA, 2022) <https://csa-iot.org/> accessed 2 June 2023.
55 For a recent discussion on this topic see, for example, Stanislaw Piasecki, Jiahong Chen and Derek McAuley, ‘Putting the Right P in PIMS: Normative Challenges for Protecting Vulnerable People’s Data through Personal Information Management Systems’ (2022) 13(3) European Journal of Law and Technology 1.
56 Convention on the Rights of the Child (n 4).
57 Mantelero (n 41).