'Who is responsible for data processing in smart homes? Reconsidering joint controllership and the household exemption' by Jiahong Chen, Lilian Edwards, Lachlan Urquhart, Derek McAuley in (2020) International Data Privacy Law comments
The growing industrial and research interest in protecting privacy and fighting cyberattacks for smart homes has sparked various innovations in security- and privacy-enhancing technologies (S/PETs) powered by edge computing. The complex technical set-up has however raised a whole series of legal issues surrounding the regulation of smart home with data protection law.
To determine how responsibility and accountability should be fairly assumed by stakeholders, there is a pressing need to first clarify the roles of these parties within the existing data protection legal framework. This article focuses on two legal concepts under the General Data Protection Regulation (GDPR) as the mechanisms to (dis)assign responsibilities to various categories of entities in a domestic Internet of Things (IoT) context: joint controllership and the household exemption.
A close examination of the relevant provisions and case-law shows a widening notion of joint controllership and a narrowing scope for the household exemption. While this interpretative approach may prevent evasion of accountability in specific cases, it may lead to the unintended consequence of imposing disproportionate compliance burdens on developers, contributors, and users of smart home safety technologies. By discouraging users to adopt S/PETs, data protection law may likely lead to a lower level of privacy and security protection. The differential responsibilities among joint controllers as envisaged in case-law may reconcile the tensions to some degree, but certain limitations remain. The regulatory dilemma in this regard highlights some underlying assumptions of data protection law that are no longer valid with regard to a smart home, and thus calls for further conceptual and empirical studies on fair reassignment of responsibility and accountability in a domestic IoT setting.
The authors argue
Smart home Internet of Things (IoT) devices are notoriously badly secured. Commercial practices geared towards usability see devices shipped with default passwords, but users rarely change these. This has led to cases of IP connected cameras being remotely accessible via search engine Shodan, enabling babies to be monitored sleeping. Similarly, poorly secured devices can be more vulnerable to remote access attacks, implicating them in botnets. We have seen this in the case of the Mirai, Persirai and Reaper botnets. Concurrently, there are growing concerns about the personal data-driven economy resulting from new compliance requirements and high fines under the General Data Protection Regulation (GDPR). A key issue is the dominant cloud-based big data analytics infrastructure dominating IoT product and service design. It enables creation of cheaper devices with data collected locally, analysed remotely, and the service provided locally again.
These IoT privacy and security concerns have sparked a growing research agenda in creating local data storage and analysis infrastructures, where data analytics is brought to the data, as opposed to centralizing the data. This provides users more control over who accesses their data, why, for how long, and so forth. From a regulatory perspective, the European Data Protection Supervisor (EDPS) has extolled the virtues of such personal information management systems (PIMS) sitting at the edge of the network, as has a recent Royal Society report.
Development and adoption of security- and privacy-enhancing technologies (S/PETs) are not just priorities on the EU’s Digital Single Market Strategy, but indeed encouraged or even required by the GDPR. Yet, the uptake of these technologies will depend on a suitable legal environment with appropriate regulatory incentives provided for developers and users of such technologies and without imposing excessive compliance burdens on them. We however have concerns over the potential impact of data protection law on S/PETs in a domestic IoT context, especially considering how responsibility and accountability are assigned to various groups of actors under the current legal framework. The notion of joint controllers and the household exemption are therefore of significant relevance as they serve as the GDPR’s primary mechanisms to identify the parties responsible to ensure data protection requirements are met.
To illustrate the implications of joint controllership and the household exemption for domestic IoT S/PETs with edge computing solutions, this article will look at two ongoing research initiatives. The Databox project (funded by the UK's Engineering and Physical Sciences Research Council, EPSRC) demonstrates how data protection principles can be built into data processing architectures by design. With personal data stored and analysed on a local PIMS, Databox aims to enable users to benefit from the use of their data without compromising their data privacy. Work by Urquhart et al. considers how it enables accountability, as required in Article 5(2) of the GDPR, by providing mechanisms both for substantive compliance, but also demonstrating compliance. Another EPSRC-funded project, Defence Against Dark Artefacts (DADA), addresses smart home cybersecurity risks by identifying strategies for providing security threat management at the edge of the network. This is achieved by screening the behaviour of devices on the network, and detecting when activity is abnormal. If data flows are going to unexpected destinations or exhibiting abnormal patterns, this may indicate threat actors with remote access or stealing information.
The development and operation of both Databox and DADA, however, relies heavily on the collection and analysis of device data (which may turn out to be personal or even sensitive data) and involve a wide range of actors who may or may not be categorized as data controllers or data subjects. The complexity of legal relationships in IoT has been highlighted in the literature, and S/PETs will only further increase such complexity. Stakeholders surrounding such systems include architectural developers (eg Databox and DADA developers), third-party component builders (service/app/driver providers), device manufacturers and users, while homeowners, family members, neighbours and visitors may be affected. All these complexities pose pressing questions in both theoretical and practical terms about how responsibilities are managed, and who the different stakeholders are.
In a scenario where, for example, a homeowner has set up the smart home with such an S/PET solution, should they be treated as a (joint) data controller? If so, can they reasonably claim they are exempted from the controller obligations on the basis of a purely household activity? What about the other involved parties, such as developers of the S/PET system? Fundamentally, and as will be shown below, these questions may eventually come down to the fair allocation of data protection responsibility and accountability among a range of stakeholders. Edge computing for smart homes holds great promise with its architecture designed to keep the use of personal data inside the home, but it remains unclear whether using such technologies would turn homeowners into liable joint controllers. As the rest of this article will show, the way joint controllers and the household exemption have been construed in case-law—with the intention to provide seamless protection to data subjects—may end up running counter to this objective by creating deterrence against the uptake of S/PETs such as Databox and DADA.
