My home is my castle?
For years, fictional smart homes have been portrayed in books and movies. Nowadays, fiction is becoming reality. Everyone can move into an apartment where every device is tailored to them. Advancing technology makes people’s lives easier; however, it also poses many risks and raises a lot of legal challenges.
The idea of smart homes
In ancient times men hunted mammoths and built fires to survive. In the 90’s people ordered pizza from their phone. Today, we have smart homes with self-filling fridges that know, even better than us, what to order for dinner. Without a doubt, such technology makes our lives easier, but it also interferes with our privacy. This is why today’s challenge is to find a balance between a better quality of life and safeguarding privacy.
Smart houses are part of a bigger domain, the so-called Internet of Things (IoT). This term was first introduced by Kevin Ashton in 1999 in his presentation for Procter & Gamble. Since then, this concept has not had a unanimously agreed definition.[1] Generally speaking, when we refer to the IoT we understand the concept of an interconnected environment of physical objects linked to the Internet through small built-in sensors, which creates a computer-based ubiquitous ecosystem in order to facilitate and introduce functional solutions for daily routines and activities.[2] In other words, the IoT is an intranet for smart devices. As mentioned above, smart homes are included in this definition. They encompass items such as smart household devices, thermostats and lighting.
Living in a smart house is comparable to living in the Jetsons’ family house from the famous 60’s animated sitcom.
The legal framework of smart house environments
The phenomenon of processing personal data
Apart from being an object of admiration, smart houses raise a lot of questions and present many legal challenges. First of all, it should be noted that the legal aspects of smart houses have not yet been regulated extensively.[1] There are no provisions that directly regulate smart devices. This means that it will be necessary to apply solutions that already exist. Thus, the biggest hardship we now face is finding the existing provisions that ought to be applied to the smart device environment. In order to solve this problem, the European Commission’s working group has prepared Opinion 8/2014 [2] that addresses key issues involving the applicability of data protection law in the IoT domain.
From the opinion we can draw the conclusion that, due to the way smart houses function, personal data processing often, if not always, occurs. In order to support this statement we should first analyse the definition of personal data. According to Article 2 of the “old” Directive 95/46/EC [3] “personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
According to Article 4 GDPR [4] “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Examining these two definitions demonstrates a broad notion of personal data that was adjusted to changing realities. In light of the new definition envisaged in GDPR, location data or an online identifier, inter alia, should be considered personal data. The latter is not only a traditional online identifier but also an identifier that uses RFID technology (widespread in smart devices).
Taking into consideration the above-mentioned definitions and the specificities of smart house environments, which are based on RFID technology, it becomes apparent that personal data processing occurs in smart houses. It is possible to identify a person by analysing her position, ways of moving or patterns of behaviour.[5]
Legal basis of processing personal data
Consent. The processing of personal data has to have a legal basis. GDPR lists them without an order of priority. However, in practice, in smart homes the most important legal basis will be the consent of the data subject.
Consent must be valid, freely given, specific, informed and active. However, a lot of smart home devices are not equipped with screens or keyboards. Until now, constructors focused on functionality rather than privacy issues.[1] For this reason, it is necessary to ask: what should the user’s consent look like? It is obvious that the simple act of switching on a device cannot be treated as valid consent. Therefore, the best solution for obtaining valid consent may well be sticky policies.
A sticky policy is based on human nature and repetitive patterns of people’s behaviour. A smart device remembers the privacy choice that a person has made before and uses the same option in the next selection. This system’s functioning is based on machines’ ability to learn by observing people’s habits. This way of making decisions may seem the best option to legalise the processing of personal data in smart houses.[2]
Contract. Another legal basis for personal data processing is a contract. Article 7 b GDPR states that the processing is legitimate when it is necessary for the performance of a contract to which the data subject is party. Operations with data are legitimised after signing a contract and concern only the data subject who is a party. A second limitation is the necessity of processing data in order to perform a contract. According to this provision, gathering data of people who are not a party is prohibited.[3]
It may seem that the contractual basis has little chance of being widely used in smart homes. It is hard to imagine that every member of the family will be a party to the contract. It is impossible due to the fact that many smart house residents have no legal capacity. What is more, a smart home is still a home. Sociability is part of human nature and it is hard to imagine that greeting guests by forcing them to sign a contract will become a new tradition. Moreover, this kind of consent could not be treated as freely given.
Legitimate interest. The collecting of personal data can be justified by legitimate interests. Article 6(1)(f) of GDPR permits the processing of personal data where it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” This situation poses a serious risk of infringement of human rights and there is little chance that stakeholders of smart devices would use this legal basis.[4]
Defining data controller, data processor and data subject
Processing of personal data involves activities of many entities. These actors are: data subject, data processor and data controller. Defining who exercises which role in a smart house is important for many legal reasons. Data processors and controllers bear liability for personal data breaches, while data subjects have, inter alia, a right to data portability as well as to withdraw consent.
One of the biggest challenges in a smart home environment is to determine who exercises the role of data controller. In a nutshell, the data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.
Thus, from a smart house’s perspective the following shall be considered data controllers: device manufacturers, social platforms, third-party applications, device lenders or renters, data brokers or data platforms.[5]
Device manufacturers. In the traditional world we would have considered as manufacturers the persons or entities who produce, sell or label products. The IoT domain is characterised by its own singularity. The complexity of the operating systems that are components of smart devices results in extending the notion of manufacturers. Under this term, one shall also consider developers or modifiers of operating systems, as well as software installers. In order to ensure that the system functions properly, these entities have to acquire knowledge about the data and the frequency of collection and define the entities who receive such information. Thus, it shall be concluded that device manufacturers meet the criteria set for data controllers under GDPR.[6]
Social platform developers. It is commonly known that people are willing to share their lives on social media platforms. Seeing photos of food that has just been consumed or the number of calories burned on social platforms has become part of our lives. One shall assume it will be the same with smart homes. The prospect of someone sharing a smart fridge’s order seems likely and to be expected in this day and age. In all likelihood, this will happen via a smart-home tailored app. Thus, once someone agrees to the terms and conditions of an app that is tied to a social media platform, all the data gathered through the smart product will also be processed by the social network for its own determined aims.
Other third parties. Smart houses store gigabytes of data that is of huge value to other third parties. In order to profile customers and propose tailor-made offers, chain stores wish to gain some insights into customers’ eating habits. By implementing this strategy, business actors can generate a profit. Taking into account the number of their consumers, this can add up to an enormous income. If these players acquire data, they shall also be considered as data processors. However, we should underline that third entities have no power in defining what kind of data is collected; this is a fundamental difference between third parties and manufacturers.[7]
Data subject. In light of GDPR, users of domotics are treated as data subjects. As long as their personal data is collected only for domestic purposes, they fall outside this designation. However, the business model of smart houses presupposes sending data to manufacturers. Thus, the possibility of applying this exclusion is rather minimal.
It should also be added that the notion of data subject cannot be limited only to residents. Devices also register visitors’ moves, and gather and process data about them. This means that it is necessary to have a legal basis for processing visitors’ data.[8] This constitutes another legal challenge.
Privacy in smart houses. Privacy as a fundamental right
Fundamental rights are an indispensable element of democracy. They are the basis of democratic orders. The most commonly known acts where fundamental rights are enshrined are: the Convention of Human Rights[9] and the European Charter of Fundamental Rights.[10] Although these are the basis of modern societies, they do not comprise technology issues, which are immanent elements of today’s world. Bridging this technological gap takes place through looking at case law. By analysing rulings and factual states one draws the conclusion that the idea of human dignity needs reshaping.[11]
In smart homes people are treated as objects, a collection of valuable data that can be exchanged. The biggest legal challenge is to prevent such a perception. This is the reason why it is necessary to extend the notion of human dignity, freedom of expression and privacy by including in it the right to be forgotten or the right to opt out from the electronic world.[12]
It may seem that the right at stake in a smart home is the right to privacy. Article 8 of the Convention states that: “Everyone has the right to respect for his private and family life, his home and his correspondence.” In many rulings the ECHR describes this provision as My home is my Castle. It shall be underlined that privacy and data protection are not the same notions. In order to distinguish them, the concept of opacity and transparency can be useful.[13] According to this theory, privacy is considered a tool of opacity, which means it serves as a veil against unwanted insight. On the other hand, data protection is a tool of transparency that allows private entities to be safeguarded, by enacting laws, from the abuse of data processing. However, it shall be underlined that these notions share the same core[14] – the idea of autonomy and dignity.[15]
Privacy in houses seems like an indispensable element of the idea of the home and a premise of its sanctity. Usually, the threshold of the house was a demarcating line between our private and public spheres. In a smart house, this division seems outdated. Today, people have a tendency to let everyone in. Not by opening the door to a stranger, but by installing smart devices. All data that are gathered can be public and available in a cloud. Potentially, everyone has the possibility to see how much we sleep, at what time we come back home, what our exercise routine looks like or what the title of our favourite TV episode is.[16] Privacy has become public.
People decide to live in smart homes because it optimises their life. They perceive smart homes as a product which increases the comfort of their life. They are not aware that a house equipped with sensors is also a tool to gather data, which can be used by public or private entities. They are not aware that the fridge can spy on them. Recent years have shown that residents of smart houses cannot feel safe and sound.
One has to bear in mind that smart home devices are always listening to you. It is true that they activate after a keyword is used, but first they have to hear it. Having a smart device is like allowing someone to install bugs in your house.[17] It shall be underlined that smart devices also record ambient noises. During day-to-day conversations, we convey a large amount of information. Thus, it should not come as a surprise that an advertisement that has just popped up on the computer’s screen is linked with a conversation that we had the day before with our relatives.
Does anyone remember the communist era, when every move and word was registered by an army of spies? Now the government has no need for them. Smart devices allow authorities to easily “move into” citizens’ homes. One also ought to remember the WikiLeaks affair, which released information indicating that the CIA and MI5 created a “fake off” mode in Samsung smart TVs that allows conversations to be recorded without users’ awareness.[18] It shall be added that authorities are not the only entities that can spy on you. Vizio company was fined over 2 million US Dollars over allegations of tracking viewers without their consent.[19] Smart devices were also targeted by hackers. Cyber criminals ‘broke in’ to baby monitors.[20]
It is ironic that in order to protect their security and privacy, people in practice actually get rid of them. By building their own castle, they have built a Panopticon where all smart devices exercise the role of watchmen and residents are not able to tell whether or not they are under scrutiny.
Privacy by design and by default
The EU noticed that using smart devices constitutes a threat to privacy. To prevent data leaks and system hacking, the EU imposed new obligations on data processors and controllers. They are obliged to protect data from the moment of a smart device’s creation.
GDPR is a great shift in the current tech-approach and shows how thinking about smart devices and the necessity to protect privacy and data have changed. In 2014 ENISA stated that “privacy and data protection features are, on the whole, ignored by traditional engineering approaches when implementing the desired functionality. This ignorance is caused and supported by limitations of awareness and understanding of developers and data controllers as well as lacking tools to realize privacy by design. While the research community is very active and growing, and constantly improving existing and contributing further building blocks, it is only loosely interlinked with practice.”[21]
GDPR envisages two ways of protecting data: privacy by design and privacy by default. These ways of protecting data can be used in smart devices. The first model of protecting privacy requires applying this idea in the design. In other words, the design of items shall apply such solutions as: data anonymization, a user-friendly interface and minimal data retention limits. The second option is called privacy by default. This rule requires closing gateways as the default setting. This option can be changed only through the awareness of the data subject – the person whose data is going to be transferred should change this setting.
Both methods represent a proactive approach as they focus on preventing privacy violations instead of removing their consequences. It is a risk-based approach. Every data controller shall assess the risk of technology and select the best way to protect data. GDPR does not indicate specific methods for data protection. But from a smart home environment perspective the most suitable method shall be data encryption. The functioning of smart houses is based on the exchange of information between devices – possibly through RFID technology.
Conclusion
The advent of new technology is immanently tied with new legal challenges. The reason for this is that the digital world creates terra incognita with new actors, new business models and new resources: personal data. Data is the new oil and thanks to people’s activity it is superabundant.
For those who acquire the knowledge of how to use this new oil, the future ought to be bright.[22]
One of the methods of extracting data is smart homes. The amount of information that is gathered there is immense. Unfortunately, only a few people know about it. In order to make their lives easier they decide to live in smart homes. And the price that is paid for living there is not money, but the inhabitants’ privacy, personal data and security.
In order to protect people, legislators enact laws. However, laws in many cases do not keep up with innovations. In order to solve these issues, tight cooperation and a change of approach are needed. On the one hand, technologists and programmers must take into consideration data protection and privacy issues in the development phase of tech-items. On the other hand, lawyers and legal experts have to reshape core notions and concepts of some legal definitions.
Last but not least, residents of smart houses must also put in the effort and ask themselves one essential question: how much of my private life am I willing to sacrifice in order to eat crunchy toast in front of a Vizio TV?
[1] K. Ashton, That ‘Internet of Things’ Thing, [website], 2009, http://www.rfidjournal.com/articles/view?4986
[2] FTC Staff Report, Internet of Things: Privacy & Security in a Connected World, 2015, p. 5
[1] P. Litwiński, Internet of things. Legal aspects [online video], https://www.youtube.com/watch?v=0k9S8yuI_ic&t=608s
[2] Article 29 Working Party, Opinion 8/2014 on the Recent developments on the Internet of Things, WP 223, 2014, p. 7, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf
[3] Article 2 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereafter Data Protection Directive or “DPD”)
[4] Article 4 of Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereafter GDPR)
[5] P. Litwiński, op. cit.
[1] L. Edwards, Privacy, Security and data protection in smart cities: A critical EU law perspective, European Data Protection Law Review 2(1), p. 28-58.
[2] Ibid., p. 33
[3] J. Barta, Data Protection. Commentary, Kraków, 2015, p. 143
[4] Article 29, op. cit., p. 15
[5] Article 29, op. cit., p. 11
[6] Ibid., p. 12
[7] Ibid., p. 13
[8] Ibid., p. 12
[9] European Convention of Human Rights, Rome, 1950
[10] Charter of Fundamental Rights of the European Union, 7 December 2000
[11] H.R. Schindler et al., Europe’s policy options for a dynamic and trustworthy development of the Internet of Things (SMART 2012/0053), prepared for the European Commission, DG Communications Networks, Content and Technology (CONNECT), Brussels (31 May 2013), http://www.rand.org/pubs/research_reports/RR356.html, p. 90-92
[12] Ibid.
[13] P. Hert, S. Gutwirth, Privacy, Data Protection and Law Enforcement. Opacity of the Individual and the Transparency of Power, p. 61
[14] P. Blume, Data Protection and Privacy – Basic Concepts in a Changing World, Scandinavian Studies in Law (Volume 56, 2010), p. 152.
[15] P. Hustinx, EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, 2014, [website] https://edps.europa.eu/data-protection/our-work/publications/speeches-articles/eudata-protection-law-review-directive_en (accessed 14 November 2017)
[16] B-J. Koops, On Legal Boundaries, Technologies, and Collapsing Dimensions of Privacy, Politica e Società 3(2), p. 247-264
[17] B. Prayank, How Smart Home Assistants Are Killing Your Privacy, [website], 2017, https://www.guidingtech.com/64646/echo-google-home-cortana-siri-privacy-issues
[18] C. McGoogan, Why your smart TV is the perfect way to spy on you [website], 2017, http://www.telegraph.co.uk/technology/2017/03/08/smart-tv-perfect-way-spy
[19] J. Kastrenakes, Most smart TVs are tracking you — Vizio just got caught [website], 2017, https://www.theverge.com/2017/2/7/14527360/vizio-smart-tv-tracking-settlement-disable-settings
[20] K. Hill, ‘Baby Monitor Hack’ Could Happen To 40,000 Other Foscam User [website], 2017, https://www.forbes.com/sites/kashmirhill/2013/08/27/baby-monitor-hack-could-happen-to-40000-other-foscam-users/#5e5328a358b5
[21] G. Danezis et al., Privacy and Data Protection by Design – from Policy to Engineering (ENISA: Heraklion 2014), p. 4
[22] A. Rajan, Data is not the new oil [website], 2017, http://www.bbc.com/news/entertainment-arts-41559076