Best Practices and Recommendations
This section aims to provide an overview of the recommendations provided in guidelines and opinions of the European Data Protection Board, its predecessor A29 WP, national supervisory authorities, and stakeholders consultation. In most documents, the recommendations address specifically the different entities involved in the IoT ecosystem, namely (a) the users/consumers and others, (b) the Operating System (OS) and device manufacturers, (c) the third-party application developers, (d) other third parties, (e) the social networking platforms, f) the standardization/certification bodies, and (g) data platforms.
Human-Centric Approach Through Awareness and Education
The European Commission has emphasized that the IoT ecosystem should be human centric, empowering the data subjects to retain control over their data . Some authors suggest to that end a user-centric privacy management [74, p. 385], combined with raising awareness and educating individual users. IoT devices and applications should be accompanied by proper, sufficient, and understandable information, otherwise consent obtained on the basis of incomplete data protection policies may not be considered as informed and thus as nonvalid. For example, smart sex toys that can reveal very intimate information remind users to rethink the information provided to them, the information they choose to share and the security risks relating not only to the directly collected data but also to the inferred or derived .
Education must present engineering students and manufacturers of IoT devices with examples of “good privacy designs” and simple design principles to follow when creating smart objects and systems, addressing technical, organizational, and philosophical questions in a co-design process . Re-thinking the design of objects, having in mind “privacy first,” could, for instance, simply entail the addition of a switch that could allow consumers to visually understand the data transmissions of their devices and let them select whether the latter shall communicate with the cloud, with the local network, or shall refrain from transmitting any data .
This brings us to the argument that, to move from a traditional enterprise-centric approach of security and privacy to a human-centric one, empowering the data subject. requires cross-disciplinary efforts [25, p. 191], including research on philosophical, technical, and societal topics [65, p. 38]. Enabling user’s choice beyond “take-it-or-leave-it” models would require the re-thinking of how to provide consent alternatively through agile and continuous consent management [65, p. 37].
Incentives and Audits
Many of the documents studied prioritize a necessary mind shift. One way to motivate such change could be through Key Performance Indicators (KPIs) and metrics for security and data privacy, to provide incentives for manufacturers and retailers to consider data protection and privacy by design and by default as “key selling point of innovative technologies” [9, p. 21]. For the KPIs to be effective, they should be combined with continuous monitoring by internal and external oversight mechanisms and be reviewed through independent privacy and security audits.
Information by Design for the Sake of Transparency
The data controllers should offer simple opt-outs and/or granular choices on the type of the data being processed and the frequency of the data gathering, whenever applicable [9, p. 21]. They should also ensure that they have the right legal basis for further processing, in the case of repurposing or sharing with other entities and making sure that the appropriate technical and organizational measures are in place [9, p. 21].
The A29 WP has identified as “appropriate measures” for the provision of information for screenless smart technology and the IoT environment, the following:
icons, QR codes, voice alerts, written details incorporated into paper setup instructions, videos incorporated into digital set-up instructions, written information on the smart device, messages sent by SMS or email, visible boards containing the information, public signage or public information campaigns.
[52, p. 21]
As Recital 60 GDPR reads, information may be provided in combination with standardized icons—so-called privacy icons [80, p. 358], allowing the data controllers to take a multi-layered transparency approach, by reducing the need for lengthy written data protection/privacy policies [52, p. 25]. Specifically, icons that are presented electronically, which will be often the case for IoT devices or IoT device packaging, must be machine-readable [52, p. 25]. Currently, Personal Information Management Systems are emerging to enable user’s control over their personal data, but the need to develop new tools and mechanisms to facilitate the exercise of data subjects’ rights remains pressing [81, p. 6].
For instance, Wachter proposes a three-step transparency model, which requests data controllers in the IoT context to describe the possible risks, explain the kind of safeguards in place to limit in particular inaccurate assumptions and discrimination risks, and demonstrate transparent mitigation plans for addressing the risks in case of system compromise [40. pp. 12-13].