Skip to main content

Research Repository

Advanced Search

Who is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption

Chen, Jiahong; Edwards, Lilian; Urquhart, Lachlan; Mcauley, Derek

Who is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption Thumbnail


Authors

Jiahong Chen

Lilian Edwards

Lachlan Urquhart

Derek Mcauley



Abstract

The growing industrial and research interest in protecting privacy and fighting cyberattacks for smart homes has sparked various innovations in security- and privacy-enhancing technologies (S/PETs) powered by edge computing. The complex technical set-up has however raised a whole series of legal issues surrounding the regulation of smart home with data protection law. To determine how responsibility and accountability should be fairly assumed by stakeholders, there is a pressing need to first clarify the roles of these parties within the existing data protection data protection legal framework. This article focuses on two legal concepts under the GDPR as the mechanisms to (dis)assign responsibilities to various categories of entities in a domestic IoT context: joint controllership and the household exemption. A close examination of the relevant provisions and case-law shows a widening notion of joint controllership and a narrowing scope for the household exemption. While this interpretative approach may prevent evasion of accountability in specific cases, it may lead to the unintended consequence of imposing disproportionate compliance burdens on developers, contributors, and users of smart home safety technologies. By discouraging users to adopt S/PETs, data protection law may likely lead to a lower level of privacy and security protection. The differential responsibilities among joint controllers as envisaged in case-law may reconcile the tensions to some degree, but certain limitations remain. The regulatory dilemma in this regard highlights some underlying assumptions of data protection law that are no longer valid with regard to a smart home, and thus calls for further conceptual and empirical studies on fair reassignment of responsibility and accountability in a domestic IoT setting.

Citation

Chen, J., Edwards, L., Urquhart, L., & Mcauley, D. (2020). Who is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption. International Data Privacy Law, 10(4), 279–293. https://doi.org/10.1093/idpl/ipaa011

Journal Article Type Article
Acceptance Date Jun 3, 2020
Online Publication Date Sep 2, 2020
Publication Date 2020-11
Deposit Date May 27, 2020
Publicly Available Date Mar 29, 2024
Journal International Data Privacy Law
Print ISSN 2044-3994
Electronic ISSN 2044-4001
Publisher Oxford University Press (OUP)
Peer Reviewed Peer Reviewed
Volume 10
Issue 4
Pages 279–293
DOI https://doi.org/10.1093/idpl/ipaa011
Keywords cybersecurity, Internet of Things, GDPR, household exemption, joint controller, privacy
Public URL https://nottingham-repository.worktribe.com/output/4518311
Publisher URL https://academic.oup.com/idpl/advance-article/doi/10.1093/idpl/ipaa011/5900395