Who Is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption

The growing industrial and research interest in protecting privacy and fighting cyberattacks for smart homes has sparked various innovations in security- and privacy-enhancing technologies (S/PETs) powered by edge computing. The complex technical set-up has however raised a whole series of legal issues surrounding the regulation of smart homes with data protection law. To determine how responsibility and accountability should be fairly assumed by stakeholders, there is a pressing need to first clarify the roles of these parties within the existing data protection legal framework. This article focuses on two legal concepts under the GDPR as the mechanisms to (dis)assign responsibilities to various categories of entities in a domestic IoT context: joint controllership and the household exemption. A close examination of the relevant provisions and case-law shows a widening notion of joint controllership and a narrowing scope for the household exemption. While this interpretative approach may prevent evasion of accountability in specific cases, it may lead to the unintended consequence of imposing disproportionate compliance burdens on developers, contributors, and users of smart home safety technologies. By discouraging users from adopting S/PETs, data protection law is likely to lead to a lower level of privacy and security protection. The differential responsibilities among joint controllers as envisaged in case-law may reconcile the tensions to some degree, but certain limitations remain. The regulatory dilemma in this regard highlights some underlying assumptions of data protection law that are no longer valid with regard to a smart home, and thus calls for further conceptual and empirical studies on fair reassignment of responsibility and accountability in a domestic IoT setting.


Introduction: towards a safer home built by many
Smart home Internet of Things (IoT) devices are notoriously badly secured. Commercial practices geared towards usability see devices shipped with default passwords, but users rarely change these. This has led to cases of IP-connected cameras being remotely accessible via the search engine Shodan, enabling babies to be monitored sleeping. 1 Similarly, poorly secured devices can be more vulnerable to remote access attacks, implicating them in botnets. We have seen this in the case of the Mirai, 2 Persirai 3 and Reaper 4 botnets. 5 Concurrently, there are growing concerns about the personal data-driven economy resulting from new compliance requirements and high fines under the General Data Protection Regulation (GDPR). 6 A key issue is the cloud-based big data analytics infrastructure dominating IoT product and service design. It enables creation of cheaper devices with data collected locally, analysed remotely, and the service provided locally again. 7 These IoT privacy and security concerns have sparked a growing research agenda in creating local data storage and analysis infrastructures, where data analytics is brought to the data, as opposed to centralizing the data. This provides users more control over who accesses their data, why, for how long, and so forth. From a regulatory perspective, the European Data Protection Supervisor (EDPS) has extolled the virtues of such personal information management systems (PIMS) sitting at the edge of the network, 8 as has a recent Royal Society report. 9 Development and adoption of security- and privacy-enhancing technologies (S/PETs) are not just priorities on the EU's Digital Single Market Strategy, 10 but indeed encouraged or even required by the GDPR. 11 Yet, the uptake of these technologies will depend on a suitable legal environment with appropriate regulatory incentives provided for developers and users of such technologies and without imposing excessive compliance burdens on them.
We however have concerns over the potential impact of data protection law on S/PETs in a domestic IoT context, especially considering how responsibility and accountability are assigned to various groups of actors under the current legal framework. The notion of joint controllers and the household exemption are therefore of significant relevance as they serve as the GDPR's primary mechanisms to identify the parties responsible to ensure data protection requirements are met.
To illustrate the implications of joint controllership and the household exemption for domestic IoT S/PETs with edge computing solutions, this article will look at two ongoing research initiatives. The Databox project (funded by the UK's Engineering and Physical Sciences Research Council, EPSRC) demonstrates how data protection principles can be built into data processing architectures by design. 12 With personal data stored and analysed on a local PIMS, Databox aims to enable users to benefit from the use of their data without compromising their data privacy. Work by Urquhart et al. considers how it enables accountability, as required in Article 5(2) of the GDPR, by providing mechanisms both for substantive compliance and for demonstrating compliance. 13 Another EPSRC-funded project, Defence Against Dark Artefacts (DADA), 14 addresses smart home cybersecurity risks by identifying strategies for providing security threat management at the edge of the network. This is achieved by screening the behaviour of devices on the network, and detecting when activity is abnormal. If data flows are going to unexpected destinations or exhibiting abnormal patterns, this may indicate threat actors with remote access or stealing information. 15 The development and operation of both Databox and DADA, however, rely heavily on the collection and analysis of device data (which may turn out to be personal or even sensitive data) and involve a wide range of actors who may or may not be categorized as data controllers or data subjects. 16 The complexity of legal relationships in IoT has been highlighted in the literature, 17 and S/PETs will only further increase such complexity. Stakeholders surrounding such systems include architectural developers (eg Databox and DADA developers), third-party component builders (service/app/driver providers), device manufacturers and users, while homeowners, family members, neighbours and visitors may be affected.
All these complexities pose pressing questions in both theoretical and practical terms about how responsibilities are managed, and who the different stakeholders are.
In a scenario where, for example, a homeowner has set up the smart home with such an S/PET solution, should they be treated as a (joint) data controller? If so, can they reasonably claim they are exempted from the controller obligations on the basis of a purely household activity? What about the other involved parties, such as developers of the S/PET system? Fundamentally, and as will be shown below, these questions may eventually come down to the fair allocation of data protection responsibility and accountability among a range of stakeholders. Edge computing for smart homes holds great promise with its architecture designed to keep the use of personal data inside the home, but it remains unclear whether using such technologies would turn homeowners into liable joint controllers. As the rest of this article will show, the way joint controllers and the household exemption have been construed in case-law, with the intention to provide seamless protection to data subjects, may end up running counter to this objective by creating deterrence against the uptake of S/PETs such as Databox and DADA.
Joint controllership: everyone is a data controller?
In ascertaining who is responsible for what sorts of data protection obligations, the first step is always to identify the data controller, or controllers. Under the accountability principle of the GDPR, the data controller is the one ultimately responsible for compliance with data protection law. 18 While other categories of actors, such as data processors or, as will be explained below, developers of data processing systems, also play a role in ensuring all data protection principles are observed, the major burdens fall on data controllers.
The GDPR has maintained the same definition of data controller as under the Data Protection Directive (DPD), which is 'the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data'. 19 It follows that, although the GDPR has introduced a number of new provisions on (joint) controllership, there is no reason to assume that the case-law handed down by the Court of Justice of the EU (CJEU) or the opinions issued by the Article 29 Working Party (A29 WP, now the European Data Protection Board, EDPB) at the time of the DPD are no longer relevant, except where they are clearly contrary to the new rules. In fact, it would be helpful to review how the scope of data controller and the notion of joint controllership have been interpreted by the Court and the WP, which would shed further light on how the GDPR is likely to apply to future cases involving a spectrum of stakeholders around

Guidance by European regulators: joint controllership by legal arrangement
When assessing the nature of controllership with regard to a particular entity, one would need to address two key issues: (i) What makes an entity a data controller instead of a mere data processor or even just a 'facilitator'; (ii) What makes two or more entities joint controllers rather than independent, sole controllers for different processing operations. Indeed, these are among the major topics covered by the A29 WP's 2010 Opinion on the concepts of controller and processor. 20 Such distinctions are of important legal significance in that, on the one hand, data controllership means the assumption of the primary responsibilities for compliance with data protection law, 21 and on the other, joint controllership means they are under the obligation to make arrangements for shared responsibilities and might be held jointly liable for the entirety of data processing. 22 The first question regarding the distinction between data controller and data processor is certainly of theoretical and practical significance to protecting personal data in a domestic IoT context, not least because of the cloud-based approach prevalent in the design of many IoT devices, which leads to the ongoing debate about the role of cloud providers as data processors. 23 Important as this issue is, it falls outside of the main focus of this article and should be a subject matter for future research.
The second question, which is more relevant to the inquiry of this article, concerns the conditions for a group of entities to become joint controllers. The WP points out from the outset of the Opinion that 'pluralistic control' is possible and may take a wide variety of forms. 24 The interactions between joint controllers may reflect 'a very close relationship (sharing, for example, all purposes and means of a processing) or a more loose relationship (for example, sharing only purposes or means, or a part thereof)'. 25 However, the mere existence of cooperation between different entities does not necessarily render them joint controllers. 26 Rather, they can be independent (sole) controllers responsible only for their part of the data processing chain. 27 That said, it is also stressed that the assessment must also take into consideration whether 'at macro-level' the processing operations form a 'set of operations' with joint purposes and means. 28 This is particularly likely to be the case when the involved parties have set up shared infrastructures to process personal data. 29 The examples and discussions throughout the Opinion show that what the WP envisages as joint controllership relies on a legal arrangement whereby 'clear and equally effective allocation of obligations and responsibilities' can be established between controllers. Even when the formal agreement between controllers does not reflect the actual legal relationship (eg designating one party as a data processor while it actually exercises control under the agreement), the substance of such an agreement, according to the Opinion, nevertheless serves as an important indication of the 'contractual arrangements' or 'factual circumstance' against which the validity of appointment of (joint) controllers, as well as their respective responsibilities, is assessed. 30
Such a 'joint controllership by legal arrangement' approach is also mirrored in the latest EDPB guidance, requiring that '[w]henever joint controllership is envisaged, the parties must apportion in a clear and transparent way their respective responsibilities vis-à-vis the data subject'. 31 Likewise, the discussion in the recent EDPS guidelines on the concepts of controller, processor and joint controllership focuses heavily on scenarios where 'by entering into [an] agreement, the parties commonly determine (or converge on) the purpose and essential elements of the means'. 32 It should be noted that the EDPS's analysis is conducted under Regulation 2018/1725, which governs processing of personal data by EU institutions, 33 rather than the GDPR. However, given the similarity in substance and terminology between the two Regulations, 34 it remains helpful in revealing the perceptions of EU data protection regulators towards the notion of joint controllership under the GDPR.
To sum up, the interpretative approach taken by European regulators has placed significant emphasis on the co-decision made between actors involved in the data processing in question when ascertaining their legal status. It is even suggested that data controllers can be 'appointed' by means of legal arrangements, although such an appointment, without prejudice to the data subject's rights against each of them, 35 should be 'null and void' if the designated party does not actually exercise effective control over the processing. 36 Moreover, the joint responsibilities are considered a matter that should 'be determined in principle by controllers' as long as the rights of data subjects remain fully respected. 37

From Google Spain to Fashion ID: joint controllership by technical and organizational configurations
Four years after the WP's Opinion, the CJEU had the opportunity to examine the concept of data controller in the high-profile Google Spain case. 38 In answering the question referred by the national court as to whether Google constitutes a data controller by operating a search engine that indexes and presents as results the webpages that contain personal data, the Court examines the role of Google in the spreading of information on the Internet. It has come to the conclusion that Google 'plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject's name, including to internet users who otherwise would not have found the web page on which those data are published'. 39 Also, for the first time, the Court has declared that both the letter and the spirit of data protection law necessitate a broad definition of data controller to ensure 'effective and complete protection of data subjects', 40 which, as will be shown below, has been consistently reiterated by the Court in later decisions.
While the Court has not directly dealt with the issue of joint controllers in this case, an interesting remark was made about how joint controllership may possibly stem from technical configurations. To explain why a website's ability to opt out from Google's indexing (with the 'robots.txt' protocol or the 'noindex' code) does not mean Google does not exercise control over the processing of data, the Court notes that 'even if that option for publishers of websites were to mean that they determine the means of that processing jointly with [Google], this finding would not remove any of the latter's responsibility'. 41 While stated in a purely hypothetical manner, this observation seems to suggest that it is possible for a website to become a joint controller with Google simply by using (or not using) certain technical settings.
The possibly loose relationships between joint controllers are also recognized in Wirtschaftsakademie, where the Court rules that the administrator of a Facebook fan page is a joint controller with Facebook. 42 It is reasoned that 'the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page'. 43 It is also pointed out that the administrator 'has an influence on the processing of personal data' by 'defin[ing] the criteria in accordance with which the statistics are to be drawn up and even designat[ing] the categories of persons whose personal data is to be made use of by Facebook', which 'contributes to the processing of the personal data of visitors to its page'. 44 While the Court took note of the potential contractual relationship between a fan page administrator and Facebook, this did not play a substantial role in the Court's analysis. 45

Electronic copy available at: https://ssrn.com/abstract=3483511

refer to as 'joint controllership by technical configurations'.
In a later case Jehovan todistajat, 46 the Court further expanded the scope to also cover 'joint controllership by organisational configurations'. The Court was asked to clarify, inter alia, whether the Jehovah's Witnesses Community should be regarded as a joint controller with its members who collect personal data through door-to-door preaching. An answer was given in the affirmative, on the ground that the 'preaching activity is . . . organised, coordinated and encouraged by that community'. 47 In other words, the mere exertion of organizational influence on how data are processed and for what purposes will suffice to turn an entity into a joint controller.
It is also noteworthy that the Court made it clear that determining the purposes and means of data processing does not necessarily involve 'the use of written guidelines or instructions from the controller'. 48 Nor is it relevant whether the involved party has actual access to the personal data in question. 49 This clearly sets out a broad scope of joint controllers who do not always have to jointly make decisions on the most important aspects of data processing.
In the latest decision, Fashion ID, 50 the Court further confirmed how joint controllership may arise regardless of the lack of a legal relationship between the parties concerned, or the absence of access to the personal data by one of them. Like Wirtschaftsakademie, the Court was asked to give clarifications on joint controllership with Facebook, but in a different setting: Placing a 'Like' button on one's website that would trigger the user's browser to communicate with Facebook's server and thus make certain information accessible by the latter. The judgment has explained in detail how both the purposes and means are jointly determined by Facebook and the website.
On the one hand, as the Court explains, 'Fashion ID appears to have embedded on its website the Facebook "Like" button made available to website operators by Facebook Ireland while fully aware of the fact that it serves as a tool for the collection and disclosure by transmission of the personal data of visitors to that website'. 51 By including such codes that direct the user's browser to communicate with Facebook, reasons the Court, the website has exercised 'a decisive influence' on the means by which the personal data is processed. 52 On the other hand, Facebook and Fashion ID are held to have jointly determined the purposes of the processing, which is promoting the latter's products 'in the economic interests of both Fashion ID and Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes is the consideration for the benefit to Fashion ID'. 53 Such joint determination, unlike in Wirtschaftsakademie, does not require the operator of the website to sign up for Facebook's service, and thus does not necessarily involve a prior contractual relationship between the parties. Again, all it takes is the technical configurations respectively arranged on both sides following a technical protocol that would altogether enable Facebook to gain access to the personal data in question.

Implications for the smart home ecosystem
From Google Spain to Fashion ID, there has been an evident and consistent confirmation of the broad scope (if not an expansion of the scope) of joint controllers. 54 Also unmistakably and unmissably clear is the strong message from the case-law that this approach is necessary to ensure a high level of data protection afforded to data subjects. 55 Of course, a widely inclusive notion of joint controllership may arguably hold responsible entities accountable more tightly, and may prevent them from escaping from their data protection duties. However, this may also mean unnecessary or even unfair compliance burden on certain actors involved in, for example, the development and adoption of edge computing technologies, such as Databox and DADA. Such an impact, as will be discussed below, might run counter to certain policy objectives of data protection law, in particular when the responsibilities among stakeholders are not clearly demarcated.
For developers of smart home S/PETs (either the architectural designer of the system or the collaborating or independent developers of certain components), the widening scope of joint controllership means that they may well fall within the definition of a joint controller, as they are the ones defining in technical terms how smart home data are collected and for what potential purposes. One might be tempted to argue that under certain technical models where such developers do not have access to the personal data, they may be considered non-controllers. However, as highlighted above, the Court has ruled in several cases that it is irrelevant whether a concerned party has actual access or not to the data when it comes to ascertaining its controllership. 56 This raises an array of questions regarding how data subject rights could be exercised against such controllers when many of those requests (such as access, rectification, erasure) can be fulfilled only when the controller has direct or indirect control over the personal data. Equally profound are the implications for the users of these technologies, who may find themselves in a dilemma where they make use of such systems in their smart homes in the hope of enhancing privacy or cybersecurity for themselves, their family, their visitors or even the entire infrastructural network, but end up being held liable as a joint controller. From a technical point of view, there is little substantial difference between operating a smart home device that enables data collection and embedding a 'Like' button on a website that triggers data transmission. Keeping smart homeowners in the expanding circle of joint controllers may in individual cases offer some extra protection to data subjects, but this may at the same time create some widespread effects on the adoption of these technologies.
While the WP and the Court seem to have taken into consideration the fair assignment of responsibilities in the case of joint controllership, as will be further discussed below, this would not be effective without further guidance on who should be responsible for what obligations in a given scenario. Before conducting a more nuanced analysis of the allocation of responsibilities, it is necessary to examine some general mechanisms that may serve to push back the expanding boundaries of joint controllership. In the next section, the household exemption will be discussed in detail.
Household exemption: what happens in the house stays in the house?
Even if it is established that a person acts as a data controller, solely or jointly, it does not always follow that the full spectrum of data controller obligations will fall on them. In fact, Article 2 of the GDPR carves out a list of areas from its material scope, one being the household exemption, which could be potentially relevant to the context of smart home security technologies. Article 2(2) GDPR provides that: 'This Regulation does not apply to the processing of personal data: . . . (c) by a natural person in the course of a purely personal or household activity'. Recital 18 further clarifies the meaning of 'a purely personal or household activity' with the qualification of 'with no connection to a professional or commercial activity'. A number of examples are also given in the same recital, which 'could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities'. While, compared with a similar recital in the DPD, which gives examples 'such as correspondence and the holding of records of addresses', 57 the new GDPR recital may seem to have expanded the scope by expressly including social networking and online activities, 58 it should be noted that the GDPR's 'could include' wording may actually suggest a narrower scope than that of the DPD's 'such as'.

The household exemption in a connected and smart home
Before discussing the remit of 'personal or household activity' in the light of these specific examples, and to keep the discussion more focused on the challenging issues, a more straightforward consideration should be pointed out and excluded from our further discussion. In the context of smart home IoT, it is unlikely that the manufacturers of the devices or developers of the software may benefit from this exemption. For one thing, there is a clear professional or even commercial involvement (regardless of their non-/for-profit status) that would rule out the claim of purely personal activity. For another thing, many of these manufacturers or developers are simply not natural persons, but rather organizations, which is also clearly excluded by the exemption. It would be a different question whether they are (joint) controllers, or what responsibilities they have in this case. What is certain, however, is that they can hardly avoid the application of the GDPR by invoking the household exemption. A slightly more reasonable claim may be made by individuals independently contributing to the development of the technologies, but this would also be hard to justify because, apparently, the use of such technologies concerns, if any, the household of the user, not of the contributors. For this reason, the discussion in this part will focus mainly on whether the end users of S/PETs, namely the homeowners, can be exempted from data controller obligations. The CJEU decision on Ryneš might be a good starting point for this inquiry as it concerns the use of CCTV, a home security device, albeit not a smart one in this specific case. 59
The Court was asked to decide whether the operation of a CCTV installed on one's home but partly monitoring a public space falls under the household exemption. In the judgment, it is reasoned that: [t]o the extent that video surveillance such as that at issue in the main proceedings covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely "personal or household" activity . . .. 60 Referring to Recital 18 DPD and by way of example, the Court explains that such an activity may cover 'correspondence and the keeping of address books . . . even if they incidentally concern or may concern the private life of other persons'. 61 Yet, the Court has not further clarified whether it would make a difference if the CCTV is directed entirely towards the inner space of a family home.
However, it is evident that the CJEU has consistently taken a remarkably strict approach to the scope of the exemption. In fact, the Court has never ruled in favour of a claim of the exemption in the limited number of relevant cases it has decided on. 62 In Jehovan todistajat, for example, the Court has summarized the two considerations established in previous cases that would preclude the applicability of the household exemption: (a) access by an unrestricted number of people; and (b) extension to a public space beyond the private setting of the person. 63 In this regard, the question central to the use of S/PETs in a smart home setting would concern the extent to which the use of data is confined to the private sphere of the user and their family. Unlike the case of cameras, however, there are no clear physical boundaries in an IoT setting. While the purpose of the use of these technologies may well be solely for protecting the inner space of home (informationally or physically), the adoption of such measures may, depending on the exact technical model, involve individuals outside the family, either in physical proximity (eg neighbours, visitors) or in the distance (eg other users connected to the same service).
More importantly, the domestic purpose or intention alone does not form a sufficient basis for the household exemption claim. In Ryneš, even though the Court is mindful that the use of CCTV may serve the purpose of protecting one's family, it nevertheless rejects the applicability of the household exemption, and points to alternative permissive mechanisms within the legal framework, such as the 'legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself'. 64 In this regard, it does not seem to matter whether a smart homeowner deploys S/PET devices solely for domestic purposes. The mere fact that such technologies involve collection of personal data from outside the family or dissemination of personal data to outside the domestic sphere will sufficiently exclude the application of the household exemption. The Court's consistent rejection of the claims clearly shows the shrinking possibility for users of these technologies to benefit from the exemption.

Why exempt household activities in the first place? A historical approach
The application of the household exemption means that any data processing falling within the scope of 'a purely personal or household activity' would not be subject to any restrictions imposed by the GDPR. At first glance, many might find this exclusion surprising or even unreasonable: One would expect the highest standard of data protection at home as this amounts to probably the most private and sensitive space. Yet, applying the exemption does not mean that individuals are not protected when it comes to household activities, as any access of data from outside the household that intrudes on the private sphere of the home would not be considered 'personal' and indeed would be subject to the GDPR. However, this does raise the interesting question as to why such an exemption was introduced in the first place.
The earliest equivalent to today's definition of the household exemption can be found in Sweden's 1982 Amendment to the Data Act 1973, which provides that the prior approval and reporting requirements for data registers do not apply to 'personal data registers established by an individual or exclusively for personal use'. 65 In the explanatory notes, this was justified on the ground that 'it is not possible to regulate all forms of use of personal data that normally occur in the daily interactions between people, e.g. in private notes, address or phone number lists, and letters etc', 66 as well as 'registers relating to one's own family finances'. 67 On the international level, the updated version of Convention 108 adopted in 2018 ('Convention 108+') includes a clear household exemption. In the new Article 3(2), it is provided that '[t]his Convention shall not apply to data processing carried out by an individual in the course of purely personal or household activities'. A rationale has been given in the Explanatory Report: This exclusion aims at avoiding the imposition of unreasonable obligations on data processing carried out by individuals in their private sphere for activities relating to the exercise of their private life. . . . The sharing of data within the private sphere encompasses notably the sharing between a family, a restricted circle of friends or a circle which is limited in its size and based on a personal relationship or a particular relation of trust. 68 As regards the EU, the original Commission proposal of the DPD offers a justification of excluding the application to 'files held by . . . an individual solely for private and personal purposes' 69 : '[I]nvasions of privacy are unlikely to occur . . . because the data are used for private purposes only, as is the case with a personal electronic diary'. 70
Indeed, considering the potential risks in such scenarios, it would be significantly disproportionate to require individuals to comply with data protection law, including allowing data subjects access to the data, just because their personal details are mentioned in an e-diary.
Even more interestingly, in the same proposal, another account was provided in the draft Recital 9 (which did not make its way to the Council's Common Position 71 ): '[D]ata files falling exclusively within the confines of the exercise of a natural person's right to privacy, such as personal address files, must be excluded'. 72 While closely related to the point mentioned in the previous paragraph, this explanation has taken a somewhat different approach: Applying data protection law to purely personal activities is not just unnecessary for protecting the data subject, but also potentially intrusive for the individuals keeping such data, 73 as it would potentially force them to disclose highly sensitive materials at the request of the data subject.
To sum up, from the limited number of official documents providing an explanation for the introduction of a household exemption, three inseparable but somewhat different theories can be identified: data protection law should not apply to purely personal or household activities because it would be (i) unfair, as it would impose unreasonable obligations on the data controller; (ii) unnecessary, as the privacy threats are minimal in these cases; and (iii) invasive, as it would risk forcing individuals to disclose confidential information.
When joint controllership and the household exemption face a smart home: do they still work?

Joint controllership and the household exemption as mechanisms for allocating responsibilities
In the two previous sections, it has been shown how the scope of joint controllership has been widening whereas the scope of the household exemption has been narrowing as the two concepts have been interpreted by the CJEU. Consequently, for owners of smart homes, choosing to embrace a technology designed to improve the security and privacy of their homes may mean a high risk of being categorized as a joint controller without the protection afforded by the household exemption.
Joint controllership and the household exemption, although two separate legal issues, are closely linked here, since the former sets out the threshold whereby a group of entities are made collectively responsible for the data processing, whereas the latter functions in a way that essentially exempts the individuals processing personal data from controllership if the activities in question are purely personal or domestic. The GDPR further clarifies that the exemption applies only to natural persons but not to the entities providing means for such activities. 74 Accordingly, with regard to the processing involved in the sending of private messages on social media, for example, the senders and receivers may be exempted from the application of the GDPR, but the social media service provider will not. In other words, the household exemption is a controller-specific exemption that seeks to relieve private individuals from the compliance burdens.
For this reason, the notions of joint controllership and the household exemption are in essence an all-or-nothing mechanism, precluding the responsibilities for some groups of data users and thus imposing them exclusively on some other groups. 75 Working together, these two concepts follow the logic that, if a person is a data controller and does not qualify for the household exemption, then they will be charged with the full responsibilities (or as a part of a full package of responsibilities); otherwise, they will have no responsibility at all. The responsibilities of each joint controller, as explained below, may not be identical, but without clear guidance, joint controllership may lead to considerable burdens that are not proportionate to the role of each controller. To the extent that joint controllership and the household exemption determine who should and who should not be held responsible for data processing activities, they serve as a legal mechanism to assign responsibilities.
This marks a fundamental difference underlying privacy and data protection law: while privacy law focuses more on the secrecy of personal and private information, data protection law mainly addresses the accountability of uses of personal data. 76 As much as confidentiality forms an important part of accountability, the latter is achieved also through other mechanisms, such as integrity, availability, transparency and so on. One important aspect of a data protection regime is thus to determine the extent to which the responsibilities are distributed (or rather, centralized) among various stakeholders. By setting out the household exemption, for instance, EU data protection law has in effect removed the responsibilities from individuals when using personal data for purely personal activities. Indeed, individuals are expected to be subject to a much lower level of accountability when they engage in a conversation with family and friends, or handle personal details of family members within the household.
The way joint controllership and the household exemption are laid down in the GDPR reflects a few assumptions that might be valid for a traditional home but probably not anymore for a smart home. First, it is assumed that personal or domestic activities are mostly confined within the physically discernible boundaries of a private space. The keeping of an address book, 77 for example, usually operates solely within one's home and thus has little, if any, impact on the listed contacts. Secondly, responsibilities can be clearly defined and simply assigned or disassigned to a specified group of persons. In the case of an address book, again, the book-keepers would be the only parties responsible for the use of the address book, which does not involve the issues of shared responsibilities. Under these two conditions, the two notions may work well in a straightforward manner: Within the house, no responsibility; outside the house, full responsibility. However, as will be shown in the rest of this section, these two assumptions do not work in an IoT context anymore.

In or out: disappearing boundaries of the home
There should be little dispute that the examples provided by Recital 18 GDPR (ie 'correspondence', 'holding of addresses') can be reasonably exempted from the application of data protection law, since the imposition of the obligations on individuals in these contexts would be, as highlighted above, unfair, unnecessary and invasive. Private messages mentioning a third-party individual solely for personal purposes, for instance, should not result in the mentioned person being given the right to access the information. Again, this does not mean that the information involved in such activities is unprotected. Confidentiality of communications, whether in postal or electronic forms, remains protected by (e-)privacy law. This is underpinned by the idea that certain spaces can be clearly demarcated as private or personal, and thus what happens within such spaces should be free from interference. Interestingly, though, the two examples provided by Recital 18 in fact represent two quite different types of private space, and are not necessarily limited to the physical household. Koops distinguishes 'home' and 'private communications' as two different types of 'intimate zones'. 78 Whereas 'holding of addresses' can be considered within the 'home' space, 'correspondence' clearly falls within the 'private communications' space. Yet, these two instances share similarly visible infrastructural boundaries that afford a relatively high level of assurance that the information contained within such boundaries (what happens inside the house, or what is written inside the envelope) would not reach the outside world and would thus have little external impact. Unless intentionally intruded upon or disclosed, which clearly breaches the private space, the expectation of what should stay private and thus subject to a significantly lower level of accountability is rather clear.
There is a rich body of literature discussing the importance of boundary management under the heading of 'privacy'. 79 Non-smart homes and non-electronic communications in most cases have more manageable boundaries as they are clearly defined and visible to all parties. Setting aside the question whether privacy is a helpful approach here, 80 what should be less disputable is the challenge to boundary management posed by the increasing prevalence of IoT technologies. The boundaries of a smart home are remarkably more fluid, as smart devices may transmit (and sometimes indeed are designed to transmit) information about what is happening inside the home to the remote cloud. Also, the internal functioning of a smart home may be affected by or even dependent on events taking place outside the home. Even more fundamentally, IoT technologies pose challenges to what is traditionally considered trusted as part of one's home. 81 Unlike a non-smart home, the relational and informational boundaries have disentangled from the physical boundaries. 82 This is particularly the case in the scenarios central to this article, ie S/PETs operating on an open-source, data-intensive and dynamic basis, such as Databox or DADA. Depending on the exact design of the system, a smart home security solution may, for example, record the presence of detected new devices, which could be brought into or close to the house by visitors or neighbours. 83 Unlike using a physical domestic diary to keep a record of guests, such a system may store more details of the device or reveal certain patterns. In most cases, the communication and storage of information would be secure, but it is certainly not as straightforward as a paper diary, and family members, visitors and neighbours might have concerns over the safety of such information. The functioning of devices may also be affected by what is happening outside the home. The system may decide, for instance, to disconnect a device from the network after identifying a suspicious pattern matching a newly reported cyberattack.
In a hyper-connected setting like a smart home, it is no longer clear whether the involved parties (the homeowner, their family, their neighbours, their visitors, other connected users, operators of the devices, cloud providers) should be considered 'inside' or 'outside' the home. Or maybe more fundamentally, we might need to reflect on the appropriateness of the metaphor of a traditional house: perhaps the external and internal spheres are no longer separated by a thin wall, but rather bridged by a spectrum of domains with different levels of proximity to the core of the home, and thus carrying different expectations of accountability. 84 To that extent, a smart home may even be seen as a digital 'private-public place'. 85 This points towards the need for further user-centric research on user expectations and experiences in a smart home equipped with S/PET systems, but from a legal point of view, the assumption that a relatively clear line can be drawn between the domestic and public spaces will only become increasingly unrealistic. 86

All or nothing: centralized data controllership in a decentralized technological reality
In a simple, one-to-one legal relationship, the GDPR's centralized model mirrored in joint controllership and the household exemption 87 has the benefit of allowing for a clear focal point of obligations largely reflecting the expected roles of the parties involved. When it comes to a highly complex technological setting, however, it does not seem fair anymore to distribute the duties of care in an all-or-nothing manner. The example of S/PETs discussed in this article serves as a good case in point: such technologies rely on the collaborative involvement of a range of actors who have different roles to play, and thus have different levels of control over the functioning of the system.
We propose to use functional terms to capture the nature of control exercised by a variety of actors. The developers of the system, for example, have schematic control as they determine the structure of data and protocols mandating the communications between components across the system, but they have no access to the actual data; the device manufacturers have input control as they determine what data are collected and transmitted through the network; the developers of drivers or apps have interpretative control as they determine how data or data patterns can be translated into actionable decisions; the users (homeowners) have operational control as they determine what components or functionalities are enabled. As a preliminary example, however, this taxonomic approach will certainly require further theoretical and practical elaboration.
The level of integration and inter-dependency between various types of actors means that accountability is shared, not just in proportional/quantitative terms but also in a functional/qualitative manner. The operational control by the users naturally requires them not to abuse the system by, say, monitoring the digital activities of their neighbours; the input control by the manufacturers requires them not to over-collect data; the schematic control by the developers requires them not to make unauthorized data sharing possible between different components. Sitting in different functional divisions of the system, they are in a position for different forms of accountability. Particularly important are the asymmetries in resources and power reflected in different forms of control and the implications for regulation. The simple answer offered by joint controllership and the household exemption, however, seems to have failed to reflect such a complex landscape. The idea of differentiated responsibilities as envisaged by the WP and the CJEU, which will be discussed in the next section, may mitigate this issue to some extent, but certain challenges remain.
In this regard, the GDPR contains a provision that is highly relevant but remarkably under-discussed: Recital 78 provides that 'producers of the products, services and applications should be encouraged to take into account the right to data protection . . . with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations'. It sheds some light on the roles that the involved parties are expected to assume in the collaborative process of improving security/privacy for smart homes. Interestingly though, it seems these producers are not categorized as data controllers (or at least it is implied that they can be treated as non-controllers in some contexts), as they are simply 'encouraged' but not 'obliged' (as the case would be for a controller) to take into account the rights of the data subjects. In the case of S/PETs for smart homes, the contributors to some components are technically not data controllers indeed, due to the fact that, say, they do not actually determine the overall purpose of the system but simply offer a partial technical solution to the community. Yet, it does not follow that they do not have any control over how data are eventually processed. It equally does not follow that it would be fair to impose the full range of data controller obligations on them. In determining to what degree and in what form they should act responsibly and how such responsibilities should be translated into legal obligations, maybe it would take more than an answer of yes or no.
The same goes for the owner of a smart home equipped with such technologies: they have a certain level of control over the use of data for purposes that might be largely but not necessarily entirely 'personal or household'. In order to decide the extent to which the exemption should apply to them, one would need to go back to the three questions that the early legislator adopting the household exemption might have asked themselves: Is it fair to impose the data controller obligations on them? Is it necessary to do so taking into account the potential risks? Is it invasive to do so considering the implications for the homeowner and their family? The three answers may not be fully consistent anymore. Perhaps more importantly, in a world of decentralized control over data processing, and possibly diffused responsibilities among entities, 88 these questions might well be a matter of balance rather than one of choice.

Differentiated responsibilities among joint controllers: promises and limitations
One might argue that the expanding scope of joint controllership and the shrinking scope of the household exemption do not necessarily mean disproportionate obligations imposed on certain groups of actors. Indeed, Article 26(1) of the GDPR requires that joint controllers should 'in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation . . . by means of an arrangement between them'. 89 Also, while this requirement is newly introduced by the GDPR, during the time of the DPD, the WP as well as the CJEU have already expressed some support for such a possibility. The A29 WP has indeed anticipated the need to ascertain 'which controller is competent - and liable - for which data subjects' rights and obligations . . . where the various joint controllers share purposes and means of processing in an asymmetrical way'. 90 While the WP has not ruled out the possibility of joint and several liability (ie each and all joint controllers fully liable for any breach arising from the data processing), it has pointed out that in most cases 'the various controllers may be responsible - and thus liable - for the processing of personal data at different stages and to different degrees'. 91 This interpretation has later been confirmed by the Court in Wirtschaftsakademie, which states that 'the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data' and that 'those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case'. 92 This approach is subsequently reaffirmed by the Court in both Jehovan todistajat 93 and Fashion ID. 94
As explained above, it is indeed reasonable and necessary to differentiate the obligations of different controllers taking into account their respective roles in the whole process of determining the purposes and means of data processing. However, the approach proposed by the WP, later confirmed by the Court and then adopted by the GDPR is subject to a number of challenges.
Firstly, the current mechanism is largely based on the assumption that joint controllers have agreed or can come to agree on how the responsibilities should be distributed among themselves. In fact, as mentioned above, data controllers are required to do so under the GDPR 'by means of an arrangement between them'. 95 Yet, our analysis in the section on joint controllership above has shown that the establishment of controllership does not require a legal arrangement between the concerned parties, and can simply result from technical or organizational configurations. Even if it is argued that such an arrangement can and should be concluded, in the context of open-source development, this would be highly difficult. 96
Secondly, both the WP and the Court have considered the possibility of joint controllers as a result of data processing 'at different stages' or 'to different degrees', and thus the 'level of responsibility' should be differentiated. This solution essentially views the distribution of data protection responsibilities as a matter of degree in temporal or proportional terms, which would make sense in allocating ex post responsibilities, ie liabilities. Van Alsenoy, for example, analyses the liabilities of data controllers and data processors from a tort law perspective. 97 The joint and several liability approach, for example, can be supported by Recital 146 98 and justified with the 'common fault' theory, 99 although the GDPR exempts controllers who can prove that they are 'not in any way responsible'. 100 However, unlike tort law, data protection law concerns not only ex post liabilities, but also ex ante duties, including the mandatory conditions for lawful processing of personal data and other safeguards throughout the personal data lifecycle. The way liabilities are distributed among responsible parties, often ascertained in monetary form and as a matter of degree, would not be suitable for allocating ex ante duties. As highlighted in the previous section, different forms of control (eg schematic, input, interpretative, operational, etc) would put joint controllers in different positions to adopt different measures, which is not the same matter as 'different stages' or 'different degrees'. In any case, the default approach of joint and several liability is certainly unhelpful in assigning data protection responsibilities fairly.
Thirdly, it remains unclear how to reconcile what seems to be a conflict 101 between the requirement to determine the responsibilities among joint controllers 102 and the proviso that data subject rights can be exercised against any of the joint controllers. 103 One potential solution rests in Article 26(2), which requires the arrangement between joint controllers to 'duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects'. 104 This can be interpreted as allowing joint controllers to appoint one of them to be responsible for certain types of data subject rights, as long as this mirrors its role and relationship with the data subject; otherwise, the data subject would not be bound by such a designation and may decide to exercise their rights against any of the controllers. 105 In practice, some of these challenges may be slightly mitigated by restricting the ways data subject rights may be exercised against some of the joint controllers. Article 23 of the GDPR allows Member State laws to set out such restrictions on a number of bases, including safeguarding 'the protection of the data subject or the rights and freedoms of others'. 106 The security and privacy interest of the homeowners, for instance, may be recognized by national laws against the rights of the data subjects. Making these rules, however, would require a strong justification based on fair allocation of responsibilities, and may risk creating further fragmentation among Member States.
The lack of legal certainty on these matters may significantly impede the development and adoption of smart home technologies that would enhance privacy and security for IoT users. Fair allocation of data protection responsibilities would entail going beyond the current approaches of joint controllership and the household exemption, and instead, investigating what role each of the participating parties is playing, and accordingly, what appropriate duties they should be expected to assume. 107 Much work is needed to map out different categories of actors in the domestic IoT ecosystem in order to ascertain their best position in the data protection regime. Since it is now part of the EDPB's plan to review the WP's Opinion on controller and processor, 108 the need to carry out further research, both theoretically and empirically, will become even more pressing.

Conclusion
Before the advent of smart home IoT technologies, ascertaining how data protection law should regulate users in a domestic setting was once straightforward; the burdens of domestic data controllers were alleviated by relieving them of the data protection responsibilities. This is not the case anymore. The use cases discussed throughout this article have shown how domestic IoT has challenged some of the underlying assumptions of data protection law, and has created legal uncertainties as to who should assume the primary responsibility among a group of stakeholders connected to the smart home edge computing architectures, as well as how accountability can be achieved in a coordinated and shared manner between them.