The number of smart home devices is increasing. They are used by vulnerable people regardless of whether they are designed specifically for them or for the general population (eg, smart door locks, smart alarms, or voice assistants). This PhD focusses on children and inherently vulnerable adults, and analyses how to comply with the General Data Protection Regulation (GDPR) when the latter use smart products, with a particular focus on the UK through references made to the Information Commissioner’s Office guidelines and reports. Complying with the GDPR provisions related to the processing of vulnerable people’s data would be beneficial not only for the latter but also for organisations developing and deploying smart devices. This thesis argues in favour of protecting vulnerable people’s data by design and default in every smart product. The objective of this work is also to draw attention to the need of thinking about vulnerability across all data protection principles and to propose solutions on how to effectively comply with the GDPR in this context.
This PhD contains a legal doctrinal chapter, an empirical part (interviewing lawyers and technologists working within the smart home field) as well as a chapter related to theoretical debates and PETs.
In the doctrinal chapter, research into data protection law and legal concepts is conducted to understand the current legal landscape, guidelines and opinions related to this field of study. Personal data can be processed only if an appropriate legal basis is chosen and all of its conditions are met, and if all GDPR principles are respected. In this part of the thesis, the most relevant data protection law provisions in the context of the use of smart products by vulnerable people are identified and discussed.
The empirical chapter introduces information gathered through semi-structured interviews conducted with UK and international professionals in the field of data protection law and technology design, with a focus on the smart home context. Those discussions gave various insights and perspectives into how the two communities view intricate practical data protection challenges.
The chapter related to theoretical debates and privacy enhancing technologies (PETs) analyses personal information management systems (PIMS) in order to understand how to protect and manage vulnerable people’s data more effectively in smart homes and, as a result, enhance compliance with data protection law. Relying on PETs to safeguard vulnerable people’s personal data could lead to questions as to the normative grounds for this technological approach. By examining debates such as privacy as confidentiality versus privacy as control, this thesis explain why edge computing PIMS could help in improving GDPR compliance while underlining that designers of PIMS need to consider the consequences of implementing different privacy paradigms.
This author is supported by the Horizon Centre for Doctoral Training at the University of Nottingham (RCUK Grant No. EP/L015463/1) and EPSRC.