A smart home is a safe home? – data protection issues of smart homes
After taking a look at specific dangers to our personal data in the field of technological innovation, I wish to call attention to how everyday objects in our homes could violate the very foundation of our privacy. Tabloid warnings have suggested that anyone with a Ring doorbell camera could face fines of £100k after the Fairhurst v Woodard case, as it stressed that particular attention should be paid to audio recording in smart video equipment purchased to surveil one’s home. But what is the true problem with doorbell cameras, and the Ring doorbell in particular? In this case, the issue was simply the unlawful processing of personal data: the camera was able to capture audio from over 60ft away, which meant that personal data could have been obtained from people outside the boundaries of the defendant’s property who were unaware that they were being recorded, and their identities could have been revealed from the data. This is not proportionate to the doorbell owner’s desire to prevent criminal activity from taking place at his home.
This is just one example of the dangers that lie ahead when we attempt to make our lives more comfortable by upgrading to smart homes. There have also been reports of a robot vacuum cleaner which published intimate pictures of a woman online.
To start off, I would like to establish what a smart home is and what legal framework surrounds the potential issues that may arise in relation to this concept. A smart home is most easily defined as a habitation that has been outfitted with technological solutions that are intended to provide people with services that are suited to their needs. What sets a smart home apart from traditional living spaces is its ability to gather information from its surroundings and react accordingly. For example, in this type of home the resident may be able to close the curtains with a single spoken command, as artificial intelligence is used to develop a more comfortable living experience through robotics which are there to complete everyday tasks. As an important component of the Internet of Things (IoT), smart homes serve users by communicating with various digital devices based on IoT. A smart home can actually be seen as a domain of IoT, which is the network of physical devices that provide electronic, sensor, software, and network connectivity inside a home. The most popular home controllers are those that are connected to a Windows-based PC during programming only, and are then left to perform the home control duties on a standalone basis.
Nowadays, it is not only smart homes which are available to users who wish to live in such an environment, as there is also an expansion in the popularity of smart cities, which endeavour to make cities more efficient, sustainable and liveable through the functionality of all the critical infrastructure. The key issue in the case of such cities is the giving of meaningful consent to the processing of personal data.
However, as of 2024 the more pressing matter is still the issue of data breaches when it comes to smart homes. How can we ensure that our privacy stays intact if we are willingly bringing devices that can be used for surveillance into our most private living quarters? Unfortunately, we must see that IoT is a technology of interest for modern hackers and cybercriminals, thus their presence in our lives requires new solutions to combat existing security challenges. The data generated around a single device may not be sensitive in itself, but due to the interconnected nature of the IoT networks present in smart homes, it can reveal information such as consumer habits, patterns of behavior, and other data which may present a significant risk to the rights and freedoms of data subjects. This is especially interesting as the EU’s draft AI Act prohibits profiling or other practices that might affect the subject’s behavior. Additionally, it is clearly stated that “the use of ‘real time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement is also prohibited unless certain limited exceptions apply.” These issues will undoubtedly present themselves when data breaches occur due to technology applied in smart homes. IoT devices might just represent a higher risk for personal data than previous monitoring technologies, as the GDPR does not provide all the answers related to safety, and new regulation of AI is not enough to keep pace with the ever-growing range of new technologies in use.
Studies have previously explored the importance of the safe use of users’ personal health data. Privacy is considered to be one of the six different risk types in the context of technology-based innovations, in addition to functional, financial, temporal, psychological, content and social risks. Therefore, it is viewed as a significant challenge for organizations in the context of smart home usage and in particular in the area of service strategies. Studies have shown that with the rapid advancement of intelligent systems a simple “one-size-fits-all” approach to assuring privacy is unable to meet the needs of data subjects. Therefore, the stipulations found in the GDPR are not enough to prevent possible data breaches and uphold a person’s right to privacy, as afforded by international legal instruments such as Article 8 of the EU Charter of Fundamental Rights. In fact, it is a more dynamic approach, one that assures control over the technological functionalities present in smart homes, which could help prevent the misuse of personal data.
The possible data breaches could be even more devastating when it comes to the rights of minors. As the data controller has to prove compliance with the processing principles of the GDPR, they are also responsible for implementing the appropriate measures in order to preserve the data protection of minors in the context of smart home IoT devices. According to the household exception of the GDPR, controllers of smart homes process data at a professional level. Anonymization must be examined with regard to the new components of each processing operation inside smart home applications, and thus be regularly reviewed in order to remain an efficient security tool. When it comes to children who live in smart homes, GDPR compliance demands the enforcement of technical and organizational measures regarding a specific data processing operation. This entails nine criteria that have been adopted in order to determine the carrying out of a DPIA and the establishment of specific lists by the member states at national level.
To sum up, we can see that smart homes, while they are the possible future we are heading towards, also bring with them numerous unique challenges that we should respond to. One way in which this can be done is by putting safeguards in place, or by bringing in a more dynamic approach to sanctioning data breaches specifically related to personal information which stems from IoT used in smart homes.
Mónika Mercz, JD, is specialized in English legal translation and is a Junior Researcher at the Public Law Center of Mathias Corvinus Collegium Foundation in Budapest, while completing a PhD in Law and Political Sciences at the Károli Gáspár University of the Reformed Church in Budapest, Hungary. Mónika’s past and present research focuses on constitutional identity in EU Member States, with specific focus on essential state functions, data protection aspects of DNA testing, environment protection, children’s rights and Artificial Intelligence.