In a contributed article for Internet of Business, Kristina Holt, a senior associate at law firm Pinsent Masons, discusses why consent is not as insurmountable a barrier to the IoT as it seems.
Have a discussion with a business about IoT and it won’t be long before its perceived biggest challenge comes up: consent.
At a recent Internet of Moving Things event (part of the PETRAS initiative), this was the recurring theme. Can we really expect a driver of an autonomous vehicle to read through epic consent forms while on the go? How is it possible to get informed, unambiguous, freely given consent at high speed, on the move, and still allow the IoT universe to operate?
What if we wanted our connected vehicle to be able to order milk from the supermarket with a remote payment from our bank while driving home? There will be a transfer of personal data from the car to both the bank (to release funds) and the supermarket to order the milk.
Would the individual have to consider and give consent to each release of information while driving their car? Could they really be said to be concentrating on giving proper consent in these circumstances?
What if the answer is, possibly, that consent would not really be needed at all…?
The consent of consumers is not always needed in order to process their personal data. One alternative basis for personal data processing is where the processing is necessary for the performance of a contract with the individual.
An example where this might arise is where a business needs to process a customer’s data to supply services that the person has requested. It also includes steps taken at their request before entering into a contract.
For example, an individual may send a request via an app on their connected car to buy some milk from the supermarket which they will collect on their way home. The transfer of their personal data from the car to the bank and the supermarket is necessary for performance of the contract – if the data is not sent they will not get the milk. The data needs to be sent in order to supply the service requested. Therefore this is not a question of consent.
Another alternative basis is if the processing is in the “legitimate interests” of the data controller. A private-sector organization can process personal data without consent if it has a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
For instance, the supermarket might store and analyse the data received from the individual. It realises that a request for milk comes from this person every Tuesday at around 6pm. The supermarket might use this information to send a message to the individual on Tuesday at 5pm suggesting that they may want milk today. The person did not ask for this message (which would be a form of marketing), but it provides a commercial benefit to the supermarket while (arguably) not harming the individual.
There are other reasons for processing which are concerned with the wellbeing of individuals or the public at large. You can process data if it is necessary for performance of a task in the public interest and if there is some underpinning UK legislation.
An example might be legislation designed to direct connected and autonomous vehicles in a way that was most efficient for traffic flow.
Continuing our example, one particular Tuesday evening there may have been an accident causing gridlock in the streets around the supermarket. As a result, a centralized traffic management system might be able to direct the person’s milk order to another store and suggest that they take that route home instead.
As we have seen, consent may not be as urgent a concern as many IoT-focused organizations seem to believe.