Right to access your smart devices

by Alex van der Zeeuw and Alexander van Deursen

Today, more and more everyday devices are connected to the internet: for example smart energy meters, smart lighting systems, smart doorbells, or activity trackers, all part of the so-called Internet of Things (IoT). Smart devices often operate automatically or remotely, such as lighting or heating that automatically adapts to the current situation. In all cases, the use of smart devices involves a large number of measurements and the storage of an enormous amount of data. From heart rate and sleep rhythm to one's whereabouts or gas and electricity consumption, everything is saved. The detailed data collected make behavioral patterns highly predictable. The possibilities for third parties are abundant. The predictability can be used maliciously by criminals, or for the better, for example for discounts on insurance premiums. It is often necessary to have access to your own data and to know which data contribute to a particular discount, because when a number of people pay less, this data also makes other people pay more. It is important that you can check and correct the collected data when algorithms process incorrect information. Obtaining your personal data is then the first step.

The EU's GDPR gives consumers the right to request their stored data. The company that uses the data (often the manufacturer of a smart device) must send it in a readable format within a month after a request is filed. But what exactly should you request? Companies that supply the devices usually store the data for product improvement and marketing purposes, which is not very consumer oriented. Without knowing exactly what data is being collected, it is difficult as a consumer to specify which data you would like to receive. To a company, personal data often means only account information: for example, email addresses, passwords, and account numbers. When you ask for more, the answer often follows that no further personal data is collected, only some information about, for example, when devices are switched off and on, or about the settings and preferences made, including geographical data that shows where exactly you switched on the light in your home. So nothing personal… All in all, very personal behavioral patterns can be constructed from the stored data. In the rare case that a company does send all the data, it often comes as huge JSON or CSV files, which for many are difficult to open, let alone read or understand.

“Requesting data collected by smart devices, which should be properly regulated by law, rarely goes well in practice.”

In many cases, you will not get the information at all, or you will receive incomplete information or information in an unmanageable format. Is this such a problem? Until now, obtaining personal data from the Internet of Things has been a rather Kafkaesque process that usually works out well. At least, we are not yet aware of the harm because this data is virtually inaccessible. It has been neatly laid down that you have the right to view readable data, including an explanation of the personal data that products collect. But what is missing is a clear description of what personal data are, what exactly readable means, or when an explanation is sufficient. The law is there, but practice still needs to be much better.