Internet of Things, Artificial Intelligence, Profiling and Automated decision-making
Practical guidelines on how to identify specific data protection compliance aspects and risks, and how to demonstrate accountability under the EU General Data Protection Regulation (GDPR) in the Internet of Things (IoT) and Automated decision-making/Artificial Intelligence domains.
Dominik Mahr, Associate Professor, School of Business and Economics, Maastricht University
Maja Brkan, Assistant Professor in EU law, Faculty of Law, Maastricht University
Cosimo Monda, Director, European Centre on Privacy and Cybersecurity, Maastricht University
This module addresses the data protection implications of new technologies, covering automated decision-making/AI and the Internet of Things. In times of rapid change and innovation, understanding these technological developments and their data protection and privacy implications is key for forward-looking organizations as well as for data protection professionals, who will certainly face questions on these matters sooner rather than later.
In this course the data protection implications of IoT and Automated decision-making/Artificial Intelligence are specifically analysed, and practical insights on how to address compliance and demonstrate accountability in such a complex domain will be shared with the participants.
The following questions are addressed:
- What are IoT and automated decision-making/AI and how do they work in practice?
- Which are the main data protection issues and the main provisions of the GDPR?
- How to select the most appropriate legitimate ground to process data (e.g., data subject’s consent, legitimate interest pursued by the controller or by a third party, execution of contractual obligations)?
- How to ensure effective compliance with purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability?
- How to identify and effectively regulate the respective duties and obligations of the parties involved to assure compliance with the GDPR?
- How to correctly comply with the duty to inform the data subjects?
- To what extent can we speak about 'algorithmic transparency' and algorithmic accountability, given the complexity and opacity of the algorithms?
- How to correctly identify the personal data flow/transfer outside the EU?
- Do IoT and automated decision-making/AI trigger the obligation to conduct a DPIA?
- How to determine the appropriate technical and organisational measures to ensure a level of security appropriate to the risk?
- Cross-cutting reflection on how these technologies interplay with each other and other technological developments.