Suostumus henkilötietojen käsittelyn perusteena esineiden internetissä

The rise of the Internet of Things (IoT) has brought with itself an unimaginable ease to large-scale collection and sharing of personal data. Such large-scale collection and sharing are often done on the basis of data subject’s consent. Consent enjoys a prominent role in the European data protection framework. Consent has, however, been criticised for not providing individuals with adequate protection in online environments. This problem will only be exacerbated with the rise of IoT as IoT extends the data collection practices of the online environments also to offline environments. The purpose of this thesis is to explore the use of consent in the processing of personal data in the IoT. There are two research questions this thesis aims to answer: i) what are the problems and challenges related to the traditional consent based model in relation to IoT, and ii) is there an alternative way forward to user consent? This will be done through legal doctrinal methodology. However, this thesis will also take an interdisciplinary approach as it also draws from different disciplines than law such as technology, behavioural sciences and economics. This thesis shows that, in digitalized world, consent is neither freely given nor informed; thus, challenging the notion of valid consent. These problems arise from information and power asymmetries that are present between data subjects and controllers. However, IoT also brings with itself a unique set of problems as most IoT devices lack screens and input methods making it hard for individuals to access information and provide consent. Moreover, the unobtrusive and ubiquitous nature of IoT makes data collection activities invisible making it hard to apply transparency principle. It is also predicted that the presence of IoT in public spaces leads to the diminishment of private spaces. In light of this, this thesis discusses some alternative ways forward to user consent. The first approach focuses on improving consent, while the second approach aims to shift the focus away from consent by placing accountability on controllers. While both of these alternatives have appeal, they do not come without challenges. Therefore, more research is needed in the field of IoT and data protection