| dc.description.abstract | Many businesses and individuals across the world are becoming increasingly reliant on the Internet of Things (IoT). Smart devices that can constantly collect and process personal information are already shaping and altering people’s daily lives. Data protection, which regulates the processing of personal information, aims to safeguard various values, one of which is informational self-determination. The idea of informational self-determination is rooted in principles of human dignity, individual freedom, and autonomy. This concept is firmly established within the framework of European Union (EU) personal data protection, primarily through the concept of consent. Consent stands as one of the most frequently used mechanisms to legitimise large-scale data collection and processing activities. It stands as a crucial tool employed to grant autonomy, power and control over users’ personal information while ensuring they possess knowledge about the intentions and methods of data collection and processing. However, the constant connectivity of smart devices and data processing jeopardises such principles and values. To address these kind of new generation concerns, the European Union (EU) has introduced specific laws to govern data collection and data processing activities, including its landmark the General Data Protection Regulation (GDPR). Consent mechanisms are intended to ensure that individuals can make autonomous decisions about their personal information based on their own values and interests. Their primary purpose is to guarantee that users maintain control over how and for what purpose their data can be collected and processed. Consent is therefore supposed to give users control over their personal information as stipulated under EU laws. However, this thesis argues that certain principles of consent are not being honoured in practice. There is a gap between what the law aims to protect and what happens in practice. As a result, individuals have started to lose control over their personal information as new applications and technologies are launched to the market, generating their value from aggregating and analysing data. Therefore, data controllers need to incorporate additional measures (such as data protection by design and data protection by default) and ensure that principles such as fairness and transparency are effectively implemented. Ensuring adherence to data protection principles, along with implementing additional measures and the elements of consent is imperative in mitigating the challenges and safeguarding individuals’ rights. This thesis, therefore, investigates the reciprocal influences of law and technology, and sheds light on how disruptive technologies are transforming lives and businesses and changing society’s attitude towards privacy matters. It argues that, even in cases where data controllers obtain the consent of data subjects as envisaged under the GDPR, it is not always the effective guardian of autonomy. Individuals who accept privacy policies cannot possibly foresee the consequences of their data being gathered and processed, and indeed it is unrealistic to expect this of average consumers, given the growing complexity of Big Data analytics. Accordingly, this research closely examines the loss of control over personal data that is resulting from the evolving features of technology, and the impact of consumer IoT devices on autonomy, which inevitably leads to analysis of the consent paradox. Additionally, it evaluates whether consent can be considered as an absolute instrument to safeguard individuals’ control over their personal information. This research also provides a detailed analysis of the inapplicable provisions of consent mechanisms that compromise primary values such as self-determination by creating uncertainties in practice. It uses case studies and examples from practice to evaluate the efficiency of the current regulations. Furthermore, it explains why additional measures have become crucial to support the decision-making process of the user in terms of ‘control’ and ‘autonomy’. EU legislation is taken as the starting point for the examination of these matters, since its privacy and data protection regulations affect all organisations located in or exporting to the EU, as well as organisations monitoring the behaviours of data subjects within EU borders by processing their personal data. The EU’s privacy and data protection regulations have an additional significance since they are frequently used as guidance by non-Member States. | en_US |
