Keywords

1 Introduction

Advanced information societies are undergoing a deep and most likely irreversible digital transformation, affecting its technological, socioeconomic, spatial, and cultural foundations. The notion of digital transformation has been increasingly used in many specific contexts such as smart cities (Harmon, Castro-Leon, & Bhide, 2015; Salem, 2016), digital literacy (ICT Panel, 2002), organizational change (Bounfour, 2016; Seufert & Meier, 2016), or innovative provisions of public services such as health care (Agarwal, Gao, DesRoches, & Jha, 2010; Herrmann et al., 2018). Typical goals of digital transformation—a complex socio-technical process that involves an interplay among people, technologies, and institutions—are higher productivity, cost efficiency, reliability, and accessibility. In this chapter, digital transformation is understood more broadly as the transformative effect of Information and Communication Technologies (ICTs) and their effect on human activities and people’s social lives (Taipale, 2009; Wajcman, 2015). The use of transformative technologies is not only changing transport, mobility lifestyles, ways of learning, and working but also the meanings and practices of friendship, romances, and the whole notion of intimacy (Hobbs, Owen, & Gerber, 2017).

Since the turn of the millennium, the Internet and the smartphone have been at the center of digital transformation, given their daily use by billions of people worldwide. As Lugano (2010) pointed out, this transformative effect is particularly prominent when conceptualizing the smartphone as a general-purpose platform for attaining individual and/or collective purposive action goals. From this perspective, the smartphone has “an enabling role and an emancipatory function for digital communities because it provides, through community-generated services (CGS), an increased capability to drive change.” It is recognized that always-on digital devices such as smartphones and tablets should be regarded as powerful double-edged technological weapons: to maximize benefits, while alleviating risks, they should be handled with care and wisdom. Hence, participation in the digital world requires awareness of today’s reality and its ambiguities, risks, and opportunities. The Internet and smartphones, particularly when considered from the viewpoint of social media, are powerful dual-use technologies: depending on how they are used, they can be beneficial or harmful. Unlike traditional weapons, it is not the device itself (e.g., the smartphone) that is harmful, but rather the data that such device produces about us, either silently in the background (e.g., through its sensors) or more explicitly as part of our social communication and activity with apps.

From the perspective of an individual, two interrelated trends of digital transformation are illustrated within this chapter. The first trend concerns the increasing types of personal data, previously invisible, inaccessible, or just intimately kept in people’s intimate spheres which are nowadays continuously logged, quantified, gamified, and presented explicitly not only back to the person but sometimes also shared with his or her own social circles—even made public. To maximize its preservation, alleviate risks of loss and enable portability, personal data—even of sensitive nature—will be less and less stored just in physical form (e.g., paper) and kept in a single device (smartphone memory) or digital support (e.g., DVD, USB stick, and computer hard drive). In short, personal data will be increasingly moving from people’s minds and hearts to the cloud. The second trend is that despite technical enforcements, efforts to explain and simplify personal privacy managements to users, and legislative adaptations such as—in Europe—the European General Data Protection Regulation (GDPR)Footnote 1 it is still practically impossible to gain full control of one’s own data once this is collected and uploaded to the even-expanding Internet cloud. And the situation is not expected to improve in the near future with the next step of the digital transformation—the Internet of Things (IoT). The IoT will further integrate aspects of the physical and digital world, pushing further the blurring of the boundaries of the wider consequences of the process of digital convergence (Lugano, 2010). Moving from this consideration, Baldini, Botterman, Neisse, and Tallacchini (2018) call for an ethical design of the IoT based on a policy-based framework, which is “respectful of the rights of the citizens instead of being only driven by economic considerations.” According to this view, new approaches to privacy and data protection are needed since “the amount of collected data from the IoT will be too difficult to control—and the complexity becomes even higher when attempting to determine which data are personal and which are not” (Baldini et al., 2018).

Interestingly, in the months before the introduction of the GDPR, the “Facebook—Cambridge Analytica” case occupied the global media headlines, with a strong impact on business and political discussions.Footnote 2 This was probably the largest personal data scandal in history, involving the use of personal data collected since 2014 from at least 87 million Facebook users, mostly from the USA, for a purpose (i.e., influencing political opinions) that was different than the declared one (i.e., carrying out academic research). The unprecedented opportunities that smartphones and social media offer to study human behavior correspond to new risks for influencing and manipulating opinions and behaviors at local, national, and global levels (Gross, 2018).

Many other stories could be reported on inappropriate uses of personal data. An interesting one was published by The Guardian in July 2017 on data collected by Tinder, a popular dating smartphone app. Judith Duportail, journalist and author of this story, found that that the company behind Tinder gathered a “dossier” of over 800 pages on the journalist, based on her Tinder use and about 1700 messages exchanged. The official purpose for dating apps to collect all such data is to “personalize the experience for each of our users around the world” (Duportail, 2017) by means of advanced algorithms that are part of the core company technology and therefore protected as intellectual property. In short, details on such algorithms and ways in which personal sensitive data is processed cannot be revealed to the user. Luke Stark, digital technology sociologist at Dartmouth University, provided his comment on the story, underlining that “Apps such as Tinder are taking advantage of a simple emotional phenomenon; we can’t feel data. This is why seeing everything printed strikes you. We are physical creatures. We need materiality.” This is one of the key aspects of the digital transformation, to which we, as human beings, cannot easily and rapidly adapt.

Nandwani and Kaushal (2017) carried out a study on the vulnerability of users to privacy disclosures in online dating applications such as Tinder. According to the authors of the study, in <30 min they could collect from most users personal data such as full name, date of birth, phone number, personal photo, email address, and work occupation details. This is an example of social engineering attack (Krombholz, Hobel, Huber, & Weippl, 2015), which has become very popular in the age of always-on smartphone connectivity and social media.

In the IoT context, the collection of personal data and personal sensitive data will affect not only personal computers and smartphone apps but also a large amount of smart devices including connected and automated vehicles and domestic robots used for companionship or even for sex (Cheok, Levy, Karunanayaka, & Morisawa, 2017; Danaher & McArthur, 2017; Sharkey, van Wynsberghe, Robbins, & Hancock, 2017). In these contexts, data will be often collected through natural interactions and conversations with virtual assistants (Lugano, 2017).

Entering this digital world is easy and convenient and may be used for “flight” instead of “fight” whenever needed. However, this sense of freedom and power is an illusion: while access, creation, and the sharing of data (in any form) is rather easy, gaining full control over one’s own personal data is practically impossible. Once shared, data can be copied and stored locally; it is not possible to know how many copies exist, who has access to them, and how they are used. The discussion on the “right to be forgotten” (Newman, 2015), with different views and interpretations across the world, represents only the tip of the iceberg of the whole issue of personal data control. Feelings of frustration and the need to regain control contribute to the rise of phenomena such as digital paranoia (McNeal & Schmeida, 2015) and digital detox (Miksch & Schulz, 2018; Ugur & Koc, 2015). These reactions may also lead to new forms of exclusion and digital divide, especially among weaker social groups (Baldini et al., 2018). Other worrying practices related to the misuse of sensitive data are sexting and revenge porn, which often involve teenagers (Englander, 2015), and increasingly happen among strangers who meet online. How do we protect users from these negative trends in the age of ubiquitous and pervasive computing?

Ensuring adequate control over personal data is one of the greatest challenges of being part of a digital world. Many parallel developments aim at addressing the challenge of control over personal data at various levels: at a technological level (e.g., facial recognition software to detect misuse of images), at an educational level (e.g., promoting digital civility), and at a legal level (e.g., introduction of the GDPR in the European Union). In line with the view presented by Baldini et al. (2018), we claim in this chapter that all the ongoing data protection developments are not yet adequate to address the challenges of the IoT. This claim is illustrated in the chapter as follows: after an overview on how the GDPR aims at further protecting users in the European Union, we make specific reference to the processing of personal sensitive data in the area of connected and automated driving (CAD) and domestic social robots with an advanced artificial intelligence (AI). The two areas have been selected due to being related to each other, and therefore useful to understand ongoing trends and future developments. In particular, CAD is the first major IoT area that will most likely affect lives of billions of people worldwide in the next few years. In CAD, being connected means that vehicles will be able to exchange information wirelessly with other vehicles and infrastructure as well as with the vehicle manufacturer and/or third-party service providers. Vehicle connectivity enables a communication that is cooperative, not competitive. Technically, this is described as cooperative intelligent transport systems (C-ITS), an area of ITS that focuses on vehicles’ connectivity and cooperative communication. In addition to being connected, CAD vehicles will also be increasingly automated in some aspects of safety-critical control functions without direct driver input. While CAD will materialize in the next wave of intelligent cars and transport systems, domestic social robots and advanced AI will be less visible as they will be gradually embedded and penetrate all forms of digital technologies and devices, including CAD. Like smartphones, CAD will also collect large amounts of personal data, which will be aggregated and processed by advanced AI. Part of the processed data will also be used to enhance the user experience and provide further service options to the user through smart interfaces and virtual assistants (a form of social robot). This form of value creation, largely dependent on the collection and aggregation of user’s personal data with other data sources, is challenged by the need to strengthen the protection of the same personal data. Although personal data collection is typically assessed by taking into account both the privacy and the (cyber-)security perspectives, in this chapter we primarily focus on personal privacy implications. The chapter concludes by pointing out areas in need of further investigation, underlining the importance of dialog and collaboration among the research community, policymakers, and business actors.

2 GDPR and Data Protection in the IoT

This section frames the discussion on personal data and the GDPR requirements in relation and context to the IoT. Specifically, while IoT technologies are designed for end users, the GDPR requirements and measures are largely addressed to companies responsible for the collection and processing of personal data. To what extent can users be empowered and gain control over their data? While a trade-off among value creation and user protection is understandable, users cannot easily influence such decisions, as their perception, awareness, and actual control over data are strongly influenced by companies’ corporate communication and GDPR-compliant design of devices and user interfaces.

The Internet of Things has been defined as “an emerging global Internet-based information architecture facilitating the exchange of goods and services in global supply chain networks” (Weber, 2010). Regarded as an information architecture, privacy and security are typically described as IoT technology requirements related to the “concealment of personal information as well as the ability to control what happens with this information” (Weber, 2010). To the end user, the IoT may be more simply explained as a “collection of “things” embedded with electronics, software, sensors, actuators, and connected via the Internet to collect and exchange data with each other” (Yang, Wu, Yin, Li, & Zhao, 2017).

The IoT extends the Internet as it is known today by interconnecting objects of everyday use. A 2017 report on the IoT by Gartner estimated that 20 billion devices will be connected by 2020 (Hung, 2017). Compared to the “first wave” of digital transformation, symbolically associated to always-on connected smartphones, IoT is the next wave of digital transformation enabling many devices of everyday use, such as the car, fridge, or television, to be always-on and interconnected. This means that all the devices, similarly smartphones, will also be continuously collecting and processing personal data—sometimes of sensitive nature. Such data will be stored in company servers, typically based on cloud computing technology. As a valuable asset, criminals will be interested to find out creative and innovative ways to exploit vulnerabilities to realize their own interests. For this reason, privacy and security requirements for the IoT represent one of the key areas that will determine the success, or the failure, of the associated products and services strongly influenced by customers’ trust.

In parallel to the enforcement of technological solutions put in place by businesses, public authorities contribute by updating the data protection legislative framework. In this respect, the introduction of the GDPR in Europe represents an important step for strengthening citizens’ data protection rights in terms of increased transparency and awareness on how collected personal data is used. In the GDPR,Footnote 3personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Specific identifying factors include in particular:

  1. (a)

    Genetic data: personal data concerning inherited or acquired genetic characteristics of a natural person and providing unique information on the physiology or health of that person;

  2. (b)

    Biometric data: personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of the natural person, which make it possible to clearly identify the person;

  3. (c)

    Health data: personal data relating to the physical or mental state of a natural person, including data on the provision of healthcare services.

Among personal data, in this chapter we focus on personal sensitive data: this is described by the GDPR as a special category of “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, […] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”Footnote 4 It is also worth referring here to the notion of processing of personal data. According to the GDPR, processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”Footnote 5 Personal data may be processed by the operator and intermediary as prescribed by law. The GDPR introduces functional requirements, technical requirements, process requirements, privacy requirements through encryption, disaster recovery requirements and also introduces an incident management process. To meet the requirements for processing personal data, the following obligations must be met first:

  • Legality: fairness and transparency;

  • Transparency of information: notifications and procedures for exercising the rights of the data subject;

  • Purpose of processing: exception for research purposes;

  • Processing time: necessary limitation of data storage must be necessary for the purpose;

  • Data minimization: data must be accurate and current, and data that is outdated must be erased immediately;

  • Confidentiality and integrity: protection against unauthorized and unauthorized access and data processing, security of personal data.

Some of the requirements, which companies processing and storing personal data must fulfill, are particularly relevant in the context of IoT. These include monitoring aspects such as IoT vulnerability to various types of hacker attacks, the adopted security measures for IoT and industrial safety, and the review of practices and procedures of business partners (suppliers, customers). At an implementation level, companies also need to take care of the following:

  • Impact assessment of the Internet of Things anddata protection: this obligation is required, in particular, in the case of a new specific personal data processing puts at high risk, if compromised, the rights and freedoms of the person concernedFootnote 6;

  • IoT device connectivity: evaluate the most suitable technological standard and solution for IoT connectivity. These could range from the short-range ones such as ZigBee or those used in a long-range context, such as Low Power Wide Area (LPWA) technologies (e.g., common for smart home solutions and wireless apps);

  • Providing consent to the processing of personal data: informed consent is one of the legal grounds for lawful processing of personal data. Explicit consent by the user is expected also for IoT applicationsFootnote 7;

  • Other GDPR measures relevant to the IoT area: the GDPR include specific rules on the processing of personal data on children, the right of deletion, the right of access to personal data, or the right to file a complaint with the supervisory authority.Footnote 8

The GDPR does not require special methods to be used for security. Encryption pseudonymization, anonymization, and multifactor authentication are all valid options. Each organization needs to review and choose its methods according to the systems they use, the related costs, and the level of risk.

As described, many of the GDPR requirements are relevant to the IoT. The GDPR regulates specific areas of processing and protection of personal data, not referring to specific technologies. For this reason, the GDPR does not allow addressing with certainty all the issues concerning the IoT. Given the wide scope of the GDPR and general conditions for its compliance, most likely it will be necessary to create, within the GDPR general framework, specific rules and requirements for each relevant IoT area.Footnote 9

The introduction of the GDPR is a step to make the EU the world’s lead privacy regulator, in theory a model to be followed worldwide. However, as highlighted by de Arriba-Sellier (2018), there is a concrete risk that the GDPR will empower lawyers, rather than citizens. Risks and challenges are mostly related to the educational (and sociocultural) understanding of the GDPR from companies’ communication perspectives, as well as the citizen perspective. To what extent do citizens understand their data protection rights? How will the GDPR affect citizens’ smartphone usage practices today? How will it affect the new challenges presented by IoT applications? How big are the differences in privacy perception and experience in terms of age groups, gender, cultures, and lifestyles?

3 Data Protection in the Context of Connected and Automated Vehicles

Connected and automated driving (CAD) is one of the first IoT application areas that is associated with several entirely new concerns over the personal data protection of transport users and mobility systems. While IoT technologies support the emergence of intelligent transport systems (ITS) delivering an increased level of safety, convenience, and personalization to the user, at the same time they also create conditions for an “always-on,” real-time system of global surveillance.

The volume of personal data processed by car manufactures was minimal several years ago. This was mostly related to the information collected through a contract at the time of buying the car, and to the subsequent history of car usage and ownership (e.g., technical maintenance, insurance, change of ownership or residence, and accidents). In the IoT context, thanks to sensors, cameras, and other technological devices (Fig. 1), from which the cars acquire abilities to collect and process information and to interconnect and communicate with transport infrastructure, vehicles, and people inside the car (drivers, passengers) and outside (pedestrians, cyclists). Technically, types of car communications are referred to as Vehicle-to-Infrastructure (V2I), Vehicle-to-Vehicle (V2V), and Vehicle-to-Device (V2D). In-car communication can occur, for instance, through various forms of interaction with virtual assistants (Lugano, 2017).

Fig. 1
The infographic image of different technologies supporting connected and automated cars.

Technologies supporting the connected and automated car (FPF, 2017)

Full size image

The innovation, development, and use of connected and autonomous vehicles will involve the collection of a wide range of personal data, ranging from transport and mobility data (e.g., location, direction of travel, average speed, mileage, and journey history) to identity and behavioral data (e.g., passengers’ identities, car comfort preferences, or health-related data such as fatigue and stress). Even schedules of planned events, collected from passengers’ connected devices, may be used for optimizing route and personalized communication.

The short—and largely incomplete—list of types of personal data that may be used in this context is a reason for new privacy concerns, and most likely additional legislative adaptations and requirements. For instance, concerning the purpose of data collection—will such data be collected simply to optimize the travel experience, or will it also be used for targeted marketing, advertising, and profiling (e.g., review of insurance terms based on monitoring of driver’s additional health parameters)? From a security viewpoint, what risks would arise from the collection of such data?

As mentioned in the introduction, failure to properly address privacy and security may significantly decrease trust and acceptance toward this new generation of cars, which is already rather low (Abraham et al., 2016; Cavoli et al., 2017; Eurobarometer, 2015, 2017; Kyriakidis, Happee, & De Winter, 2015).

Let us consider the opinion of the Article 29 Data Protection Working Party on C-ITS (WP29, 2017b), “a peer-to-peer solution for the exchange of data between vehicles and other road infrastructural facilities (traffic signs or other transmitting/receiving base stations) without the intervention of a network operator”. “[…] Two types of messages are exchanged in the context of C-ITS: the so-called Cooperative Awareness Messages (CAM), broadcasted with continuity and containing kinematic data and the dimensions of the vehicle, and the Decentralized Environmental Notification Messages (DENM), sent in addition to the CAM messages only upon the occurrence of specific events (like accidents) for urgent emergency situations, and containing location information about the event.” The analysis of the Working Party concluded that broadcast messages exchanged by the vehicles are personal data because they relate to identified or identifiable data subjects. The Working Party also raised specific concerns related to the applicability of GDPR (in particular, Article 11) in the C-ITS context: “By invoking art. 11 of the GDPR without specifying what additional data are necessary to enable identification of the data subjects, the exercise of data subject rights (access, rectification, portability, etc.) is de facto prevented. […] Therefore, the Article 29 Working Party calls for proposals from the C-ITS WG on the concept of “additional information” that can be provided in the context of this new service to make this provision effective, taking into account for instance specific vehicle data, or the highly identifiable nature of location data” (WP29, 2017b).

Additionally, the Working Party also expressed more general privacy concerns about the large-scale deployment of C-ITS. While the variety of benefits of C-ITS introduction are acknowledged, from a privacy perspective, “the large-scale deployment of this new technology, which will entail the collection and processing of unprecedented amounts of location data of individuals in Europe, poses new challenges to the fundamental rights and to the protection of personal data and privacy both of users and of other individuals that will possibly be affected.” As an example, C-ITS will share to the cloud information on where people drive and how they drive—information that was previously kept in the mind of the driver or communicated to the GPS of his/her car. The Working Party warns of the fact that “unrestricted and indiscriminate access to data shared within C-ITS may allow for the unfair accumulation of individual movement profiles, a “datification” of driving behaviors, on which personalized goods and services can be shaped, advertised and sold” (WP29, 2017b). Based on the in-depth assessment of the privacy and security risks of C-ITS, a long list of the actions required to enhance the GDPR is provided.

It is worth noting that C-ITS is only one of the technological and application areas of connected and automated driving. For instance, future mobility schemes combining autonomous vehicles with shared mobility typically require some sort of matching between demand and offer, and a degree of service personalization (Krueger, Rashidi, & Rose, 2016). The challenge of data protection can be better understood by referring to the implications related to the continuous collection of one of the key variables, on which the whole connected and autonomous driving ecosystem is built: the tracking of user location by GPS technology. In the USA, the case of United States v. Jones attracted broad interest and reflections on the limits of government surveillance and its impact on human rights (Murphy, 2012). In this specific case, the Supreme Court of the United States declared the prolonged GPS tracking of a suspect as unconstitutional, against the Fourth Amendment of the US Constitution.Footnote 10 Four weeks of GPR tracking represented a prolonged period, which generated a dossier of about 2000 pages of data including latitude and longitude of the subject’s movement. This represented sensitive personal data, as “GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations […] Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse” (Jones, 2017).

The “United States v. Jones” example is limited to GPR tracking only, but it already gives an idea of the broad data protection implications of these kinds of technologies. In the context of connected and automated driving, large amounts of data will be continuously collected and processed. Joy and Gerla (2017) provide a largely incomplete, but very significant, list of such data:

  1. 1.

    External sensors (e.g., GPS, cameras, and lidars);

  2. 2.

    Internal automotive sensors and actuators (e.g., brakes, steering wheel, and accelerator);

  3. 3.

    Internal cockpit sensors (e.g., driver’s state of health, alertness, tone of voice, and health sensors like the Ford heart monitor seat);

  4. 4.

    The Driver’s messages (e.g., tweets, Facebook, and other crowdsourced info) are also measurable sensor outputs that characterize the state of the system and of the driver;

  5. 5.

    Vehicle’s beacons, alarms report on the Vehicle state; say, position, key internal parameters, possible dangers, etc.

While privacy-preserving techniques will be applied, key principles of data protection shall be embedded in the design of the various components of the connected and automated driving ecosystem. To make such a design effective, its implementation should proceed in parallel with the development of an adequate legislative framework (i.e., adaptation of the GDPR, in Europe).

4 Designing Domestic Social Robots for Data Protection

The large-scale deployment of intelligent transport systems, and connected vehicles that are increasingly autonomous, represents just an early sign of many other similar interrelated socio-technical trends. In this section, we describe how social robots, operating as part of intelligent transport systems or in other contexts (e.g., homes, offices, and factories), will grow on an even larger scale of existing data protection challenges.

Social robots, in particular domestic social robots (Esposito, Fortunati, & Lugano, 2014; Fortunati, Esposito, & Lugano, 2015; Vincent, Taipale, Sapio, Lugano, & Fortunati, 2015, Pagallo, 2016), represent another strategic IoT area. There exist several definitions and conceptualizations of a robot: in this chapter, we limit our considerations to robots designed for interacting with humans—thus the concept of social robot—and in a specific interaction context, the domestic environment, i.e., homes. This is what we mean by domestic social robot.

A prominent characteristic of a domestic social robot is its Artificial Intelligence (AI) which is also optimized for interaction with humans. This concerns not only functional interactions and communication but also emotional ones, often in natural language (Baron, 2015; Breazeal, 2003). Although it has been questioned whether intelligent robots need emotion (Pessoa, 2017), it is out of this discussion that social communication is the primary dimension of this type of human–robot interaction (HRI). Within this context, intelligent virtual assistants such as SiriFootnote 11 or Google AssistantFootnote 12 (Hoy, 2018) are classified as domestic social robots, even if they can be used in any interaction context (i.e., domestic and non-domestic ones). Additionally, they are a form of “intangible” domestic social robot, without a unique physical structure: they can be “hosted” and run on several devices including a smartphone, smart-watch, car communication system, or smart speaker. Unlike “tangible” robots, which are physically located in the domestic context and are not necessarily connected to the IoT, virtual assistants exist in the cloud and are part of the IoT (Fig. 2). This is a key difference, when we analyze them from a data protection point of view.

Fig. 2
The website page view of the Apple Company with some images of Apple products.

Presentation of Siri intelligent assistant on Apple website

Full size image

To further narrow down the context of this analysis, it is best to address robots from the perspective of service robots. This allows differentiating such robots by the type of service or use they are designed for (e.g., companionship and assistance for the elderly, taking care of domestic tasks, and entertainment). Statistics on service robots are regularly provided by the International Federation of Robotics (IFR). The 2017 IFR report on service robots describes a growing trend of units sold worldwide: while sales of professional service robots remain modest (growth of sales from 48,018 units sold in 2015 to 59,706 sold in 2016), the amount of personal and domestic robots sold worldwide already reaches 6.7 million units, with a market value of 2.6 billion USD (IFR, 2017). Services provided by these robots include vacuum and floor cleaning, lawn-mowing, and entertainment and leisure (e.g., including toy robots, hobby systems, education, and research). In the next 15–20 years, it is expected that the popularity of social robots devoted to elderly and disabled assistance and companionship will increase as one of the measures to alleviate the societal effects of global population aging.

Interacting with domestic social robots reveals a lot about us (Broadbent, 2017). Hence, a key design principle of such robots should be to minimize the potential harm which their collection of personal data could do to the people the robots interact with. In short, domestic social robots should be designed with data protection in mind. This is very challenging, as Pagallo (2016) explains: “Although the claim and goal of lawmakers will probably revolve around the protection of individuals against every harm, e.g., psychological problems related to the interaction with domestic robots and the processing of third parties’ information, the intent to embed normative constraints into the internal control architecture of such artificial agents entails a major risk. If there is no need to humanize our robotic applications, we should not robotize human life either.”

In this respect, the best possible option would be that domestic social robots are not part of the IoT and the data collected by them is only used within the narrow and well-defined interaction context (i.e., the home). In short, to privilege data protection such robots should not be able to connect to and exchange data with digital networks. In this respect, let us consider the case of a physical domestic robot—the Roomba vacuum cleaner, and the way Google deals with data protection in the context of its intangible virtual assistant.

In relation to Roomba, leader in the production of robotic vacuum cleaners, The New York Times in 2017 warned consumers that the maps of their homes, produced and used by Roomba iRobot vacuum cleaners for their cleaning task, may also be uploaded to company servers and potentially sold to other companies such as Amazon, Apple, or Google (Astor, 2017). Although Roomba underlined that the company had no plans to sell such data, they confirmed that this data may be shared for free, with customer consent. In this scenario, homes’ maps, clearly identifying a person, may be aggregated with other sources of data concerning that person and used in a variety of ways. Even when not aggregated, information on the size of the apartment and the amount and characteristics of furniture and other equipment can allow estimating owner’s income level, and even preferred brands and lifestyle. While it is clear how such information may be used by marketers and advertisers, it is less clear what could be the potential benefits to the customers in sharing such data. Based on the requirements set by the GDPR in Europe, it is also unclear how such requirements could be met by robotic vacuum cleaners, especially in the scenario in which they can exchange data with other IoT apps and devices (belonging to the same user or to other users).

The reasoning behind the Roomba case may be extended to other types of domestic social robots, such as sex robots (Cheok et al., 2017; Danaher & McArthur, 2017; Sharkey et al., 2017). Without entering into any sort of ethical judgment about them, the personal data collected by this kind of domestic social robots would be likely very harmful to the user if such robots are given the possibility to share such data across networks. As to the human–robot emotional and intimate interactions, Calo (2011) warned that “as we manifest these interior reflections of our subconscious, a technology will be recording them. […] they will reveal information about us that a psychotherapist might envy. This arguably novel category of highly personal information could, as any other information, be stolen, sold, or subpoenaed.” In 2017, a sex toy company agreed to pay almost four million USD to customers who sued the company in a class action lawsuit. The reason behind the class action was a discovery, by security researchers, that the company was collecting and processing customers’ personal data on how customers used the sex toy (e.g., information such as temperature and intensity settings, as well as frequency of use). A Fortune.com story on this case rightly opens the article by stating “Think twice about connecting those sex toys to the Internet.”Footnote 13 In addition to companies’ inappropriate data collection practices, it is likely that without appropriate data protection mechanisms, the aforementioned phenomena of sexting and revenge porn could assume new worrying forms, dramatically impacting people’s lives.

In parallel to physical robots and robotic devices, data collected by virtual intelligent assistants must be considered. Think of the data collected by Google Assistant, one of the most advanced and popular examples of this kind of technology:

  • Web and app activity: this includes online searches and history, and nature of browsed content;

  • Device information: contents stored on the device such as lists and details of contacts, calendar events, personal notes, and apps;

  • Voice and audio activity: records voice and audio input.

Additionally, the user may also allow consent for other types of data such as:

  • Screen sharing: user may allow Assistant to process content that is on the screen of the device (e.g., camera, photo, and document) to provide recommendations and complementary information;

  • Voice match: voice recognition commands.

In line with Google’s Privacy Policy, the collected data “may be used to deliver more useful ads.”Footnote 14

The security of intelligent virtual assistants are not receiving sufficient attention (Chung et al., 2017), despite the major risks that they pose to users’ assumed personal privacy. Courtney (2017) highlighted that “users may need to start censoring what they say, or face the very real prospect of a digital spy leaking more information than they care to divulge.”

While the conversation around connected and automated driving concerns various initiatives around the world aimed at improving the current legislative framework, for the area of domestic social robots—particularly when they are considered as part of the IoT ecosystem—there are many open questions, and the ongoing efforts to regulate this area are too limited.

5 Conclusion

Society is undergoing a major digital transformation affecting all areas of human activity. While the expected benefits of this societal turn are many, the use of IoT technologies presents challenges and risks from the viewpoint of fundamental human rights, such as privacy, that should not be underestimated.

In parallel to technological advancements, the legislative framework is constantly adapting to address these emerging needs. In this respect, the recent introduction of the General Data Protection Regulation (GDPR) in Europe is a milestone toward an enhanced citizens’ data protection. However, the GDPR does have its limitations, both from the viewpoint of its practical applicability and the gray areas, mostly related to specific technologies and applications, which should be addressed with specific complements to the GDPR (e.g., guidelines and recommendations). As Baldini et al. (2018) argued, real improvements will only be possible once the IoT will be driven by ethical design, primarily addressing citizens’ rights and interests. This scenario does not however seem to be reflected in the ongoing IoT developments in specific areas such as connected and automated driving, and domestic social robots. Despite the GDPR, mechanisms allowing citizens to have adequate control over their personal data are still not in place, and the advent of the IoT only increases such challenges.

On the other hand, in the digital era, the whole meaning of privacy has evolved and often takes the form of a decision problem in which the user dynamically evaluates the potential utility and the harm associated to the digital sharing of personal content (Lugano & Saariluoma, 2007). Even if this approach is adopted as the basis for the user’s decision-making, to what extent may potential utility and harm related to digital sharing be assessed with sufficient confidence?

In an increasingly networked and digital world, the solution to personal data protection will not lie in withdrawing from all the opportunities that participation in such a world entails. The cost would be social exclusion and marginalization from such a society. Instead, a massive investment in enabling citizens to critically assess what alternative options (e.g., classic vs robotic vacuum cleaners and traditional vs self-driving cars) mean in terms of personal privacy is strongly needed. Although this is a key responsibility of the public sector, educational systems, and families, the private sector should be held accountable in the co-creation of an IoT that is as trustworthy as the companies and organizations behind it. In this context, the research community has a central role, as the knowledge produced should be used both for evidence-based decision-making and for fine-tuning and calibrating IoT design and applications.

An important lesson was learned from the case studies on connected and automated driving and domestic social robots. If these developments are necessary for society, it is clear that their functionality is largely based on the collection and processing of variables that are considered personal data and personal sensitive data. From the user perspective, such data is used in a specific context (e.g., matching demand and offer in a shared mobility system with autonomous vehicles). Being its usefulness is limited in time, it would be desirable to have an “expiration date” for the collected data. After that, no trace of such data would exist in the cloud. Potential renewal in the processing of such data should be explicitly provided by the user. This solution, however, would not allow an intelligent system to learn, since this learning is based on the processing of large amounts of data. The trade-off here is therefore on a suitable “expiration period” that would still allow the system to learn. Additionally, technical solutions are needed to avoid the indiscriminate duplication and sharing of personal data. Data anonymization is important, but not sufficient as there are known techniques with de-anonymizing data (Su, Shukla, Goel, & Narayanan, 2017). Finally, for the specific domestic context it may be more desirable for citizens’ privacy that only a few of their belongings get “smart” and “connected” to the IoT.