Position Paper: The role of law in achieving privacy and security measures in smart buildings from the GDPR context

Abstract

Background.Smart buildings are gaining more awareness and becoming adaptive to building occupant preferences, enabling by personal data processing given the implementation of sensors and pervasive computing. Although these technologies may provide great benefits, they can equally threaten the privacy of building occupants and raise data security concerns.Aim. The complexity of smart buildings poses difficulties when applying the General Data Protection Regulations (GDPR) in addressing the aforementioned concerns. This paper unpacks the specific ambiguities that make applying the GDPR in this context challenging and identify the key requirements for data controllers in managing data privacy. Methods. This paper takes on a doctrinal approach to research by drawing upon legal sources and existing scholarship in related fields, in particular, legal privacy scholars. Results. The pressing compliance problems stem from the debate on what is considered as 'personal data' in smart buildings in which dictates the compliance requirements, in particular, data protection impact assessments (DPIAs). We identify three facets that smart building controllers should focus on in complying with the GDPR: establishing personal data, identifying individual rights, and determining a high risk to the rights and freedom of natural persons. Conclusions. The law can help prevent harms and ensure that individual rights are protected in smart buildings. To achieve this, understanding the compliance pain points of smart environment in order to strike the balance between the privacy of the occupants and the benefits of smart buildings is crucial. This is a call for further empirical and interdisciplinary research to effectively address the issues surrounding smart environment compliance challenges.