Towards Privacy-Friendly Smart Products
Type
forthcoming
Date Issued
2021-03-30
Author(s)
Abstract (De)
Smart products, such as toy robots, must comply with multiple legal requirements of the countries in which they are sold and used. Currently, compliance with the legal environment requires manually customizing products for different markets. In this paper, we explore a design approach for smart products that enforces compliance with aspects of the European Union’s data protection principles within a product’s firmware through a case study on a toy robot. This endeavour has taken us through an exchange between computer scientists and legal scholars to determine the relevant data flows, their processing needs, and the implementation decisions that would allow a device to operate while complying with EU data protection law. By designing a data-minimizing toy robot, we show how the variety, amount, and quality of data that is exposed, processed, and stored outside of a user’s premises can be considerably reduced while preserving the device’s functionality. In comparison with a robot designed using a traditional approach, where 90% of the collected types of information are stored with the data controller or a remote service, our proposed design leads to the mandatory exposure of only seven out of 15 collected types of information, all of which are legally required by the data controller to demonstrate consent.
Language
English
HSG Classification
contribution to scientific community
Refereed
No
Subject(s)
Division(s)
Eprints ID
262898
File(s)
open access
Name
TechPaperToyRobot_Alexandria.pdf
Size
259.18 KB
Format
Adobe PDF
Checksum (MD5)
dd75fb7a286b7b0a32e0f09a21603d41