New challenges to personal data processing agreements: is the GDPR fit to deal with contract, accountability and liability in a world of the Internet of Things?

Abstract

The increasingly complex data-processing reality created by new technologies, such as the ‘Internet of Things’ (IoT) underline the need for stakeholders to be clear about issues relating to responsibility for the personal data they process and/or control. The European General Data Protection Regulation (GDPR) expands the obligations of data processors and brings changes to the relationships between IoT stakeholders. To understand how the law operates in an IoT context, we need to analyse the complexity of the current legal state and map out grey areas. The focus of this article lies mainly on the contractual relationship between controllers and processors dealing with new technology, and changes to data controllers’ and data processors’ rights and obligations brought by the GDPR. The main aim is to investigate whether the GDPR is fit to deal with new technologies such as the IoT.