Page - 208 - in Intelligent Environments 2019 - Workshop Proceedings of the 15th International Conference on Intelligent Environments

Besides giving data subjects effective control over their own data, the GDPRs essence is about ensuring the legality of processing: Article 6 lists in what cases process- ing qualifies as legal. At least one of the six clauses mentioned therein should be valid, to constitute legal processing. Proving the legality of data processing traditionally car- ried out e.g. by hospitals, banks, or businesses (not offering AI-based services) is already problematic due to technological issues and to automation of daily tasks. As the Cam- bridge Analytica case taught everyone well, the absence of consent makes it difficult to identify breaches or incidents, and to interpret the case in the broadest possible mean- ing under the current legislation. The simple example of mobile apps installed on per- sonal mobile phones could be mention as case studies for AI-based processing services when looking at the legal basis of processing under the GDPR. An application set up on the phone by default might be an essential part of the phone, for example, its operating system. If the components of the application essential to make the phone work require personal data processing, then the legal basis for such data processing would be most probably based on performance of a contract (Art. 6/b). If there is another app aiming to offer personal(ized) services to the users, then the data subjects consent (Art. 6/a) will be the legal basis for processing. Data processing on mobile phones in personal use are neither legal obligations for the data controller (Art. 6/c), nor are they necessary to pro- tect vital interests of any person (if we exclude the extreme possibly theoretical cases (Art. 6/d). When a data subject uses a mobile phone, legal persons behind the mobile phone, e.g. manufacturers, or software developers, do not process data to execute tasks related to their public interest (Art. 6/e) if the app offers only personal(ized) services. The legitimate interest rule, as well as performing a task carried out for public interest do not apply unless the mobile phone is part of a public service. Referring back to the performance of a contract and consent rules, even if the application is essential to oper- ate the mobile phone, once the user starts using it (by entering into the sales contract), then (s)he will immediately come across pages of consent language often disregarded (as part of the contractual fine print), but still continues to use the application because of its personalized components and relevant advantages (We could call this the trade-off effect). Applications want to know about people to offer them better personalized ser- vices. A personal health assistant app, e.g., asks peoples consent to reach their messages, contacts, pictures, calendars and sometimes to their social media accounts. However, it is usually unclear why the app reaches such wide range of personal data, and the issue of relevance surfaces. What possible consequences could be drawn from a persons social media presence regarding their health? If not from the photos taken of their meals be- fore posting them to Instagram With this example in mind, we will further present how obtaining valid consent is a challenge in the case of AI-based processing services, since presenting transparent information and ensuring data erasure might not be as easy as the GDPR and its guidelines make it seem. 2.1. Giving Consent Pursuant to Article 6 of the GDPR, consent is a legal basis and the expression of data subjects’ will which safeguards their freedom to control their personal data [9]. Article 7 of the GDPR sets forth the conditions of said consent, such as data subjects right to manage and withdraw it. This constitutes informational self-determination, which refers to the right of the data subjects to freely share their personal data while giving them G.GultekinVarkonyi /Operability of theGDPR’sConsent Rule in Intelligent Systems208