The Journal of Korean Institute of Information Technology (한국정보기술학회논문지)

Korean Institute of Information Technology (한국정보기술학회)
권호 표지
DOI QR코드

DOI QR Code

GDPR Compliant Consent Procedure for Personal Information Collection in the IoT Environment

IoT 환경에서 GDPR에 부합하는 개인정보수집 동의 절차

  • 이구연 (강원대학교 컴퓨터정보통신공학과) ;
  • 방준일 (강원대학교 컴퓨터정보통신공학과 대학원) ;
  • 차경진 (강원대학교 경영대학) ;
  • 김화종 (강원대학교 컴퓨터정보통신공학과)
  • Received : 2019.02.15
  • Accepted : 2019.04.28
  • Published : 2019.05.31
⟨ Previous Next ⟩

Abstract

Many IoT devices like sensors lack screen and input devices, thus making them hard to meet the consent conditions that GDPR requires. This is acting as a legal barrier for further advancement in the business field. In this paper, we designed the process for consent of personal information collection that meets the legal conditions. In this design, user's personal data is received in an encrypted form by data collecting server first. The encrypted personal data can be decrypted after associating with user agent based on the consent procedure of the collection of personal information. During the consent procedure, user agent understands the privacy policy about personal information collection and offers the key to decrypt the data. This kind of personal information collection agreement procedure will satisfy the transparent and freely given consent requirements of GDPR. Thus, we can speculate from here that the proposed procedure will contribute to the evolution of IoT business area dealing with personal information.

센서 등 많은 IoT 디바이스들은 화면출력 및 입력장치 등이 결여된 경우가 많아 개인정보보호법이나 GDPR 등에서 요구하는 개인정보수집 동의 절차를 만족시키기 어려워, 해당 비즈니스 분야 발전에 법적인 걸림돌로 작용하고 있다. 본 연구에서는 법적인 요건을 만족하는 IoT 시스템에서의 개인정보수집 동의 절차를 설계한다. 설계된 방식에서는 먼저 사용자의 개인정보가 암호화된 상태로 수집되며, 이후 데이터 수집 서버와 사용자 에이전트 사이에 개인정보 수집을 기반으로 연관을 맺음으로서 암호화된 내용을 복호화 한다. 이러한 연관 동의 과정에서 사용자 에이전트는 데이터 수집 서버의 개인정보수집 약관 등을 이해하고 복호화키를 제공한다. IoT 시스템에서의 이러한 방식의 개인정보수집 동의 절차는 GDPR 등의 법령에서 정하는 투명성, 자율성 등의 요건을 만족함으로서 개인정보를 취급하는 IoT 비지니스 분야의 발전에 크게 기여할 것으로 판단된다.

Keywords

References

  1. www.law.go.kr/lsInfoP.do?lsiSeq=195062&efYd=20171019#0000 : [accessed: Sep. 30, 2018]
  2. "Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)", European Commission, Jan. 2017.
  3. "Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)", Official Journal of the European Union., May 2016.
  4. www.gdpr-info.eu : [accessed: Sep. 30, 2018]
  5. Cigdem Sengul, "Privacy, consent and authorization in IoT", 20th Conference on Innovations in Clouds, Internet and Networks (ICIN), pp. 319-321, Mar. 2017.
  6. Arijit Ukil, Soma Bandyopadhyay, Joel Joseph, Vijayanand Banahatti, and Sachin Lodha, "Negotiation-based privacy preservation scheme in internet of things platform", SecurIT'12 Proceedings of the First International Conference on Security of Internet of Things, Kollam, India, pp. 75-84, Aug. 2012.
  7. Ricardo Neisse, Gianmarco Baldini, Gary Steri, Yutaka Miyake, Shinsaku Kiyomoto, and Abdur Rahim Biswas, "An agent-based framework for Informed Consent in the internet of things", IEEE 2nd World Forum on Internet of Things (WF-IoT), Milan, Italy, pp. 789-794, Dec. 2015.
  8. Ricardo Neisse, Gianmarco Baldini, Gary Steri, and Vincent Mahieu, "Informed consent in Internet of Things: The case study of cooperative intelligent transport systems", 23rd International Conference on Telecommunications (ICT), Thessaloniki, Greece, pp. 1-5, May 2016.
  9. Shi-Cho Cha, Ming-Shiung Chuang, Kuo-Hui Yeh, Zi-Jia Huang, and Chunhua Su, "A User-Friendly Privacy Framework for Users to Achieve Consents With Nearby BLE Devices", IEEE Access, Vol. 6, pp. 20779-20787, Mar. 2018. https://doi.org/10.1109/ACCESS.2018.2820716
  10. Claude Castelluccia, Mathieu Cunche, Daniel Le Metayer, and Victor Morel, "Enhancing Transparency and Consent in the IoT", IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), London, United Kingdom, pp. 116-119, Apr. 2018.
  11. Sooji Jeon, Jinhong Yang, Sungkwan Jung, and Chulsoo Kim, "A Study on the GDPR Compliant Personally Identifiable Information Management Technology for IoT Environment", 2018 Summer Conference of the Korean Institute of Communications and Information Sciences, pp. 1152-1153, Jun. 2018.
  12. Sun-Young Lee, "Analysis of User's Recognition for Personal Information Agreement and New Policy", Journal of KIIT, Vol. 12, No. 8, pp. 85-92, Aug. 2014.

Cited by

  1. Analysis and Implementation of Encryption Algorithms for Remote Update Security of IoT Healthcare Devices vol.19, pp.7, 2019, https://doi.org/10.14801/jkiit.2021.19.7.91