From Data To Decisions: Navigating IoT And Automated Decision-making

The adoption of the Internet of Things (“IoT”) is transforming how organisations collect, analyse and use data. By connecting everyday devices to the internet and each other, IoT enables the continuous generation of real time data streams. These data streams, combined with advances in artificial intelligence (“AI”) and automated systems allow organisations to analyse this data, make predictions and make decisions with minimal human intervention. While these technologies offer efficiencies and commercial opportunities, they also raise legal and regulatory considerations, particularly in relation to data privacy, transparency and accountability.

IoT refers to a network of physical devices, vehicles, appliances and other physical objects that are embedded with sensors, software and network connectivity, allowing them to collect and share data. IoT devices generate large volumes of data about users, behaviours, environments and operations. This data may include biometric information, health information, usage patterns, location data and other behavioural insights. On its own this data has limited value, however, when combined and analysed using advanced AI systems, it can enable a range of functionalities, including autonomous decision-making (“ADM”).

Automated decision-making refers to decisions made by technological systems with limited or no human involvement. These systems use predefined rules, algorithms or machine learning models to analyse data and generate outcomes or recommendations. ADM can enhance efficiency, optimise workflows and improve customer experiences, but it also requires careful governance where outcomes may affect individuals.

Data protection laws play a key role in regulating the processing of personal information collected through IoT and used in ADM systems and influence how organisations design and implement IoT and ADM solutions. The Protection of Personal Information Act, 2013 (“POPIA”) requires personal information to be processed lawfully and reasonably. In terms of section 9 of POPIA, personal information must be processed in a manner that does not infringe the privacy of the data subject. Organisations deploying IoT devices should therefore ensure that personal information collected through connected devices, including information used for profiling or decision-making, is relevant, collected for a lawful purpose and handled in a manner that respects data subjects’ privacy.

Section 57 of POPIA requires a responsible party to obtain prior authorisation from the Information Regulator if it intends to process unique identifiers (such as device IDs or account numbers) for a purpose different from the one originally intended at collection, with the aim of linking the information together with information processed by other responsible parties. The interconnected nature of IoT systems often involves sharing and combining data across different platforms or responsible parties, which may mean that the operation of such a system requires prior authorisation from the Information Regulator. This requirement is especially relevant where the data is used for profiling or automated decision-making.

The use of IoT data for ADM also raises compliance considerations under section 71 of POPIA. This provision restricts decisions made solely on the basis of automated processing of personal information, particularly where those decisions have legal consequences or significantly affect an individual. Such decisions are permissible only in limited circumstances and must be accompanied by appropriate safeguards, including human intervention. Organisations must also provide the data subject with information about the logic underlying the automated decision-making process and an opportunity to make representations or challenge the decision. While automation can improve efficiency and enable real-time decision-making, organisations should avoid relying exclusively on automated processes for decisions that significantly affect data subjects without meaningful transparency or human involvement.

Transparency is particularly important in IoT environments, where individuals may not fully understand the extent of data collection or how their information is used in decision-making. Organisations should explain how data is collected through connected devices, how it may be shared or combined, and how ADM systems reach outcomes.

Ultimately, the combination of IoT and automated decision-making systems highlights the importance of responsible technology governance and appropriate policies, processes, and frameworks. This includes conducting personal information impact assessments, providing appropriate privacy notices to ensure transparency in data collection practices, and establishing clear accountability mechanisms for automated decisions.

If your organisation is developing, deploying or integrating IoT or ADM technologies, you can contact our team for tailored advice on navigating the applicable legal and regulatory framework.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.