The Lexing conference in Paris in June 2015 on Robot Law was very interesting. Members from many countries presented on many different aspects of robot law. I presented on robot privacy: privacy in a robot’s world. There is no doubt that we will soon be living in a robot’s world with many robots doing all sorts of things. Watch this trailer to see what the future could be like in Johannesburg, South Africa. This raises some questions around privacy, especially data privacy.

Is it lawful for a robot to collect and process personal information?

Yes, provided the conditions (or principles) for lawful processing are complied with. In South Africa, a robot could even collect personal information without someone’s consent. The normal principles would apply and the responsible party (or data controller) would, for example, have to make sure that they:

  • are justified in processing,
  • limit processing,
  • specify their purpose,
  • limit further processing,
  • are open about what the robot is doing,
  • secure the personal information the robot processes, and
  • allow the data subject to access the personal information a robot processes and correct it.

If a robot processes special personal information (or sensitive personal data) or personal information of children, it must be authorised by law.

Who is responsible for protecting the personal information robots collect?

The person who determines why and how the robot will collect. It could be a natural (human) or legal person (like a company). It could also be more than one person. But is it the manufacturer, the owner, or the operator? The question is always who determined why and how the robot will process. That is the responsible party. The robot itself would not be responsible.

Who is the data subject? Do robots infringe their privacy rights?

Any natural or legal person whose personal information a robot processes. For example, it could be a suspect, a patient in a hospital, an employee in the workplace, a customer in a store, or a human in their own home.

A robot could infringe their privacy right, but only if it unlawfully processes their personal information. The same principles that apply to other things (like automated processes) would also apply.

Do robots present an increased risk to data privacy?

Yes. Robots have the ability to collect and store lots of personal information so the risk of someone’s data privacy being infringed is greater. But this same argument applies to many things, like the Internet of Things or social media.

Does a robot itself have a right to privacy?

Maybe. In South Africa, I think a robot can be defamed and have its privacy infringed. The former Chief Justice in 1993 in a judgement of the Appellate Division said that “as a matter of general policy the Courts have, in the sphere of personality rights, tended to equate the respective positions of natural person and artificial (or legal) persons, where it is possible and appropriate for this to be done.” He also said “that the appellant, a university and an artificial person, would in appropriate instances … enjoy a right to privacy.”

An artificial person is a non-living entity regarded by law to have the status of personhood (Wikipedia). Surely, a robot is then an artificial person, which has a right to privacy. In South Africa, there is a legal responsibility to protect the personal information of a company. Surely, it then follows that there is a legal responsibility to protect the personal information of a robot.