“This is an interactive film where you make choices which alter the story. Throughout your viewing, there will be moments where choices will be presented at the bottom of the screen. To select one, just tap on it”. This is the initial banner the viewer sees at the beginning of Bandersnatch, the new episode in the Black Mirror television series, broadcast by the online streaming platform Netflix.

Bandersnatch is one of the many examples of interactive TV, an existent reality in which users interface with increasingly advanced Smart TVs, personal digital assistants and sophisticated applications. Despite the benefits of the seemingly unlimited ability to interact with devices,third-party provider applications and services, risks arising from this digital dialectic must be taken into account, mainly related to user data privacy.

The latest generation of Smart TVs are equipped with a number of interactive features, including an internet connection, voice and facial recognition, motion control, and a personal account creation procedure to make the viewing experience as personalized as possible. Establishing an Internet connection, and enabling these services, starts flow of data from users’ devices, with consequent impacts on their privacy.

Through these features, device manufacturers and operators collect a huge amount of data, including users’ personal information, services and applications on the individual device, TV location, biometric and voice data. In addition, the use of interactive features also makes it possible to identify users.

Prior to the implementation of European Regulation 679/2016 (“GDPR”), the Italian Privacy Guarantor and other European data protection authorities (e.g. in Germany and the Netherlands) had started to examine the issue, anticipating the possible risks arising from the use of interactive devices, and trying to provide useful guidance for users and manufacturers.

Attempts to buffer such outcomes include Article 25 of GDPR, which establishes the need to operate according to the principle of “privacy by design”. In the digital context there is a strong need to ensure privacy from the design phase of the devices, as it is essential to make a prior assessment of the privacy impact.

Users must always be provided with appropriate information that clearly describes, among other things, the type of data collected, the purposes of processing and how data transfer to third parties is regulated. These third parties, in fact, as providers of applications installed on the device, have access to the data of Smart TV users, and in this case data protection measures should be guaranteed. Examining the privacy policy of one of the main Smart TV manufacturers, exposes a full waiver of responsibility towards third parties in case of data transfer, making it highly complex for users to exercise the right of access to data (art. 15 GDPR) and control of that data.

In addition, before certain types of processing are carried out, users should always be required to give express and informed consent. Indeed, in the specific area under consideration here, only the express consent should qualify as a suitable legal basis for data processing, rather than the legitimate interest of the provider or the execution of a contract.

The Bandersnatch episode is characterized by a highly innovative narrative system. The spectator is called, in certain situations, to make choices among the alternatives proposed during the episode, which ultimately affect the development and the final outcome. Netflix is therefore able to collect the list of decisions made by users, which represent a new type of data which is then analysed to improve the storytelling and the streaming service itself.

The data obtained is in fact crucial to the business’s strategies and the strategies of manufacturers and third-party suppliers. In their privacy policies, manufacturers and providers often list the purposes for data processing too generically. Such data can be used, for example, to improve the experience and the service offering; to provide personalized services, suggest content or advertising based on users’ viewing habits.

In conclusion, GDPR has strengthened the spectrum of protection for personal data of individuals in a highly connected world characterized by a wide reaching data flow. However, it is advisable for users themselves to make informed and conscious use of new devices, taking more time to read the often ignored privacy policies. On the other hand, manufacturers and providers are required to comply with the new regulations thus doing business with the data, but with due regard for users and in compliance with applicable laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.