Roomba's Data Protection Obligations

Under a permissive approach, Roomba has little obligations to its customers. It is able to use a blanket statement in its policy such as "share personal information with subsidiaries, third party vendors, and the government, as well as in connection with 'any company transaction' such as a merger or external investment." to justify its actions and claim that consent has already been sought from its customers to sell their home layout maps.

However, under the prohibitive principle, Roomba would have to more transparent and explicit with its intentions when drafting their policy. Let's have a look at Art 6(1) of the GDPR to see which point it falls under.

(b) The sale of home layout maps is not strictly required for the Roomba to clean the home (performance of a contract).
(c) Sale of home layout maps to private companies does not fulfill any legal obligation.
(d) It has no bearing on the vital interest of the data subject/other natural persons (unless Roomba is sharing the home layout maps with emergency services to facilitate medical rescue).
(e) Sale of home layout maps to private companies is not done in public interest.
(f) We can argue that there is commercial interests pursued by the controller, however such interests are overridden by the personal data privacy of the owner

As such, the action of sale of home layout map appears to fall under Point a, where it is stated that the consent must be given for that specific purpose. Roomba will need to explicitly call this out in their policy statement and not rely on a generic blanket statement to cover all their various data processing actions.

I would lean towards a prohibitive approach for data protection law. In a situation of unequal expertise or bargaining power, the court will usually hold the entity with greater expertise or bargaining power to higher standards. e.g. Esso Petroluem Co Ltd vs Mardon [1976] QB801. Similarly in this case, Roomba is the expert here. They know how the automated vacuum cleaners work, what data it collects, the commercial value of the data... It is only fair to hold them to higher standards and make them explicitly list out what data is collected and for what purposes. If we shift the burden over to consumers, it will make purchasing an automated vacuum cleaner an extremely onerous task. Consumers will have to spend hours understanding the features that each brand has, whether that particular model builds a home map layout, or whether it just moves in a grid like pattern until it is unable to move anymore. Consumers might even have to look through Roomba's financial reports to figure out which companies are partnering with Roomba and infer if their data is being shared with there partners.