Introduction
The Internet of Things (IoT) is a network of smart devices connected to the Internet and often also to each other. Smart devices include:
- Wearable step trackers
- Smart home speakers
- Wi-Fi-connected lamps
- Smart TVs, baby monitors
- Certain children’s toys.
These devices carry sensors that collect and exchange personal data so that the device can work as intended. The growth of the IoT is most visible in smart homes, which are built around such devices.
With the rise of the IoT, smart devices analyze personal data to personalize and optimize their operation, yet the regulation of such devices is still limited. That is changing. In October 2021 the European Commission (EC) adopted a delegated act under the Radio Equipment Directive 2014/53/EU (RED) that activates the directive's essential requirements on network protection, privacy and fraud prevention for internet-connected radio equipment, which covers most IoT devices. In February 2022 the EC also proposed a Data Act, which adds further data-access, privacy and security requirements for manufacturers of IoT devices.
The new legislation complements the obligations and rights under the General Data Protection Regulation (GDPR) and the e-Privacy Directive (ePD). This post discusses the impact of this new legislation on IoT devices and closes with the most important action items for manufacturers of IoT devices that need to comply with it.
Applicability of the RED
The protection of personal data is crucial for user privacy. The delegated act to the RED sets minimum privacy and cybersecurity requirements for internet-connected radio equipment, which in practice means most IoT devices. Any manufacturer that intends to place such devices on the EU market must therefore build in technical features that raise the device's level of cybersecurity and privacy protection.
The delegated act activates three of the RED's essential requirements:
- IoT devices must not harm the network or its functioning, and must not misuse network resources. The intent is to make communication networks more resilient by limiting the scope for IoT devices to be abused against them.
- IoT devices must incorporate safeguards to protect users' personal data and privacy. Devices that process "personal data" as defined in the GDPR must have features that protect privacy and personal data, the aim being to prevent unauthorized access to, or transmission of, personal data.
- IoT devices must support specific features that protect against fraud. If the equipment is used to make electronic payments, it must include features that minimize the risk of fraud; stronger authentication controls, in particular, reduce the risk of fraudulent payments.
Applicability of the Data Act
The proposed Data Act introduces further requirements for IoT manufacturers. Its aim is to remove barriers to accessing data while giving those who generate the data a fair say over how it is used. The Data Act contains new rules that empower users (consumers and companies that have purchased, rented or leased an IoT device) to control what can be done with the data their IoT devices generate.
The following primary obligations are imposed on manufacturers of IoT devices:
- Data generated by IoT devices must be provided to users on request, without undue delay, free of charge and, where possible, in real time. On the same basis, users may request that such data be shared with a third party of their choosing, unless that third party is a gatekeeper under the Digital Markets Act.[1] This expands the existing right to data portability under the GDPR, so both data holders (those with the right, obligation or ability to make certain data available) and recipient third parties must ensure their data protection compliance.
- The Data Act includes measures to ensure that terms and conditions for data sharing are fair, reasonable and non-discriminatory (FRAND). Manufacturers of IoT devices and data holders must make data available to third parties in a transparent manner. The proposal also restricts the use of unfair terms in contracts with SMEs that the other party has unilaterally imposed, including contracts covering the use of and access to the data, or liability in the event of non-performance of data-related obligations. Terms that are found to be unfair are non-binding. The proposal contains a "black" list of terms that are always considered unfair and a "grey" list of terms that are presumed to be unfair.
- Restrictions on international transfers of non-personal data are introduced. Providers of data processing services, such as cloud service providers, must take reasonable technical, legal and organisational measures to prevent international access to, or transfer of, non-personal data held in the EU where such access or transfer would conflict with EU or member state law. Mirroring the GDPR's rule for personal data, the Data Act provides that a third-country court decision or government order for access to non-personal data may only be recognized or enforced if it is based on an international agreement (such as a mutual legal assistance treaty) between the requesting third country and the EU or the relevant member state.
- IoT manufacturers must design their devices so that the data they collect can be accessed easily by users: connected products and related services must be designed so that the data is accessible easily, securely and, where relevant, directly. Data holders may not use data generated by an IoT device without a valid legal basis or a contract with the user. Users must be informed, before they conclude a contract, of the kinds of data the device generates, how they may access that data and whether it will be shared with third parties. In effect, the proposed Data Act extends the GDPR's duty to inform users about the collection and processing of personal data to non-personal data as well.
Applicability of the GDPR
The GDPR already imposes several obligations on manufacturers of IoT devices that, applied properly, protect users' security and privacy.
First, a manufacturer that processes personal data collected through an IoT device must rely on one of the legal bases set out in Article 6 of the GDPR and must comply with the GDPR's information obligations. Where it relies on consent, the GDPR's requirements for valid consent apply. Because IoT devices are often designed to operate without human input (for example without a display), it may not be possible to obtain consent or to show privacy settings on the device itself. To satisfy both the consent requirement and the information obligation, manufacturers of devices without a display can print a URL or QR code on the packaging that leads to the privacy statement and, where needed, to a consent request. Consent obtained this way must still be freely given, specific, informed and unambiguous.
In addition, data protection by design and by default (Article 25 GDPR) require that privacy safeguards be built into the device and its default settings, which also improves its security. Where the manufacturer acts as data controller and the processing is likely to result in a high risk to individuals, as is often the case with IoT data, it must also carry out a Data Protection Impact Assessment (DPIA).
Key action items for manufacturers
RED
- Choose specific technical solutions: To demonstrate compliance, manufacturers should implement the technical solutions described in the harmonised standards that the EC references for the RED's essential requirements.
- Perform a conformity assessment: Before placing IoT devices on the EU market, manufacturers must carry out a conformity assessment procedure. Self-assessment is available where the applicable harmonised standards have been applied in full; otherwise the assessment must involve a notified body (an independent third-party assessor).
Data Act
- Transparency towards users: Be clear about which data will be accessible to users and how they can access it.
- Data sharing: Make the data available to users and, at their request, to third parties, on fair, reasonable and non-discriminatory terms.
- Product development: Design the product so that the data it generates is, by default, easily, securely and, where applicable, directly accessible to users, in a readily usable format.
GDPR
- A legal basis for the processing of personal data is required.
- A privacy statement must be provided to the users.
- Users' privacy must be protected through data protection by design and by default.
- A DPIA must be performed where the processing is likely to result in a high risk to individuals.
The Dentons Amsterdam IP&T team stands ready to help you navigate the increasingly complex EU data landscape and help you grow your business in the EU.
[1] Gatekeepers are large companies designated under the Digital Markets Act as operating "core platform services," such as online marketplaces.