The Internet of Things (IoT) is getting regulated through the draft European ePrivacy privacy regulation and the revised database and product liability directives, but is this good news?
I am generally of the opinion that
"no rules are better than bad rules".
Regulations can help to foster a market, but if they merely create additional obligations, they are likely to damage it. There is no doubt that the current scenario of uncertainty as to the applicable rights and obligations might be great for lawyers, but companies that need to invest in the IoT would rather have a scenario which is "crystal clear". The challenge is to see whether European regulators will be able to identify the right balance between regulating and over-regulating.
The broad approach of the draft European ePrivacy regulation to the Internet of Things
I had anticipated that the European Commission was starting a review process of the ePrivacy Regulation, which complements the European Data Protection Regulation by governing the processing of personal data in electronic communications.
The proposal for the ePrivacy Regulation has now been published and, when it comes to Internet of Things technologies, the principle is very broad:
"In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to-machine communications."
The wording of the draft regulation is not fully clear, as it does not specify whether it refers only to M2M communications containing personal data. This might be implied, given that the regulation is meant to govern privacy-related issues, but it is not expressly stated. A more literal interpretation of the provision would require compliance at least with the principle of confidentiality set out in the draft ePrivacy Regulation, under which
"Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation."
The extension of the principle of confidentiality to IoT communications means that, in case of its breach, fines up to € 20 million, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year (whichever is higher) will be applicable!
The above also means that data protection compliance obligations will become relevant even for Industrial Internet of Things projects, where privacy issues are usually not the main priority since only machine-related data is processed. This is also because the draft regulation refers to the applicability of all of its contents, and therefore, for instance, also to the need to put in place a privacy by design approach.
Is the project on building a European data economy the right route?
The European Commission published a communication announcing its plan to build a "European data economy". The plan includes not only the upcoming European General Data Protection Regulation and the above-mentioned draft ePrivacy Regulation, but also the following principles:
1. The removal of unjustified restrictions on the free movement of data
This would be achieved through, for instance, challenging the "data location restrictions" provided by the laws of EU Member States, such as those requiring data to be kept on servers in a specific country.
These restrictions should be replaced by security obligations such as those provided by the NIS Directive, together with a general principle of free movement of data within the EU.
2. The setting of rules on access to and transmission of IoT data generated by Industry 4.0 machines or processes
The goal of the European Commission is to identify an approach that shall:
- Improve access to anonymous machine-generated data, through open data rules enabling public authorities to access data considered to be of public interest. As with any regulation on open data, the risk is that it will create a disincentive for private companies to invest in sectors where they know that the data they generate will be shared with third parties;
- Facilitate and incentivise the sharing of data, which the European Commission is considering achieving by (i) setting default clauses and prohibiting unfair terms which considerably deviate from them, (ii) creating technical standards to trace and share data (e.g. standards for APIs) and (iii) reforming the European Database Directive. These initiatives are interesting, but if the technical standards differ from those set by the market, they will lead to additional costs for market players. Likewise, default clauses might represent a limitation on investments in Europe if they lead to additional risks or liabilities for operators;
- Protect investments and assets, by means of the introduction of a so-called "data producer's right", which would clarify the device user's ownership of anonymous data generated by machines. The issue with such a right is how it will "live" with the existing intellectual property rights. If it results in just an additional layer of rights, and of consequential consents necessary for the exploitation of data, it risks failing;
- Avoid disclosure of confidential data; and
- Minimise lock-in effects, where de facto the manufacturers of IoT machines become the owners of the generated data since they control it. This would be achieved by obliging manufacturers, service providers or other parties to provide access to the data they hold, against remuneration and after anonymisation. Such a provision sounds like a compulsory licence that would entail the same issues mentioned above in relation to open data rules.
3. The amendment of rules on product liability and on data portability and interoperability
The rules on liability for any damages resulting from a fault in a connected IoT device or a robot need to be amended. This has to occur through changes to the principles set forth in the EU Product Liability Directive, since strict liability rules are hard to apply to Internet of Things technologies, where a malfunction can arise from different connected sources.
According to the European Commission, a possible approach would be either (i) to allocate more responsibilities to market players that generate more risks or have more control over them, or (ii) to introduce mandatory or voluntary insurance schemes.
Also, rules on the portability of the data generated by Internet of Things devices, which shall be extended to non-personal data, and on the interoperability of such data might be implemented through recommended contractual terms or technical standards facilitating the switch between suppliers.
Such initiatives sound interesting, but if operators need to bear additional costs and risks to market their technologies in Europe, it is likely that customers will end up bearing those costs, leading to a potential disadvantage rather than an advantage for them.
The European Consultation on the new IoT rules
Given the very large number of open issues, the European Commission launched a consultation on the topic that closes on 26 April 2017. This seems a good opportunity to identify the right approach on an issue which might have a significant impact on the future of companies investing in Europe.