Legal requirements for IoT security in Europe: current state and outlook
Stefan Hessel
Reuschlaw, Saarbrücken
stefan.hessel@reuschlaw.de
Philipp Reusch
Reuschlaw, Berlin
p.reusch@reuschlaw.de
Introduction
In Europe, IT security and data protection are considered key factors for economic success in the Internet of Things (IoT) market. This applies, as current studies show, especially when these solutions are combined with artificial intelligence. At the same time, the level of IT security is very low for many IoT devices. The numerous security vulnerabilities in connected surveillance cameras, for example, show the importance of IT security. The problem has also been recognised by the legislator and should at least be improved by the introduction of the General Data Protection Regulation (GDPR)[1] and the Cybersecurity Act.[2] Whether this has been successful and where further regulation can be expected will be analysed below.
Current regulation: GDPR and the Cybersecurity Act
General Data Protection Regulation
The centrepiece of European data protection law is the GDPR. According to its Article 2(1), once personal data is processed wholly or partially by automated means, the GDPR is materially applicable. The territorial scope of application of the GDPR is broad. In particular, according to Article 3, this scope extends beyond EU borders if goods or services are intended for data subjects within the EU. When IoT devices are used, the provider usually processes large amounts of the user’s personal data. Even if IoT devices are not offered by suppliers established in the EU, the GDPR is nevertheless applicable in many cases, as non-European suppliers also target European customers because of the size of the EU market and its purchasing power. Consequently, the GDPR is applicable to a large number of IoT devices, both territorially and materially.
If the GDPR is applicable, Article 32(1) GDPR requires the controller to implement technical and organisational measures (TOM) to protect personal data. Furthermore, and technologically upstream of the TOM, Article 25(1) GDPR lays down the principle of data protection by design. According to this principle, the controller is obliged to take technical and organisational measures for the protection of personal data into account during the development of the product. The GDPR requirements are formulated in a technologically neutral manner, and Article 32(1) GDPR lists only a few possible measures as examples. Nevertheless, the required security level is high and, if properly implemented, could result in a significant improvement in IT security in the IoT.[3]
Since the introduction of the GDPR, however, there has been no noticeable improvement in IT security in the area of IoT in practice. On the contrary, the SonicWall Cyber Threat Report predicts that attacks on IoT devices will continue to increase in 2020.[4] This discrepancy can partly be explained by the heavy workload and insufficient resources of the data protection authorities.
For example, the activity report of the ‘Bayerisches Landesamt für Datenschutzaufsicht’ (Bavarian state data protection authority for the non-public sector) shows that the authorities lack sufficient resources to react to the large number of submissions.[5] Enforcement of the GDPR is even more complicated with regard to IoT devices, since measures under the GDPR may only be directed against the controller. This means that data protection authorities cannot take action against manufacturers, suppliers, importers or sellers, even if the controller evades access by the authorities. Controllers in the field of IoT devices are often companies from East Asia without a registered office or entity in the EU. In many cases, they do not even fulfil their obligation under Article 27(1) GDPR to appoint a representative in the EU. This makes effective enforcement of the GDPR hardly possible in such cases. Under the current legal situation, those who pay the least attention to the GDPR are rewarded. It is therefore hardly surprising that many German companies see the GDPR as a competitive disadvantage.[6]
The German data protection authorities have also identified this issue in their ‘Erfahrungsbericht der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder zur Anwendung der DS-GVO’ (progress report of the independent data protection supervisory authorities of the Federal Government and the states on applying the GDPR). They call both for a further development of data protection legislation in the direction of product liability and for an obligation to publish the representative appointed under Article 27(1) GDPR, as is already the case for data protection officers under Article 13 et seq GDPR.[7] In conclusion, at this point in time it is not expected that the GDPR will solve the massive problem of IT security in the IoT.
The Cybersecurity Act
The Cybersecurity Act stipulates the objectives, tasks and organisational matters relating to the European Union Agency for Cybersecurity (ENISA). In accordance with its Article 1(1), the Act also defines a framework for the establishment of European cybersecurity certification for ICT products, ICT services and ICT processes. The Cybersecurity Act could be applicable to IoT devices if they constitute ICT products. According to Article 2(12) Cybersecurity Act, an ICT product is an element or a group of elements of a network or information system. IoT devices are a component of a network and information system[8] and are therefore ICT products. In addition to the devices themselves, which are usually owned by the end users, the IoT is also supported by a huge server infrastructure.[9] The providers operate the server infrastructure, which is used for data evaluation but also for controlling the devices.[10] The device control is often carried out via an interface between the server system and an app or web interface operated by the user.[11] In such cases, the server system can be classified as a service consisting wholly or mainly in the transmission, storing, retrieving or processing of information. It is therefore deemed to be an ICT service according to Article 2(13) Cybersecurity Act. Such a classification can also be based on Recital 2 of the Cybersecurity Act, which explicitly addresses the existing IT security problems in the IoT. Furthermore, devices for children, such as connected toys or children’s tablets, can also be classified as ICT products. Insofar as there is a server infrastructure behind the devices, it can be classified as an ICT service. However, the Cybersecurity Act does not impose any binding requirements on the IT security of IoT devices in general.
Instead, Article 46 et seq of the Act provides only a voluntary certification framework, which does not create any obligation for manufacturers to carry out certification or even third-party scrutiny procedures. Against this background, it is questionable whether the Cybersecurity Act can improve the situation, especially with regard to IoT devices.
Upcoming regulation – the Radio Equipment Directive
According to Article 1(1) RED, the main purpose of the Radio Equipment Directive is to create a legal framework for the radio equipment market. With regard to ensuring IT security for IoT equipment, the Directive can be applied to the extent that IoT equipment can be classified as radio equipment within the meaning of Article 2(1) No 1 RED. Radio equipment is an electrical or electronic product used for radio communication. IoT devices fulfil the definition of Article 2(1) No 1 RED and are radio equipment within the meaning of the RED if they communicate via radio links such as Bluetooth or Wi-Fi.[12] Article 3(3)(e) and (f) RED lay down a fundamental obligation to implement IT security measures. Accordingly, the equipment must be designed to protect the personal data and privacy of the user and of the subscriber. The devices must also support functions that ensure protection against fraud. However, the EU Commission has not yet adopted any binding measures, so manufacturers do not currently have to meet any specific requirements. In light of the Commission’s public consultation on Article 3(3)(e) and (f) RED in November 2019,[13] a tightening of the existing legal situation can be expected. The result could conceivably be regulations laying down specific safety requirements for radio equipment and consequently for many IoT devices as well. The effectiveness of such a regulation, which is tied not to the processing of personal data but to the characteristics of a product, is illustrated by section 90(1) sentence 1 of the German Telecommunications Act (TKG).[14] The provision regulates the misuse of transmitting equipment and bans devices that can be misused for eavesdropping. Section 148 TKG provides for up to two years’ imprisonment or a fine for breaching this ban.
Moreover, section 115(1) TKG grants the German Federal Network Agency the right to take appropriate measures to enforce compliance with the law by way of administrative proceedings. In this context, the Federal Network Agency can, for example, demand the destruction of banned equipment, prohibit its sale or require dealers to disclose the buyers. Such prohibited devices may include IoT devices in addition to classic spy devices, such as hidden cameras in ashtrays or smoke detectors.[15] For example, in addition to the doll ‘My friend Cayla’, which was classified as illegal in 2017,[16] section 90 TKG also bans some children’s smartwatches that have a remote monitoring function.[17] The ban has eliminated these devices from the market in Germany. However, since section 90 TKG is primarily aimed at restricting the distribution of spy devices, the Act in this form is not enough to provide IT security for IoT devices in general.
Conclusion
The effective enforcement of IT security requirements for IoT devices is difficult under current legislation. This is problematic not only for consumers, but also for companies that do adhere to the applicable law and therefore bear higher development costs. It is to be expected, however, that IT security requirements will in future be increasingly linked directly to products, so that in the event of infringements direct action can be taken against the products themselves, for instance through sales bans. Against this background, manufacturers and developers of such products are advised to pay greater attention to the security requirements of IoT devices and to seek legal advice, for example to identify the relevant legal requirements.
Notes
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
[3] An overview of the state of the art of IoT security can be found in NISTIR 8259 (Draft), Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, January 2020, available at: https://doi.org/10.6028/NIST.IR.8259-draft2, last accessed 23 February 2020.
[4] SonicWall, Cyber Threat Report 2020, p 34, available at: www.sonicwall.com/resources/2020-cyber-threat-report-pdf/, last accessed 13 February 2020.
[5] Bayerisches Landesamt für Datenschutzaufsicht, 9. Tätigkeitsbericht, 2019, p 10 ff, available at: www.zaftda.de/tb-bundeslaender/bayern/aufsichtsbehoerde-1/718-9-tb-noeb-bayern-2019-keine-landtagsdrucksache-28-01-2020/file, last accessed 13 February 2020 (in German).
[6] Engels/Scheufen, Wettbewerbseffekte der Europäischen Datenschutzgrundverordnung, IW-Report 1/20, 15 January 2020, available at: www.iwkoeln.de/fileadmin/user_upload/Studien/Report/PDF/2020/IW-Report_2020_DSGVO_und_Wettbewerb.pdf, last accessed 13 February 2020 (in German).
[7] Erfahrungsbericht der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder zur Anwendung der DS-GVO, November 2019, available at: www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2019/12/20191209_Erfahrungsbericht-zur-Anwendung-der-DS-GVO.pdf, last accessed 13 February 2020 (in German).
[8] Silva/Rodrigues/Saleem/Kozlov/Rabelo, M4DN.IoT – A Networks and Devices Management Platform for Internet of Things, IEEE Access, 2019.
[9] Ibid.
[10] Ibid.
[11] Ibid.
[12] EU Commission, Guide to the Radio Equipment Directive 2014/53/EU, version dated 19 December 2018, p 10 f, available at: https://ec.europa.eu/docsroom/documents/29782, last accessed 23 February 2020.
[13] EU Commission, Radio Equipment Directive (RED), available at: https://ec.europa.eu/growth/sectors/electrical-engineering/red-directive_en, last accessed 23 February 2020.
[14] Section 90(1) sentence 1 TKG can be translated as:
‘It shall be prohibited to own, manufacture, market, import or otherwise bring in the area of application of this Act transmitting equipment or other telecommunications equipment which, by virtue of their form, simulate another object or which are covered with objects of everyday use and which, by reason of these circumstances or by virtue of their mode of operation, are particularly suitable and intended for listening to the non-publicly spoken word of another person unnoticed by the latter or for recording the image of another person unnoticed by the latter.’
[15] Bundesnetzagentur, Hinweise zu einzelnen Produktkategorien, available at: www.bundesnetzagentur.de/DE/Sachgebiete/Telekommunikation/Unternehmen_Institutionen/Anbieterpflichten/Datenschutz/MissbrauchSendeanlagen/HinweiseProduktkategorien/hinweiseproduktkategorien.html, last accessed 13 February 2020 (in German).
[16] ‘German parents told to destroy Cayla dolls over hacking fears’, BBC news website, 17 February 2017, available at: www.bbc.com/news/world-europe-39002142, last accessed 23 February 2020.
[17] Bundesnetzagentur, Hinweise zu einzelnen Produktkategorien, available at: www.bundesnetzagentur.de/DE/Sachgebiete/Telekommunikation/Unternehmen_Institutionen/Anbieterpflichten/Datenschutz/MissbrauchSendeanlagen/HinweiseProduktkategorien/hinweiseproduktkategorien.html, last accessed 13 February 2020 (in German).