Internet of Things
Monopolisation
- (b) At the moment, many companies are still cautious when it comes to the IoT
and Industry 4.0 implementation as it may involve radical structural changes
and a radical shift in value creation. This could explain why established large
players often find it difficult to adapt to new business models and engage in
new types of alliances. In that respect, agile players like SMEs, especially
entrepreneurs and start-ups, are considered to have the potential to seize new
opportunities brought about by the IoT.
SWD(2016) 110 - Advancing the Internet of Things in Europe
5 RISK
1) Risks of fragmentation and a need to address a coordination failure between
Member States.
5 RISK
4) Risk of users being forced to compliance and data sharing instead of developing
a human-centred IoT where users can trust that the IoT systems around them
operate according to understood principles and guarantees for their integrity,
privacy and security.
5) Risk that the uncertainty about business models and standards could generate
information asymmetries and market failures, preventing investment and risk-
taking.
Legal Perspectives
- Security
- Privacy
- Liability
- Contract & Consumer Protection
Security
ENISA considered the security of Industry 4.0 devices and services throughout their
lifecycle (from conception to end-of-life and decommissioning) and paid close
attention to issues that are particular to the requirements of Industry 4.0. Accordingly,
the study highlights security measures in three dimensions:
- Policies
- Organisational measures
- Technical measures
Security
IoT End Devices – These devices have various capabilities, such as sensing, actuating, storing
and/or processing information.
ICS (Industrial Control Systems) – Supervisory control and data acquisition, as well as other
control system elements and devices human machine interfaces.
Manufacturing and business processes – This group consists of activities that lead to achieving a
certain goal, in this case obtaining a final product from raw materials or components.
Artificial Intelligence and Machine Learning – In Smart Manufacturing, due to the collection of
enormous amounts of data from industrial processes, various ML and AI algorithms are utilised for
analysis.
Control systems communication networks and their components – This group includes
networks, network devices and industrial protocols.
Security Challenges
Vulnerable components – Along with the fourth industrial revolution, the new Internet
of Things (IoT) landscape has emerged with millions of connected devices globally.
Management of processes – A multitude of complex processes involved in Smart
Manufacturing should also be considered.
Increased connectivity – Manufacturing processes need to interact with objects and
environments on a global scale and systems used in Smart Manufacturing need to enable
collaboration across multiple organisations.
IT/OT convergence – Industrial control systems ceased to be isolated once the
incorporation of IT components in the ICS domain became a common practice.
Security Challenges
Legacy industrial control systems - Adding new IoT devices to outdated hardware raises
concerns that it may allow attackers to find a new way to compromise systems.
Insecure protocols – Manufacturing components communicate over private industrial
networks using specific protocols. In modern network environments, these protocols
often fail to ensure proper protection against cyber-threats.
Human factors – Adopting new technologies means that factory workers and engineers
have to work with new types of data, networks and systems in novel ways. They are
unaware of the associated risks.
Security Challenges
Security updates – Applying security updates to IoT is extremely challenging, since the
particularity of the user interfaces available to users does not allow traditional update
mechanisms. Securing those mechanisms is in itself a daunting task, especially
considering Over-The-Air updates. In OT environments in particular, applying updates
may be challenging since this operation needs to be scheduled and performed during
downtime.
Secure product lifecycle – Device security should be a subject of consideration through
the product’s entire lifecycle, even end-of-life/end-of-support of the machine.
Privacy
IoT stakeholders aim at offering new applications and services through the collection and
the further combination of this data about individuals – whether in order to measure the
user’s environment-specific data “only”, or to specifically observe and analyse his/her
habits.
In other words, the IoT usually implies the processing of data that relate to identified or
identifiable natural persons, and therefore qualifies as personal data.
Privacy
The processing of such data in this context relies on the coordinated intervention of a
significant number of stakeholders (i.e. device manufacturers – sometimes also acting as
data platforms; data aggregators or brokers; application developers; social platforms;
device lenders or renters, etc.).
These different stakeholders may be involved for various reasons, namely to provide
additional functionalities or easy-to-use control interfaces that allow the management of
technical and privacy settings, or because the user will commonly have access to his/her
collected data via a distinct web interface.
Privacy
Furthermore, once the data is remotely stored, it may be shared with other parties,
sometimes without the individual concerned being aware of it.
In these cases, the further transmission of his/her data is thus imposed on the user who
cannot prevent it without disabling most of the functionalities of the device.
As a result of this chain of actions, the IoT can put device manufacturers and their
commercial partners in a position to build or have access to very detailed user profiles.
Privacy Challenges
Nonetheless, as far as they constitute 'movable' items, IoT devices and any other
items containing intangible elements or presenting connectivity features qualify as
'products' and defects in these products are covered by the Product Liability
Directive.
Extra-contractual liability
In the EU, consumers can claim compensation for damage caused by defective products.
If a defective product causes any physical or material damage to consumers or their property, the
producer has to provide compensation irrespective of whether there is negligence or fault on their
part.
Rights of producers
Producers can be cleared of liability under certain conditions, notably, if they prove that:
● they did not put the product into circulation
● the defect was due to the compliance of the product with mandatory regulations issued by public
authorities
● the state of scientific or technical knowledge at the time the product was put into circulation could
not detect the defect.
Liability Challenge
The producer needs to ensure the safety of the final product, and in turn,
producers and sellers are responsible for any liability arising from the products
placed on the market or sold to customers regardless of whether they include third
party components.
However, based on the specific characteristics of these emerging digital
technologies, it should be examined whether, when products and services are
increasingly connected and complex both in the design and the system integration,
effective redress mechanisms for victims and legal certainty for producers are still
ensured.
Liability Challenge
Further, digital technology products are open to software extensions, updates and
patches after they have been put into circulation. Any change to the software of
the system may affect the behaviour of the entire system or of individual
components or may extend its functionality.
Contractual liability of a software provider depends to a large extent on its
contractual obligations (e.g. to supply applications which provide a certain level of
safety and cybersecurity as well as updates for a certain period of time). A failure
to comply with these obligations may trigger contractual liability claims. […] The
contractual liability of a software provider may be limited to the extent its
customer contributed to the actual damage, e.g. because he did not install an
available update.
Liability Challenge
For example, a smart smoke detector can be produced by manufacturer A and sold
to the homeowner by seller B, a smart thermostat can be produced by
manufacturer C and sold to the homeowner by seller D, the data analysis
application could be provided by provider E or by one of the manufacturers of the
smart appliances and the connectivity dimension is provided by internet provider
F. The smart smoke detector can detect a source of fire and alert the homeowner
or the fire department. In addition, the smoke detector can also communicate with
other smart home appliances in the ecosystem, such as smart doors, instructing
them to unlock in order to allow access to the fire fighters.
Liability Challenge
In case of a fire, not sending an alert to the fire department may ultimately result
in the destruction of the house and/or damage to a neighbour's house. This may
be due to various causes: a malfunctioning of the smoke detector, a faulty data
processing by the application, a failure of electronic communication services or an
autonomous decision to switch off the smoke detector, e.g. because of high energy
consumption levels of the smoke detector.
The more sophisticated an ecosystem gets, the more difficult it may be for the
home owner to trace back any upcoming problem to its origin.
Liability Challenges at the EU level
The Directive defines products as movable items. Even though most producers
consulted during the evaluation claimed that they did not encounter problems in
distinguishing products from services so far, a number of open questions were
identified related to software, be it embedded or non-embedded, that will have to
be further explored.
Liability Challenges at the EU level
Concerning the concept of producer, the question arises to what extent the
producer maintains control over the features of a product in the context of
emerging digital technologies and can therefore be held liable for them. While in
many cases the final product and producer may be easy to identify, regardless of
whether it includes software or other digital elements, or whether different
manufacturers have been involved in the production process, other cases may be
less straightforward.
Liability Challenges at the EU level
The notions of defectiveness and burden of proof of the Directive are fairly wide
and refer to the safety levels that a consumer is entitled to expect.
The defectiveness must be assessed based on an objective analysis of the
expectations of an average consumer rather than on subjective expectations or
predisposition of one person -> objective criteria.
Liability Challenges at the EU level
- Contract B2C
- Contract B2B
- Information
- Control
- Security
- Privacy
Consumer
- Directive (EU) 2019/771 should apply to contracts for the sale of goods,
including goods with digital elements. The notion of goods with digital elements
should refer to goods that incorporate or are inter-connected with digital
content or a digital service in such a way that the absence of that digital content
or digital service would prevent the goods from performing their functions.
Consumer: Sales of Goods or Digital Content?
- It should also include those sales contracts which can be understood as covering
the supply of specific digital content or a specific digital service because they are
normal for goods of the same type and the consumer could reasonably expect
them given the nature of the goods and taking into account any public
statement made by or on behalf of the seller or other persons in previous links
of the chain of transactions, including the producer.
- In order to avoid uncertainty for both traders and consumers, in the event of
doubt as to whether the supply of the digital content or the digital service forms
part of the sales contract, Directive (EU) 2019/771 should apply.
- For instance, if the consumer downloads a game application from an app store
onto a smart phone, the contract for the supply of the game application is
separate from the contract for the sale of the smart phone itself. Directive (EU)
2019/771 should therefore only apply to the sales contract concerning the smart
phone, while the supply of the game application could fall under this Directive, if
the conditions of this Directive are met.
Consumer: Sales of Goods or Digital Content?
- Another example would be where it is expressly agreed that the consumer buys
a smart phone without a specific operating system and the consumer
subsequently concludes a contract for the supply of an operating system from a
third party. In such a case, the supply of the separately bought operating system
would not form part of the sales contract and therefore would not fall within the
scope of Directive (EU) 2019/771, but could fall within the scope of this
Directive, if the conditions of this Directive are met.
IoT Challenges
- Goods or services?
Thank you for your attention
silviamartinelli89@gmail.com
s.martinelli@crclex.com