
Università degli Studi di Milano, 24 October 2019

Internet of Things

Avv. Silvia Martinelli


Legal & Technology Research Team Manager at CRC Lex
PhD Candidate - University of Turin
Affiliate Scholar at the Information Society Law Center
https://www.youtube.com/watch?v=LlhmzVL5bm8
What is «Internet of Things»?

- We use the term “Internet of Things” (IoT) to indicate objects or devices with embedded electronics that can transfer data over a network without any human interaction.
- It refers to an ecosystem in which applications and services are driven by data collected from devices that sense and interface with the physical world.

Everything became connected

- Almost everything has become connected, and by combining IoT data with cognitive computing, businesses can extract valuable insights to improve virtually every aspect of their operations and enable innovative new business models.
- Important IoT application domains span almost all major economic sectors: health, education, agriculture, transportation, manufacturing, electric grids, and many more.

Internet of Everything

- In some ways, the term Internet of Everything is the most accurate, as the Internet-connected sensors and actuators are not just linked to things, but also monitor health, location and activities of people and animals, monitor the state of the natural environment, the quality of food and much else that would not be considered a thing per se.

Large Amounts of Data

- The combination of network connectivity, widespread sensor placement, and sophisticated data analysis techniques now enables applications to aggregate and act on large amounts of data generated by IoT devices in homes, public spaces, industry and the natural world.
- This aggregated data can drive innovation, research, and marketing, as well as optimise the services that generated it.
SWD(2016) 110 - Advancing the Internet of Things in Europe

Different steps of evolution of the Internet of Things

- 1. Data driven innovation in vertical sectors
- Connected sensors collect data from objects (e.g. a car, a phone etc.). These data are analysed either through embedded systems or through cloud-based and Internet systems, enabling the creation of new services and big data analytics. Wearables, sensors, equipment parts in business and smart city environments are examples of solutions put forward in this step. Innovation is data- and product-driven and provides better decision making, increased efficiency and more convenience. This happens at the level of vertical sectors, but cross-cutting exchanges remain limited.
- 2. Industrial IoT: actuation and semi-autonomous behaviour based on smart connected objects
- The data provided by connected sensors and objects allows single and networked objects to perform specific functions derived from sensing, analysis and intelligence gathered. This operates normally within the boundaries of given applications, but it is expected, with increasing computing power and sophistication, to gain high levels of autonomy in their behaviour and “life”. Examples include factory automation, logistics and robotics.
- 3. Programmable world: data exchange and service creation across large vertical applications
- The third step combines steps one and two by using complex systems, intelligence and actuation. Sensors and smart connected objects become part of a bigger connectivity network which creates new opportunities to combine more intelligence and actuation across vertical markets […] It enables the programming of complex systems to integrate a number of device and service providers to deliver complete IoT solutions, e.g. at home, in cities, between industries.
- 4. The age of the digital nature
- Connected objects of all sorts become autonomous, using artificial intelligence to learn and self-improve. Natural and cyborg interfaces link people with their hyper-connected environments and optimise these objects' functionalities seamlessly, like in a new stage of nature. This stage implies objects making decisions on their own to simplify our everyday life. The basic design is intended to meet the needs and preferences of individuals and society.
SWD(2016) 110 - Advancing the Internet of Things in Europe

Challenges for the implementation of the Internet of Things

- (a) Monopolisation.
- (b) Radical structural changes and radical shift in value creation.
- (c) Lack of common standards and interoperable solutions.
- (d) Lack of consensus on EU policy coordination.
SWD(2016) 110 - Advancing the Internet of Things in Europe

Monopolisation

- (a) In many industrial sectors, digital transformations are leading to radical changes in companies' roles and beneficiaries throughout the value chain and to the creation of new markets. Monopolising or ring-fencing of new IoT areas may be an obstacle to the development of these markets, and to the development of open digital platforms.
SWD(2016) 110 - Advancing the Internet of Things in Europe

Radical structural changes and radical shift in value creation

- (b) At the moment, many companies are still cautious when it comes to the IoT
and Industry 4.0 implementation as it may involve radical structural changes
and radical shift in value creation. This could explain why established large
players often find it difficult to adapt to new business models and engage in
new types of alliances. In that respect, agile players like SMEs, especially
entrepreneurs and start-ups, are considered to have the potential to seize new
opportunities brought up by the IoT.
SWD(2016) 110 - Advancing the Internet of Things in Europe

Lack of common standards and interoperable solutions

- (c) There is a lack of common standards and interoperable solutions throughout the products and services life cycles. Interoperability will be essential for the deployment of the IoT and for ensuring seamless flow of data across sectors and value chains.
SWD(2016) 110 - Advancing the Internet of Things in Europe
(d) Lack of consensus on EU policy coordination

5 Risks
1) Risks of fragmentation and a need to address a coordination failure between Member States.

2) Risks of fragmentation between industries.

3) Risk of lock-in in proprietary ecosystems, through restrained interoperability and access to data and applications.

4) Risk of users being forced to compliance and data sharing instead of developing
a human-centred IoT where users can trust that the IoT systems around them
operate according to understood principles and guarantees for their integrity,
privacy and security.

5) Risk that the uncertainty about business models and standards could generate information asymmetries and market failures, preventing investment and risk-taking.
SWD(2016) 110 - Advancing the Internet of Things in Europe
Legal Perspectives

- Security
- Privacy
- Liability
- Contract & Consumer Protection
Security

ENISA, Good Practices for Security of Internet of Things (November 2018)

ENISA considered the security of Industry 4.0 devices and services throughout their
lifecycle (from conception to end-of-life and decommissioning) and paid close
attention to issues that are particular to the requirements of Industry 4.0. Accordingly,
the study highlights security measures in three dimensions:

- Policies
- Organisational measures
- Technical measures
Security

IoT End Devices – These devices have various capabilities, such as sensing, actuating, storing
and/or processing information.

ICS (Industrial Control Systems) – Supervisory control and data acquisition (SCADA) systems, as well as other
control system elements, devices and human-machine interfaces.

Manufacturing and business processes – This group consists of activities that lead to achieving a
certain goal, in this case obtaining a final product from raw materials or components.

Artificial Intelligence and Machine Learning – In Smart Manufacturing, due to the collection of
enormous amounts of data from industrial process, various ML and AI algorithms are utilised for
analysis.

Control systems communication networks and their components – This group includes
networks, network devices and industrial protocols.
Security Challenges

Vulnerable components – Along with the fourth industrial revolution, the new Internet
of Things (IoT) landscape has emerged with millions of connected devices globally.
Management of processes – A multitude of complex processes involved in Smart
Manufacturing should also be considered.
Increased connectivity – Manufacturing processes need to interact with objects and
environments on a global scale and systems used in Smart Manufacturing need to enable
collaboration across multiple organisations.
IT/OT convergence – Industrial control systems ceased to be isolated once the
incorporation of IT components in the ICS domain became a common practice.

Supply chain complexity – Companies that manufacture products or solutions are very rarely able to produce every
part of the product themselves and usually need to rely on third parties’ components.
Developing technologically sophisticated products results in an extremely complex supply
chain with a large number of people and organisations involved, thereby making it highly
demanding in terms of management. Not being able to track every component to its
source means not being able to ensure product security, which is only as secure as its
weakest link.
Legacy industrial control systems - Adding new IoT devices to outdated hardware raises
concerns that it may allow attackers to find a new way to compromise systems.
Insecure protocols – Manufacturing components communicate over private industrial
networks using specific protocols. In modern network environments, these protocols
often fail to ensure proper protection against cyber-threats.
Human factors – Adopting new technologies means that factory workers and engineers
have to work with new types of data, networks and systems in novel ways, and they are
unaware of the risks associated with them.

Unused functionalities – Industrial machines are designed to offer a large number of
functions and services, many of which may not be necessary for operation. In industrial
environments, machines or their selected components often have access to unused
functionalities that may considerably expand the potential attack area and become
gateways for the attackers.
Safety aspects – The presence of actuators that act on the physical world makes safety
aspects very relevant in IoT and Smart Manufacturing. Security for safety emerges as an
objective of paramount importance.
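The two challenges "Insecure protocols" and "Unused functionalities" are the ones an asset owner can act on most directly: inventory what a device actually exposes, disable what the deployment does not need, and confine the unauthenticated industrial protocols that must stay on. The following is an added example (not ENISA's and not from these slides) of such an audit. The device, its listener table, the required-service baseline and the list of cleartext protocols are all constructed for illustration.

```python
"""Audit the services an industrial IoT device exposes against the minimum it
needs to operate. Added example for this deck, not from ENISA or the original
slides; the device, its listener table and the required-service baseline are
constructed."""
from dataclasses import dataclass

# Constructed listener table for a hypothetical PLC gateway, in the shape an
# asset owner would assemble from the device configuration or an authorised
# scan of it: protocol, local address:port, service name.
DEVICE_LISTENERS = """\
tcp 0.0.0.0:502    modbus-tcp
tcp 0.0.0.0:443    https-mgmt
tcp 0.0.0.0:80     http-mgmt
tcp 0.0.0.0:23     telnet
tcp 0.0.0.0:21     ftp
tcp 127.0.0.1:5555 debug-console
udp 0.0.0.0:123    ntp
udp 0.0.0.0:161    snmp-v1
"""

# Functions this particular deployment needs (constructed baseline). Anything
# else is unused functionality that only widens the attack surface.
REQUIRED_SERVICES = {"modbus-tcp", "https-mgmt", "ntp"}

# Protocols that carry no authentication or encryption of their own. If one of
# them must stay on, it should be reachable only from the control network.
PLAINTEXT_PROTOCOLS = {"modbus-tcp", "http-mgmt", "telnet", "ftp", "snmp-v1",
                       "debug-console"}


@dataclass(frozen=True)
class Listener:
    proto: str
    bind: str
    port: int
    service: str


def parse_listeners(text):
    """Parse the three-column listener table into Listener records."""
    listeners = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, addr, service = line.split()
        bind, port = addr.rsplit(":", 1)
        listeners.append(Listener(proto, bind, int(port), service))
    return listeners


def audit(listeners, required=REQUIRED_SERVICES, plaintext=PLAINTEXT_PROTOCOLS):
    """Return one finding per listener that needs action.

    - a service outside the baseline -> "disable" (unused functionality)
    - a required but cleartext service reachable from any interface -> "segment"
    """
    findings = []
    for lst in listeners:
        network_reachable = lst.bind in ("0.0.0.0", "::")
        if lst.service not in required:
            findings.append({
                "service": lst.service, "port": lst.port, "action": "disable",
                "reason": "not needed for operation; "
                          + ("reachable from the network" if network_reachable
                             else "bound to localhost only"),
            })
        elif lst.service in plaintext and network_reachable:
            findings.append({
                "service": lst.service, "port": lst.port, "action": "segment",
                "reason": "required but unauthenticated cleartext protocol; "
                          "restrict to the control network and monitor",
            })
    return findings


def summarize(findings):
    """Count findings per action, e.g. {'disable': 5, 'segment': 1}."""
    counts = {}
    for f in findings:
        counts[f["action"]] = counts.get(f["action"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(parse_listeners(DEVICE_LISTENERS)):
        print(f"{f['action']:8} {f['service']:14} port {f['port']:<5} {f['reason']}")
```

Run against the constructed table, the audit flags five services to disable (including the debug console that is reachable only locally, which still matters once an attacker has any foothold on the host) and marks Modbus/TCP, which the process needs but which has no authentication, as something to segment rather than remove.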
Security updates – Applying security updates to IoT is extremely challenging, since the
particularity of the user interfaces available to users does not allow traditional update
mechanisms. Securing those mechanisms is in itself a daunting task, especially
considering Over-The-Air updates. In OT environments in particular, applying updates
may be challenging since this operation needs to be scheduled and performed during
downtime.
Secure product lifecycle – Device security should be a subject of consideration through
the product’s entire lifecycle, even end-of-life/end-of-support of the machine.
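Whatever channel delivers an update (Over-The-Air or a technician's laptop during scheduled downtime), the device-side checks are the same: authenticate the manifest before trusting it, refuse packages built for another model, refuse downgrades, and verify the image hash. The following is an added example of that verification, not a vendor's code and not from ENISA. It uses only the standard library, so the manifest is authenticated with an HMAC as a stand-in for the public-key signature a real OTA scheme would use (a device must never hold the signing key); the model names, versions, images and key bytes are constructed.

```python
"""Verify a firmware update before installing it: manifest authenticity,
target model, anti-rollback and image integrity. Added example, not a vendor's
or ENISA's code. Stdlib only: the HMAC over the manifest stands in for the
asymmetric signature a real OTA scheme would use. All names, versions and key
bytes below are constructed."""
import hashlib
import hmac
import json

# Constructed secret used by the hypothetical update server (vendor side).
VENDOR_KEY = b"constructed-vendor-key-do-not-reuse"


def build_package(key, model, version, image):
    """Vendor side: wrap an image in an authenticated manifest."""
    manifest = json.dumps({
        "model": model,
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
    }, sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "image": image}


def verify_update(device, package, key):
    """Device side: return (accepted, reason). Order matters: authenticate the
    manifest before acting on anything it says."""
    expected = hmac.new(key, package["manifest"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        return False, "manifest authentication failed"
    manifest = json.loads(package["manifest"])
    if manifest["model"] != device["model"]:
        return False, "package built for a different model"
    if manifest["version"] <= device["version"]:
        return False, "rollback to an older or equal version refused"
    if hashlib.sha256(package["image"]).hexdigest() != manifest["sha256"]:
        return False, "image does not match manifest hash"
    return True, "ok"


def apply_update(device, package, key):
    """Install only if every check passes. Returns the (possibly updated)
    device state and the reason string so the outcome can be logged."""
    ok, reason = verify_update(device, package, key)
    if ok:
        device = dict(device, version=json.loads(package["manifest"])["version"])
    return device, reason


# Constructed device state and sample packages.
DEVICE = {"model": "gw-100", "version": 12}
GOOD = build_package(VENDOR_KEY, "gw-100", 13, b"firmware-v13-image-bytes")
OLD = build_package(VENDOR_KEY, "gw-100", 11, b"firmware-v11-image-bytes")
OTHER_MODEL = build_package(VENDOR_KEY, "gw-200", 13, b"firmware-v13-gw200")
# Image swapped after signing: manifest still authentic, hash no longer matches.
TAMPERED = dict(GOOD, image=b"firmware-v13-image-bytes-modified")
# Manifest edited after signing: authentication tag no longer matches.
FORGED = dict(GOOD, manifest=GOOD["manifest"].replace(b'"version": 13', b'"version": 99'))

if __name__ == "__main__":
    cases = [("good", GOOD), ("old", OLD), ("other model", OTHER_MODEL),
             ("tampered", TAMPERED), ("forged", FORGED)]
    for name, pkg in cases:
        state, reason = apply_update(DEVICE, pkg, VENDOR_KEY)
        print(f"{name:12} -> version {state['version']}: {reason}")
```

The rollback check is the one most often forgotten: without it, an authentic but older image can be re-applied to reintroduce a fixed vulnerability, which is exactly the "secure product lifecycle" concern above.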
Privacy

29WP, Opinion 8/2014 on the on Recent Developments on the Internet of Things

IoT stakeholders aim at offering new applications and services through the collection and
the further combination of this data about individuals – whether in order to measure the
user’s environment-specific data “only”, or to specifically observe and analyse his/her
habits.
In other words, the IoT usually implies the processing of data that relate to identified or
identifiable natural persons, and therefore qualifies as personal data.
The processing of such data in this context relies on the coordinated intervention of a
significant number of stakeholders (i.e. device manufacturers – sometimes also acting as
data platforms; data aggregators or brokers; application developers; social platforms;
device lenders or renters, etc.).
These different stakeholders may be involved for various reasons, namely to provide
additional functionalities or easy-to-use control interfaces that allow the management of
technical and privacy settings, or because the user will commonly have access to his/her
collected data via a distinct web interface.
Furthermore, once the data is remotely stored, it may be shared with other parties,
sometimes without the individual concerned being aware of it.
In these cases, the further transmission of his/her data is thus imposed on the user who
cannot prevent it without disabling most of the functionalities of the device.
As a result of this chain of actions, the IoT can put device manufacturers and their
commercial partners in a position to build or have access to very detailed user profiles.
Privacy Challenges

1. Lack of control and information asymmetry
2. Quality of the user’s consent
3. Inferences derived from data and repurposing of original processing
4. Intrusive bringing out of behaviour patterns and profiling
5. Limitations on the possibility to remain anonymous when using services
6. (Security risks: security vs. efficiency).
Privacy Challenges

1. Lack of control and information asymmetry

As a result of the need to provide pervasive services in an unobtrusive manner, users
might in practice find themselves under third-party monitoring. The user can lose all
control on the dissemination of his/her data.
Communication between objects can be triggered automatically as well as by default,
without the individual being aware of it. In the absence of the possibility to effectively
control how objects interact or to be able to define virtual boundaries by defining active
or non-active zones for specific things, it will become extraordinarily difficult to control
the generated flow of data. It will be even more difficult to control its subsequent use,
and thereby prevent potential function creep.

2. Quality of the user’s consent

In many cases, the user may not be aware of the data processing carried out by specific
objects. Moreover, at least in some cases, the possibility to renounce certain services or
features of an IoT device is more a theoretical concept than a real alternative. Such
situations lead to the question of whether the user’s consent to the underlying data
processing can then be considered as free, hence valid under EU law.
In addition, classical mechanisms used to obtain individuals’ consent may be difficult to
apply in the IoT, resulting in a “low-quality” consent based on a lack of information or on
the factual impossibility to provide fine-tuned consent in line with the preferences
expressed by individuals.

3. Inferences derived from data and repurposing of original processing

The increase of the amount of data generated by the IoT in combination with modern
techniques related to data analysis and cross-matching may lend this data to secondary
uses, whether related or not to the purpose assigned to the original processing. Third
parties requesting access to data collected by other parties may thus want to make use
of this data for totally different purposes.
Apparently insignificant data originally collected through a device (e.g. the accelerometer
and the gyroscope of a smartphone) can then be used to infer other information with a
totally different meaning (e.g. the individual’s driving habits).

4. Intrusive bringing out of behaviour patterns and profiling

Even though different objects will separately collect isolated pieces of information, a
sufficient amount of data collected and further analysed can reveal specific aspects of an
individual’s habits, behaviours and preferences. Analytics based on information caught in
an IoT environment might enable the detection of an individual’s even more detailed and
complete life and behaviour patterns.
With the IoT, such potential surveillance might now reach the most private sphere of the
individuals’ life, including homes. This will put pressure on the individual to avoid
non-usual behaviour so as to prevent the detection of what might be perceived as anomalies.
Such a trend would be very intrusive on the private life and the intimacy of individuals
and should be very closely monitored.

5. Limitations on the possibility to remain anonymous when using services

Full development of IoT capabilities may put a strain on the current possibilities of
anonymous use of services and generally limit the possibility of remaining unnoticed.
For instance, wearable things kept in close proximity of data subjects result in the
availability of a range of other identifiers, such as the MAC addresses of other devices
which could be useful to generate a fingerprint allowing data subject location tracking.
The collection of multiple MAC addresses of multiple sensor devices will help create
unique fingerprints and more stable identifiers which IoT stakeholders will be able to
attribute to specific individuals.
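The stable identifier is the problem: a MAC address observed on different days by different sensors joins those observations into one profile. A data-minimising collector can keep the aggregate statistics it needs (how many distinct devices were seen in an epoch) while storing only a keyed pseudonym whose key rotates per epoch, so observations from different epochs cannot be linked. The following is an added example of that design, not from the Article 29 Working Party opinion or these slides; the sightings, the daily epoch length and the collector key are constructed.

```python
"""Data-minimising handling of hardware identifiers (e.g. MAC addresses)
observed by an IoT deployment: raw identifiers are replaced by keyed
pseudonyms whose key rotates per epoch, so records can be counted within an
epoch but cannot be linked across epochs into a stable fingerprint. Added
example, not from the WP29 opinion; sightings, epoch length and key are
constructed."""
import hashlib
import hmac
from collections import defaultdict

EPOCH_SECONDS = 24 * 3600              # rotate pseudonyms daily (constructed choice)
MASTER_KEY = b"constructed-collector-key"   # held by the collector only


def epoch_of(timestamp):
    """Map a Unix timestamp to its epoch number."""
    return timestamp // EPOCH_SECONDS


def epoch_key(master_key, epoch):
    """Derive a per-epoch key from the master key; once an epoch's key is
    discarded, its pseudonyms cannot be recomputed, even by the collector."""
    return hmac.new(master_key, str(epoch).encode(), hashlib.sha256).digest()


def pseudonymise(identifier, timestamp, master_key=MASTER_KEY):
    """Keyed, truncated hash of one identifier for the epoch of `timestamp`.
    Case is normalised so the same device always yields the same value."""
    key = epoch_key(master_key, epoch_of(timestamp))
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]


def ingest(sightings, master_key=MASTER_KEY):
    """Turn raw (timestamp, identifier) sightings into records that hold only
    the epoch and the pseudonym, never the identifier itself."""
    return [{"epoch": epoch_of(ts), "pseudonym": pseudonymise(ident, ts, master_key)}
            for ts, ident in sightings]


def distinct_per_epoch(records):
    """An aggregate that still works on pseudonyms: distinct devices per epoch."""
    seen = defaultdict(set)
    for r in records:
        seen[r["epoch"]].add(r["pseudonym"])
    return {e: len(p) for e, p in seen.items()}


def linkable_across_epochs(records):
    """True if any pseudonym appears in more than one epoch, i.e. if a stable
    cross-epoch identifier leaked into the stored data."""
    epochs = defaultdict(set)
    for r in records:
        epochs[r["pseudonym"]].add(r["epoch"])
    return any(len(e) > 1 for e in epochs.values())


# Constructed sightings: two devices on day 0 (one seen twice, with different
# letter case), the same two plus a third on day 1.
SIGHTINGS = [
    (1_000, "AA:BB:CC:00:00:01"),
    (2_000, "AA:BB:CC:00:00:02"),
    (3_000, "aa:bb:cc:00:00:01"),
    (90_000, "AA:BB:CC:00:00:01"),
    (91_000, "AA:BB:CC:00:00:02"),
    (92_000, "AA:BB:CC:00:00:03"),
]

if __name__ == "__main__":
    records = ingest(SIGHTINGS)
    print("distinct devices per epoch:", distinct_per_epoch(records))
    print("linkable across epochs:", linkable_across_epochs(records))
```

The trade-off is explicit: within one day the collector can still count devices and de-duplicate repeat sightings, but a profile spanning days cannot be assembled from what is stored, and the raw MAC address never reaches storage at all.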
Liability

SWD(2018) 137 - Liability for emerging digital technologies

These new products and services are not inherently less safe than traditional
products.
Consumers' trust and the uptake of these technologies will depend on whether
they are perceived to be safe and on whether the legal framework is considered
clear and effective to provide remedies to victims.
The liability framework currently in force in the European Union is a stable
framework that encourages investment, innovation and risk-taking.
Nevertheless, a reflection on future needs and developments is needed, not only
from the perspective of the victim, i.e. in order to ensure equitable remedies,
compensation and allocation of responsibility, but also from the perspective of the
innovators and companies operating in the EU, as legal certainty is a key element
for good business development.

Emerging digital technologies show certain levels of complexity due to the
interdependency between the different components and layers: i) the tangible
parts/devices (sensors, actuators, hardware), ii) the different software
components and applications, to iii) the data itself, iv) the data services (i.e.
collection, processing, curating, analysing), and v) the connectivity features.
As it has also been the case in the past, any interdependency gives rise to a
number of questions, among which, who should be held liable in case the
technology causes a damage or how to identify the root cause of the problem.
Nonetheless, as far as they constitute 'movable' items, IoT devices and any other
items containing intangible elements or presenting connectivity features qualify as
'products' and defects in these products are covered by the Product Liability
Directive.
Extra-contractual liability

- As a general rule in most jurisdictions, extra-contractual liability regimes are fault-based. This means that the fault of the author of the wrongful behaviour leading to a damage (which could be an act or an omission, whether intentional or by negligence) is a necessary element to be proven for the liability claim to be successful.
- Art. 2043 c.c.: any intentional or negligent act which causes unjust harm to others obliges the perpetrator to pay damages.
- It is typically up to the victim submitting a claim to provide the evidence needed to support his liability claim. There are situations, however, where national law introduces variations to facilitate the burden of proof of the victim. Such variations may consist in a presumption of fault by the wrongdoer (or a reversal of the burden of proof), whereby the wrongdoer is liable unless he proves that he was not at fault. The variations may respond to the logic that the general rule on the burden of proof needs to be altered so as to increase the possibility of compensation for the victim or at least balance the situation of disadvantage in which the victim would be pursuant to the ordinary regime.
- The reversal of the burden of proof in the context of a fault-based extra-contractual liability and the principle of strict liability typically respond to a common rationale. They both aim overall at facilitating the compensation of the victim of damages in situations where the legislator considers it too burdensome or unbalanced to apply the general fault-based liability rule.
- Special regimes of strict liability may apply to a diverse set of factual situations generating different types of risks and damages, such as the liability of the owners of animals for the damages caused by the animals under their custody; the strict liability of the person responsible for carrying out an unspecified or specified dangerous activity (for example the operation of nuclear power plants, aircraft or motor vehicles), etc.
Product liability - Directive 85/374

In the EU, consumers can claim compensation for damage caused by defective products.
If a defective product causes any physical or material damage to consumers or their property, the
producer has to provide compensation irrespective of whether there is negligence or fault on their
part.

Rights of producers
Producers can be cleared of liability under certain conditions, notably, if they prove that:
● they did not put the product into circulation
● the defect was due to the compliance of the product with mandatory regulations issued by public
authorities
● the state of scientific or technical knowledge at the time the product was put into circulation could
not detect the defect.
Liability Challenge

The producer needs to ensure the safety of the final product, and in turn,
producers and sellers are responsible for any liability arising from the products
placed on the market or sold to customers regardless of whether they include third
party components.
However, based on the specific characteristics of these emerging digital
technologies, it should be examined whether, when products and services are
increasingly connected and complex both in the design and the system integration,
effective redress mechanisms for victims and legal certainty for producers are still
ensured.
Further, digital technology products are open to software extensions, updates and
patches after they have been put into circulation. Any change to the software of
the system may affect the behaviour of the entire system or of individual
components or may extend its functionality.
Contractual liability of a software provider depends to a large extent on its
contractual obligations (e.g. to supply applications which provide a certain level of
safety and cybersecurity as well as updates for a certain period of time). A failure
to comply with these obligations may trigger contractual liability claims. […] The
contractual liability of a software provider may be limited to the extent its
customer contributed to the actual damage, e.g. because he did not install an
available update.
For example, a smart smoke detector can be produced by manufacturer A and sold
to the homeowner by seller B, a smart thermostat can be produced by
manufacturer C and sold to the homeowner by seller D, the data analysis
application could be provided by provider E or by one of the manufacturers of the
smart appliances and the connectivity dimension is provided by internet provider
F. The smart smoke detector can detect a source of fire and alert the homeowner
or the fire department. In addition, the smoke detector can also communicate with
other smart home appliances in the ecosystem, such as smart doors, instructing
them to unlock in order to allow access to the fire fighters.
In case of a fire, not sending an alert to the fire department may ultimately result
in the destruction of the house and/or damage to a neighbour's house. This may
be due to various causes: a malfunctioning of the smoke detector, a faulty data
processing by the application, a failure of electronic communication services or an
autonomous decision to switch off the smoke detector, e.g. because of high energy
consumption levels of the smoke detector.
The more sophisticated an ecosystem gets, the more difficult it may be for the
homeowner to trace back any upcoming problem to its origin.
Liability Challenges at the EU level

A new Product Liability Directive?

The evaluation process included a preliminary assessment of the continued
relevance of the Product Liability Directive’s concepts, such as product, producer, defect,
damage and the burden of proof.
The Directive defines products as movable items. Even though most producers
consulted during the evaluation claimed that they did not encounter problems in
distinguishing products from services so far, a number of open questions were
identified related to software, be it embedded or non-embedded, that will have to
be further explored.
Concerning the concept of producer, the question arises to what extent the
producer maintains control over the features of a product in the context of
emerging digital technologies and can therefore be held liable for them. While in
many cases the final product and producer may be easy to identify, regardless of
whether it includes software or other digital elements, or whether different
manufacturers have been involved in the production process, other cases may be
less straightforward.
The notions of defectiveness and burden of proof of the Directive are fairly wide
and refer to the safety levels that a consumer is entitled to expect.
The defectiveness must be assessed based on an objective analysis of the
expectations of an average consumer rather than on subjective expectations or
predisposition of one person -> objective criteria.

At present, damages are limited to either physical or material damages to property
that is intended for private use. While this distinction between private and
professional use has not appeared to cause major problems in practice, some
stakeholders have raised questions as to the continued relevance of this
distinction in this day and age. Furthermore, issues related to the infringement of
privacy and cybersecurity were also raised.
Contract & Consumer

- Contract B2C
- Contract B2B
- Contract between “producers”
- Contract with the end-user

Contract between producers

- Risk management and liability

Contract with the end-user

- Information
- Control
- Security
- Privacy
Consumer

- Sales of Goods (Directive 771/2019)

- Digital Content (Directive 770/2019)

- Directive (EU) 2019/771 should apply to contracts for the sale of goods,
including goods with digital elements. The notion of goods with digital elements
should refer to goods that incorporate or are inter-connected with digital
content or a digital service in such a way that the absence of that digital content
or digital service would prevent the goods from performing their functions.
Consumer: Sales of Goods or Digital Content?

- Digital content or a digital service that is incorporated in or inter-connected with goods in that manner should fall within the scope of Directive (EU) 2019/771 if it is provided with the goods under a sales contract concerning those goods.

- Whether the supply of the incorporated or inter-connected digital content or digital service forms part of the sales contract with the seller should depend on the content of this contract. This should include incorporated or inter-connected digital content or digital services the supply of which is explicitly required by the contract.

- It should also include those sales contracts which can be understood as covering
the supply of specific digital content or a specific digital service because they are
normal for goods of the same type and the consumer could reasonably expect
them given the nature of the goods and taking into account any public
statement made by or on behalf of the seller or other persons in previous links
of the chain of transactions, including the producer.

- If, for example, a smart TV were advertised as including a particular video application, that video application would be considered to be part of the sales contract. This should apply regardless of whether the digital content or digital service is pre-installed in the good itself or has to be downloaded subsequently on another device and is only inter-connected to the good.

- For example, a smart phone could come with a standardised pre-installed application provided under the sales contract, such as an alarm application or a camera application. Another possible example is that of a smart watch. In such a case, the watch itself would be considered to be the good with digital elements, which can perform its functions only with an application that is provided under the sales contract but has to be downloaded by the consumer onto a smart phone; the application would then be the inter-connected digital element.

- This should also apply if the incorporated or inter-connected digital content or digital service is not supplied by the seller itself but is supplied, under the sales contract, by a third party.

- In order to avoid uncertainty for both traders and consumers, in the event of
doubt as to whether the supply of the digital content or the digital service forms
part of the sales contract, Directive (EU) 2019/771 should apply.

- Furthermore, ascertaining a bilateral contractual relationship, between the seller and the consumer, of which the supply of the incorporated or inter-connected digital content or digital service forms part should not be affected by the mere fact that the consumer has to consent to a licensing agreement with a third party in order to benefit from the digital content or the digital service.

- In contrast, if the absence of the incorporated or inter-connected digital content or digital service does not prevent the goods from performing their functions, or if the consumer concludes a contract for the supply of digital content or a digital service which does not form part of a sales contract concerning goods with digital elements, that contract should be considered to be separate from the contract for the sale of the goods, even if the seller acts as an intermediary of that second contract with the third-party supplier, and could fall within the scope of this Directive.

- For instance, if the consumer downloads a game application from an app store
onto a smart phone, the contract for the supply of the game application is
separate from the contract for the sale of the smart phone itself. Directive (EU)
2019/771 should therefore only apply to the sales contract concerning the smart
phone, while the supply of the game application could fall under this Directive, if
the conditions of this Directive are met.

- Another example would be where it is expressly agreed that the consumer buys
a smart phone without a specific operating system and the consumer
subsequently concludes a contract for the supply of an operating system from a
third party. In such a case, the supply of the separately bought operating system
would not form part of the sales contract and therefore would not fall within the
scope of Directive (EU) 2019/771, but could fall within the scope of this
Directive, if the conditions of this Directive are met.
IoT Challenges

- Security: new standards
- Privacy: loss of control
- Liability: protection of victims
- Liability: producers' contracts and risk management
- End-users' protection in contract law
- Goods or services?
Thank you for your attention

silviamartinelli89@gmail.com
s.martinelli@crclex.com
