Internet of Things (Good and Bad)

In one of our previous posts, we pointed out that personal data represents the new fuel powering the digital economy, in a context where modern society is experiencing an unprecedented data boom which is changing the paradigm of many businesses. While some years ago we only searched for information using low-speed internet connection on a home computer, the internet has now become a familiar and indispensable presence at home and work alike. We can access the internet virtually anywhere – in our cars, on the train, on the plane or even in a tent while camping. We have the internet in our pockets and around our wrists.

Unnoticeably, under our very eyes, an information database has taken over a significant portion of our modern lives and turned into the “internet of things”  (IOT). According to a report released by the U.S. Federal Trade Commission in 2015, the IOT refers to the ability of everyday objects to connect to the internet and send and receive data. These objects – so-called “smart devices” – are all around us: internet-connected cameras allowing the user to share pictures or movies instantly; bracelets recording and processing information about our physical condition, diet and workout routines, etc.[1] The number of devices connected to the internet has already exceeded the number of people. And there is more to come. According to the same report, by 2020 there will probably be around 50 billion internet-connected devices.

It is beyond any doubt that we are more and more addicted to internet-connected devices. In the first place, they are making our lives easier: we can shop for our favourite clothes with a swipe and a few taps on our phone screen; we can avoid traffic jams with the help of an app; we can switch on the lights in our homes even from thousands of kilometres away.

Then, the IOT seems to open a new era in medicine. Internet-connected devices may help patients work with their physicians to manage their diseases. There are already IT solutions which, through the processing of Big Data and Smart Data, provide added value in medical research: Watson, the super-computer created by IBM, managed to accurately diagnose a rare form of cancer in 10 minutes.[2] And these are just a few examples; the IOT has the ability to offer many other potentially revolutionary benefits.

But, while the benefits cannot be disputed, the attached risks are more elusive and difficult for the individual user to counter. Unauthorised access to personal data, misuse of the same and malicious software attacks constantly make headlines in the media. This is where the statutory principles in the data protection laws – transparency, legitimate use, proportionality, security and confidentiality of data processing – should step in to keep consumers safe from unauthorised access to and misuse of their personal data.

Notably, in July 2016, the European Parliament adopted the Directive on security of network and information systems (the NIS Directive), which is designed to enhance security in the Digital Single Market by ensuring a common level of network and information security in the EU. This Directive sets forth obligations both for the authorities and the industry. Member States must adopt national strategies on the security of network and information systems, and set up computer security incident response teams entrusted with monitoring incidents and providing an appropriate response. Moreover, each Member State is expected to identify operators of essential services in the sectors that are vital for the economy and society, such as energy, transport, water, banking, financial market infrastructure, healthcare and digital infrastructure. These operators of essential services, as well as digital service providers (search engines, cloud computing services and online marketplaces), will have to take measures to manage the risks posed to the security of their network and information systems and notify the national authorities of serious incidents.

Given the increased number and ever greater sophistication of cyber-attacks, a reasonable question to put to legislators is: Are consumers kept safe by these measures? According to The Economist, computer security is a myth, and computers will never be safe while there is no significant change in the way consumers and industry treat the vulnerabilities of software programmes.[3]

The Economist suggests that while users should be incentivised to pay more attention to security – e.g., by regularly changing user names and passwords – governments should focus on changing the rules of the game in the software industry. Increased liability for software products, together with professional insurance schemes software developers should adhere to may be good incentives for increasing developers’ interest in software security. It remains to be seen how the industry will react If that approach is taken. The lack of intervention in this industry was the backbone of its growth, so companies in the field might claim that increasing responsibility for their products will slow the growth of an industry which has proved capable of offering many revolutionary benefits over a small period of time.

In its press release on the NIS Directive, the Commission acknowledges that the Directive is the first step in a series of new initiatives to better equip Europe against cyber-attacks and to strengthen the competitiveness of its cybersecurity sector.[4] It remains to be seen what approach will be taken in the future and how efficiently we can secure the remarkable benefits associated with the IOT