The Internet of Things (IoT) is revolutionising the way companies do business and still has massive potential for growth, but this change exposes many of them to legal risks they have never experienced before.
The comment made by the former CEO of Nokia during the press announcement of the acquisition of its smartphone division by Microsoft is very interesting. He said:
“We didn’t do anything wrong, but somehow, we lost…”
Nokia was once one of the largest manufacturers of mobile phones. In the 3rd quarter of 2007, almost half of mobile phones worldwide were Nokia phones. However, by the 3rd quarter of 2012, Nokia’s market share had dropped dramatically to slightly more than 3%.
The decline of the company was not due to mistakes by its management. The world had changed too quickly, and Nokia had not been able to keep up with it. As a result, it lost not only revenues, but also the opportunity to survive…
New IoT business models create a stronger LINK with customers
The same type of change is now happening with the Internet of Things (IoT). For instance, Pirelli and Michelin are embedding sensors in their tyres that collect data about vehicle performance and road conditions. This data is then conveyed to the driver as well as to the car’s electronics, helping to improve safety and efficiency.
The data collected through the tyres enabled such companies to introduce the concept of tyres as a service.
Up until yesterday, the relationship with our tyre dealer was a “one-off” every 4/5 years, while now customers can enter into a long-term contract in which the price is turned into a periodic fee and a number of value-added services are provided as consideration for that fee.
Such value-added services are possible because of the information collected about the performance of the tyres as well as about the driver, his habits, his style of driving, the places where he goes most frequently, etc.
A business that from its creation had never known anything about its customers can all of a sudden start to receive a huge amount of personal data about them, with the associated privacy-related obligations and potential liabilities.
And the timing of this shift could not be “worse”…
The EU Data Protection Regulation has just been adopted. The Regulation will not only add a considerable load of new privacy obligations, but also increase the applicable fines, which will rise to up to 4% of the global turnover of the breaching entity.
This is a historic change, considering that one of the largest fines issued in the European Union for privacy breaches was the €1 million fine issued in Italy against Google for the data collected through its Street View service.
And this is not an issue only for companies based in the European Union. Wherever a business is based, it must comply with European data protection law if it offers its services to people located in Europe or monitors their behaviour by means of, for instance, cookies and fingerprinting.
So-called “privacy by design” and “security by design” are not only obligations, but are also the main tools currently available to limit potential liabilities. However, the exact scope of these obligations, and of a large part of the other obligations imposed by the Regulation, will have to be “negotiated” with privacy authorities to find solutions that ensure privacy compliance while preserving the potential of businesses.
The Regulation will come into force in May 2018, but the changes to be implemented are so major that I don’t think I am wrong in saying that the majority of companies worldwide risk not being ready by that deadline!
The IoT is not only about privacy…
Cyber security risks are amplified with Internet of Things technologies. The connected cars hacked last year in the US show the size of the risk, and the risk exposure will further increase with sensors able to communicate with other devices, detect items and trigger automatic actions. There were 48.8 million cyber-attacks in 2014 and such figures will exponentially increase with the adoption of IoT technologies.
The occurrence of a cyber-attack is not a question of if, but of when…
Companies need to get ready by adopting adequate internal policies and liability protections, so that they can minimise the risk of cyber-attacks and, when one does occur, react in a way that reduces their potential liabilities.
Giulio Coraggio is a partner at the global law firm DLA Piper where he co-heads the global Internet of Things group and chairs the Italian Technology sector. Giulio is listed by the major legal directories and among the top global Internet of Things influencers by Onalytica and is the co-founder of the Italian association on the Internet of Things, IoTItaly. Finally, he is the blogmaster of www.gamingtechlaw.com where he covers technology law matters and can be reached at email@example.com and on Twitter at @GiulioCoraggio