The Internet of Things: A World of Compliance Challenges
When it comes to the brave new world of the Internet of Things (IoT) and cyber-physical systems (CPS), regulatory and compliance challenges are likely to grow in importance. As the National Institute of Standards and Technology (NIST) has noted:
[CPS] or "smart" systems are co-engineered interacting networks of physical and computational components. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas. Cyber-physical systems will bring advances in personalized health care, emergency response, traffic flow management, and electric power generation and delivery, as well as in many other areas now just being envisioned.
These advances bring with them new and different regulatory and legal challenges, such as compliance with privacy and data security requirements, critical infrastructure considerations, product safety, energy efficiency, medical device obligations, advertising, and extended producer responsibility requirements, to name just a few. And then there are a myriad of discovery and document management considerations should regulatory investigations or private litigation touch data collected via these devices. Activities in 2015 have set the stage for developments that will affect the technical, policy, and legal landscape in 2016 and beyond.
Privacy and data security concerns associated with CPS garnered much attention in 2015. The Federal Trade Commission (FTC) started the year off with publication of a staff report, Internet of Things: Privacy & Security in a Connected World, in January 2015. Later in the spring, the Department of Commerce (DOC) Internet Policy Task Force (IPTF), under the leadership of the National Telecommunications and Information Administration (NTIA), asked for public comments to identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers. NIST, which has tackled CPS issues through one of its public working groups, released a Draft Framework for Cyber-Physical Systems for public comment on September 18, 2015. That draft set the stage for release of a final NIST framework in 2016.
Actions by U.S. regulators such as the FTC early in 2016 reinforce the 2015 trend. Already, the FTC has raised additional concerns about the Internet of Things in the staff report Big Data: A Tool for Inclusion or Exclusion?, released in January 2016. The report calls for companies that collect data sets on millions of customers through online tracking, mobile tracking, and the Internet of Things, among other sources, to be aware of inherent data biases that could implicate a variety of consumer protection laws and requirements. At a separate January 14 event, PrivacyCon, researchers and academics presented findings ranging from the current state of online privacy and "big data" to the origins of data security vulnerabilities and the incentives behind data security practices. FTC Chairwoman Edith Ramirez asked researchers to continue to share their privacy-related work with the FTC to bolster the Commission's understanding of data practices.
European institutions have also been considering general IoT questions. For example, the European Parliament released a briefing paper entitled The Internet of Things: Opportunities and Challenges in May 2015. Data transfers to countries lacking an adequate privacy regime are top of mind since the Court of Justice of the European Union (CJEU) ruled on the respective roles of the European Commission and national data protection supervisory authorities in assessing data transfer adequacy mechanisms in the seminal decision in Schrems v. Data Protection Commissioner, announced in October 2015. The decision specifically addressed the U.S.-EU Safe Harbor, but potentially calls into question all data transfer mechanisms, including standard contractual clauses and binding corporate rules.
Most recently, agreement was reached by all the EU institutions on the content of the EU General Data Protection Regulation (GDPR), the instrument that will replace the EU Data Protection Directive. Many open questions remain: what types of processing comport with a business's legitimate interest, how to define (and treat) data collected from "children," procedures for developing and approving codes of conduct, harmonizing decisions across Member States, and procedures for imposing the gargantuan fines available under the GDPR. The GDPR still must be officially translated and published, and so is not likely to take effect until spring 2018, but now is the time to consider how to integrate privacy by design into IoT products, ways to obtain consent (including in the high-growth market for connected children's products), how to identify controllers and processors for IoT products, how to manage data transfers, and more.
Data security and privacy are also central questions for specific CPS product categories, like the burgeoning wearables sector. Devices may not only allow the wearer to track calories, heart rate, workouts and fitness levels, but may potentially be able to diagnose certain mental or physical health conditions. The Food and Drug Administration (FDA) issued a draft guidance document, "General Wellness: Policy for Low Risk Devices," on January 20, 2015, outlining its enforcement policy regarding devices that make "general wellness" claims and present a low risk to users' safety. In January 2016, the FDA released draft guidance on managing cybersecurity vulnerabilities in products already on the market. For certain vulnerabilities and exploits, the FDA proposes requiring manufacturers to notify the agency, a proposal that recognizes the relationship between safety and data security. Once the line between general wellness and health care is crossed, and the data is handled by a covered entity or its business associates, Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements are triggered. Even where HIPAA does not apply, health-related data collection and use, including via connected devices, is growing in ways HIPAA was never designed to cover. This is leading to more pressure for regulatory and self-regulatory measures that give consumers control over such data and prevent its misuse.
Data security and cybersecurity lapses, however, can have serious consequences beyond exposing consumer data to hackers and identity thieves. From product recalls involving home products[1] and fitness devices[2] to recent lawsuits alleging that data security lapses create potential safety hazards in products like cars (consider Fiat Chrysler's woes, including a class action,[3] after a media report highlighted hacking vulnerabilities), data security is now an increasingly important design consideration that must also be evaluated from a product safety perspective. How to do that when risks to interconnected devices can come from so many sources will garner growing attention. More recently, reports that hackers were able to take over control of a car prompted an immediate call for legislation, and raise questions about when a data security issue implicates safety and what triggers might prompt a recall.
The IoT promises some great safety benefits. Perhaps the connected thermostat can diagnose a fault in the home heating system, turning it off before it catches fire. The wearable sensor might help a doctor diagnose a heart condition early enough for treatment to make a difference. But as we can see from just a few recalls, as more connected devices enter the marketplace, more safety questions will arise. At the same time, product restrictions, like limits on chemicals that may be essential to safety performance, could increase costs and potentially reduce the safety of a growing category of electronic devices.
Connected devices may also create new regulatory challenges, with producers potentially not even recognizing that their products are subject to oversight from agencies they had not considered. For example, Federal Communications Commission (FCC) and similar requirements may apply to Wi-Fi-enabled products, and spectrum availability and interoperability questions are likely to grow. Advertising claims about performance, effectiveness, safety, and privacy will also draw scrutiny. For example, not only has Fitbit faced a recall for safety reasons, but it is now being challenged over claims about the effectiveness of its heart rate monitor.[4]
This short snapshot is only a high-level overview of some of the challenges to come.
[2] See CPSC, Fitbit Recalls Force Activity-Tracking Wristband Due to Risk of Skin Irritation (Mar. 12, 2014).
[3] See Complaint, Flynn v. FCA US LLC, No. 3:15-cv-00855 (S.D. Ill. Aug. 4, 2015).
[4] See Complaint, McClellan v. Fitbit, Inc., No. 16-cv-36 (N.D. Cal. Jan. 5, 2016); Complaint, Robb v. Fitbit, Inc., No. 3:16-cv-00151 (N.D. Cal. Jan. 7, 2016).