Thursday, January 5, 2017

The EU's Privacy by Default 2.0

Last December, a draft of the new European e-Privacy rules leaked. It contained a number of interesting insights into the ways the EU will regulate privacy in electronic networks. The new e-Privacy law will supplement the General Data Protection Regulation (GDPR), which was enacted last May and which will enter into application on May 25, 2018.

From Directive to Regulation
Apart from re-shaping existing rules on spam, cookies and location-based services, the most important change is that the Directive will become a Regulation. I fully agree with this change. Internet-based services do not stop at the border. Services of the 4th Industrial Revolution will be powered by the cloud. E.g., self-driving cars will heavily rely on cloud connections. You can't have a different law relating to how your car communicates with the cloud each time you cross a border. Therefore, a clear and fully-harmonized legal framework across the EU is needed to facilitate the uptake of internet-connected products. This includes the rules on e-Privacy.

Hardware manufacturers and retail also covered
The second most important proposal in the draft e-Privacy Regulation is article 10, which reads:

"The settings of all the component of the terminal equipment placed on the market shall be configured to, by default, prevent third parties from storing information, processing information already stored in the terminal equipment and preventing the use by third parties of the equipment's processing capabilities."

By using the wording "placed on the market", this provision is targeted at the retail sector as well as the manufacturers of internet-connected products, such as smart TVs, smart energy meters, smart watches, smartphones, connected cars, computers, smart Barbies, and smart consumer products collectively known as 'IoT devices'.

The draft GDPR contained a similar provision, which required producers of devices to comply with the Data Protection by Design requirement. That provision was subsequently deleted, as it did not make sense in the context of the other provisions of the GDPR. The provision of the e-Privacy Regulation complements art. 25 GDPR.

Nevertheless, personal information collected by the device manufacturers themselves is already covered by the privacy-by-design & default requirements of the GDPR, as they are the controllers of the data processing. So, the settings of smart devices must be configured to ensure the rights of the consumers and to ensure the processing meets the requirements of the GDPR. But the e-Privacy Regulation will require those manufacturers to also configure those devices to prevent third parties from processing user information unless the user has chosen to allow it. This is a duty-of-care requirement on the part of the manufacturer and retailer, which art. 10 translates into a prohibition on selling products in the EU which do not meet this requirement.

Obviously, the retail and wholesale sector in the EU will be covered by this provision. But as most devices are manufactured outside Europe and the settings of the pre-installed software would have to be taken care of already in the factory, this provision will also cover non-European manufacturers of electronic devices. Their products may not be shipped to the EU without the proper privacy and security settings.

EU to set the standard?
By requiring that no products are placed on the market that do not meet the privacy-by-default requirement, the EU may, depending on whether those factories choose to produce their products for regional demand or not, effectively set the standard for a more secure range of consumer products across the world. Of course, the requirement does not (primarily) cover the hardware itself, but mainly the software pre-installed on the devices, up to the embedded software in the chips used in the device. Ergo, chip manufacturers may be required to ensure that only secure chips are used. On the other hand, device manufacturers, including EMS, ODM and OEM manufacturers, will be required to install software pre-configured to protect user privacy. This pertains to the operating systems used as well as to the apps pre-installed on the device. For example, pre-installed apps and browsers should all be installed with Do-Not-Track (DNT) enabled by default. All this under the direction of the companies under whose brand the product is sold. But the ultimate responsibility for compliance with this rule lies with the (web)shop selling the device.

It should be noted that the wording of article 10 limits the requirement to the import and retail phase. There is no legal obligation in the e-Privacy Regulation to keep supporting the device and its software on privacy and security once it has been sold. Ergo, keeping the device free from malware and patching the software will remain the responsibility of the user.

Note that the rule does not give the consumer a reasonable expectation of security nor a warranty that the device is secure at the moment of purchase, as the moment that the product was 'placed on the market' may lie weeks, months - or in some cases even years - before the moment of purchase. So, the faster the retailer moves his inventory, the more likely it is that the product is (still) secure. Nevertheless, this new rule, if enacted, would be a major step forward to ensure that end-user products will be secure.

Enforcement
Although the e-Privacy Regulation will, for the most part, be enforced by privacy and data protection authorities, the enforcement of article 10 would be the primary responsibility of customs (preventing non-compliant products from being imported) and product safety and consumer protection authorities (preventing non-compliant products from being sold).

This requires thorough and up-to-date knowledge of privacy and information security at those agencies; knowledge that they currently are not required to have. The same is true for the procurement departments of retail stores and webshops. The level of knowledge about privacy and information security with those agencies and retailers, or lack thereof, may prove to be the Achilles' heel of this proposal.
