A 2013 report by International Data Corporation (IDC) predicted that there would be 50 billion devices connected to the Internet. With 2020 still not over, the figures for this year remain a prediction; experts say that, if not 50 billion, the final figure for 2020 will be at least 31 billion IoT devices, with 127 new devices being added to the Internet every second.
IoT, or the Internet of Things, is the interconnection of devices over the mobile network, satellite coverage, or the Internet itself. The most common IoT items, which every layman would recognize, are RFID (Radio Frequency Identification), Bluetooth, Wi-Fi, and the 3G/4G or 5G phones in use these days; they are all IoT devices. The ‘Thing’ in IoT means objects of everyday life (TVs, phones, air conditioners, coffee makers) connected over the Internet.
IoT related regulations
IoT-related regulations have been scarce, to say the least. In the last few years, many countries have taken steps to keep a check on IoT companies and on the uses their products are put to, but regulators worldwide still cannot keep pace with the speed at which IoT is innovating. The UK, Japan, and Thailand are all working towards IoT regulations.
EU Takes The Initiative Regarding Regulations
In this regard, the EU took the initiative of introducing regulations way back in 2005, when it released its report titled ‘i2010 – A European Information Society for growth and employment’. The report proposed that the regulatory framework needs to advance along with digital technology, so that it can respond in time to changes in the technological world.
However, current trends show that changes in the regulatory framework have not kept pace with advancements in technology, least of all in the realm of IoT.
There is a growing number of calls for enhanced IoT regulations, in particular in the areas of personal data use and security for internet-connected devices. However, the burden of regulatory shortcomings is at times placed on the manufacturer, for cutting costs, and sometimes on the ignorance of the buyer as well.
IoT and the EU regulations
Over the years, the EU as a responsible region has approved and released directives regulating the Internet and IoT. These regulations have generally covered the areas of research and development, standardization, cybersecurity, infrastructure, privacy and data protection, and cybercrime.
General Data Protection Regulation (GDPR), Directive 2013/40/EU, Connected Communities Initiative, Europe 2020 “Innovation Europe,” Framework Programme Funding, The Cyber Security Act – (EU) No 526/2013, 2014/53/EU – The Radio Equipment Directive, Directive (EU) 2016/1148 – NIS Directive 2016, ePrivacy Regulation and ENISA Regulation (EU) 2019/881 are some of the EU regulatory directives covering one aspect or another of IoT. Here, the three most important directives and pieces of legislation related to IoT will be discussed.
GDPR and IoT
GDPR is all about protecting the personal data of individuals. IoT is a bunch of interconnected and interrelated technologies, and GDPR takes a holistic approach, as it says in Article 2(1) of GDPR; its scope of applicability extends beyond the EU. Under Article 32(1) of GDPR, the agency controlling the IoT device is responsible for applying technical and organizational measures to protect personal data. These measures are to be applied while the device is being developed, making this a ‘secure by design’ security measure. GDPR, however, excludes manufacturers, importers, sellers, and suppliers, and only regulates controllers. This makes GDPR complicated to apply.
The Cyber Security Act – (EU) No 526/2013
The Cyber Security Act is promulgated by ENISA, the European Union Agency for Cybersecurity. The Act covers Information and Communication Technology (ICT) and, since IoT is classified as one of the ICTs, it applies to IoT as well. The areas covered in this Act mostly relate to the server infrastructure used not only to control IoT devices but also to evaluate their data. The problem with this Act is that it does not bind an IoT device to be secure with respect to the data of the end-user. Under this Act, voluntary certification is enough to cover the security concerns arising on the part of the IoT manufacturer.
2014/53/EU – The Radio Equipment Directive
Article 2(1) No 1 RED states that, because IoT devices are used for radio communication (using Bluetooth and Wi-Fi, for instance), they are radio equipment within the scope of this Directive. More stringent regulations on IoT are to be adopted under this Directive, as Article 3(3)(e) and (f) RED are promulgated, enhancing the security measures.
Overall, there are no binding requirements for IoT manufacturers in any EU legislation as far as the security of IoT is concerned. The good news is that regulators have recognized the urgency of, and the need for, solving this issue. The EU no doubt has the most advanced and up-to-date regulatory framework on IoT. The ePrivacy Regulations are expected to become the next big step in dealing with IoT and are expected to cover important areas of data security, privacy controls, cookies, and confidentiality of communication.