The Internet of Things (IoT) is a revolution for the business of companies with massive potentials, but such change reveals legal risks never experienced by many of them.
The comment from the former CEO of Nokia during the press release of announcement of the acquisition of their smartphone division by Microsoft is very interesting. He said:
“We didn’t do anything wrong, but somehow, we lost…“
Nokia was one of the largest manufacturers of mobile phones in the past. In the 3rd quarter of 2007 almost half of mobile phones worldwide were Nokia phones. However in the 3rd quarter of 2012, Nokia’s market share had dramatically dropped to slightly more than 3%. The decline of the company was not due to mistakes by its management. But the world had changed too quickly, while Nokia had not been able to keep up with it. Therefore not only had it lost revenues, but also the opportunity to survive…
The new models of business of the IoT
The same type of change is now happening with the Internet of Things (IoT). For instance Pirelli and Michelin are embedding their tyres with sensors able to collect data about vehicle performance and road conditions. Such data is then conveyed to the driver as well as to the car’s electronics, helping to improve safety and efficiency.
The data collected through the tyres enabled such companies to introduce the concept of
tyres as a service
Up until yesterday, the relationship with our tyres dealer was “one-off” every 4/5 years, while now customers can enter into a long term contract in which not only the price is turned into a periodic fee, but also a number of value added services are provided as consideration for the required fee.
Such value added services are possible because of the information collected about the performance of the tyres as well as the driver, his habits, his style of driving, the places where he more frequently goes etc..
A business that from its creation had never known anything about its customers, all of sudden can start to receive a huge amount of personal data about them with associated privacy related obligations and potential liabilities.
And the timing of this shift could not be “worse”…
The EU Data Protection Regulation has just been adopted. The Regulation will not only add a considerable load of new privacy obligations, but also increase the applicable fines which will become up to 4% of the global turnover of the breaching entity. This is a historical change if it is considered that one of the largest fines issued in the European Union for privacy breaches was of € 1 million issued in Italy against Google for the data collected through their Street View service.
And this is not an issue only for companies based in the European union. Wherever the business is based, it shall comply with European data protection law if it offers its services to people located in Europe or monitors their behavior by means for instance of cookies and fingerprinting.
The so called “privacy by design” and “security by design” are not only obligations, but are the sole current tools available to limit potential liabilities. However, the exact scope of these obligations and of a large part of the obligations imposed by the Regulation shall be “negotiated” with privacy authorities to find solutions able to ensure privacy compliance preserving at the same time the potentials of businesses.
The IoT is not only about privacy…
Cyber security risks are amplified with Internet of Things technologies. The connected cars hacked last year in the US show the size of the risk, and the risk exposure will further increase with sensors able to communicate with other devices, detect items and trigger automatic actions. There were 48.8 million cyber-attacks in 2014 and such figures will exponentially increase with the adoption of IoT technologies.
The occurrance of a cyber-attack is not a question of if, but of when…
Companies need to get ready adopting adequate internal policies and liability protections in order to be able to minimize the risk of occurrence of cyber-attacks and being able to react at a cyber-attack reducing the potential liabilities in case of their occurrence.
These are among the topics that we will discuss at the even of IoTItaly on the 31st of May 2016, you can register to the event HERE.