Germany: How data and IT security is regulated within IoT
Given the volume and variety of new Internet of Things ('IoT') devices being produced, the cyber threat landscape and the risks to end users' privacy grow in equal measure. There is debate as to how to ensure that high standards of IT security are maintained in IoT devices: via binding regulation, or through softer industry standards that entities are expected to comply with. Dr Nils Rauer, Partner at Pinsent Masons, delves into this debate by looking at how regulation and industry standards are applied to IoT in Germany and at EU level.
It is common ground that in Germany, as in many other countries, smart home devices are steadily making their way into households. Fridges, televisions, lighting systems, thermostats and even barbecues are becoming connected devices. IoT is already a reality.
As a preliminary remark, one has to note that there are various levels of connectivity. Whilst a number of electronic devices come with an accompanying app (shavers, electric toothbrushes, etc.) that lets the consumer collect, store and analyse their own usage data, other devices focus on interactive communication with each other (e.g. lighting or security applications). In that respect the term IoT is ambiguous: people mean different things when they use it. We understand IoT as a device featuring a technical function that allows for the exchange of data by means of electronic communication. Whether that communication happens autonomously or whether the user must trigger the exchange of data is irrelevant for our purpose. Equally, we speak of IoT regardless of the quantity, quality or nature of the data communicated. An IoT device may collect, store and share purely machine-generated statistical data or personal data. The regulatory regime to be adhered to may well differ, but the device still falls within the category of IoT.
Two general observations should be added upfront. Firstly, connected devices all require a digital network to plug into. Ideally there is steady over-the-air connectivity allowing for a constant exchange of data. However, there are also situations where devices need to be docked in a base station or otherwise read out manually in order to allow access to the stored data. Secondly, IoT and cybersecurity are, and have to be, two sides of the same coin. The economic benefits, as well as the convenience, of digital connectivity can only prevail if IoT is grounded on an adequate level of IT and data security. Otherwise, the respective devices and services will lack the necessary level of confidence amongst consumers and enterprises. A good example of this is the well-known botnet malware 'Mirai', which has been keeping the IoT industry busy since 2016; it spread by logging into consumer devices over the network with factory-default user names and passwords, precisely the kind of inadequacy that the standards discussed below set out to eliminate.
The status quo of statutory regulation
IoT triggers manifold regulatory questions, and various areas of law are affected. Still, when screening the legislative landscape and taking stock of what has been done so far in terms of building a regulatory framework for IoT, one has to note that little has been enacted. In September 2018, the US State of California adopted a so-called 'Internet of Things Cybersecurity Act'1. In Europe, the UK Department for Digital, Culture, Media and Sport recently consulted on regulatory proposals on consumer IoT security2. So far, the UK has only a voluntary Code of Practice in place.
Legislators commonly struggle to keep pace with technical developments. Often the initial question to be answered is whether new laws are actually required or whether existing provisions can be interpreted in a way that offers legal solutions for emerging technologies. Germany seems to follow the latter route for the time being: no new IoT law has been enacted yet. However, looking only at the legislative side would fall short of the full picture. There is guidance on how IoT ought to be implemented.
A closer look at Germany
Regarding Germany, one first has to distinguish between mandatory statutory law and approaches that rest on voluntary compliance with codified guidelines developed by private bodies. Both can lead to a level playing field, and both can provide a fair amount of legal certainty and security. However, the latter requires sufficient acceptance by the market players, whereas statute is binding by its very nature.
Two relevant areas that have received comprehensive regulation are data privacy and IT security. In both we see detailed statutory guidance. With regard to collecting and using personal data, which is often the case with consumer IoT devices (e.g. location data), the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') applies, along with the national data protection rules. Basically, any processing of personal data requires an adequate legal basis in accordance with Article 6(1) of the GDPR. Depending on the industry sector, there may be additional sector-specific rules to be adhered to (e.g. in the telecommunications sector).
The legal basis most commonly available to IoT service providers will be either the performance of a contract (the service agreement) or the data subject's consent. If neither is an option, the collection and analysis of data should be limited to purely statistical data, which keeps the processing outside the scope of privacy law. Note that this only holds if the data is genuinely anonymous: merely pseudonymised data (e.g. telemetry keyed to a device serial number that the operator can link back to a customer) is still personal data under the GDPR.
The German IT Security Act 20153 has a clear focus on telecommunications and media companies, as well as operators of so-called 'critical infrastructure'. Such infrastructure includes the provision of energy, information technology, telecommunications, health and water. Any such operator is obliged to take effective, state-of-the-art measures to prevent IT security incidents and to report significant disruptions to the Federal Office for Information Security ('BSI'), which is the competent supervisory authority. Operators must prove to the BSI at least every two years that they comply with the state of the art in IT security.
The IT Security Act 2015 is currently under review. A first draft of an IT Security Act 2.0 was published on 27 March 20194. Inter alia, the BSI's competences and powers would be extended. For instance, the BSI would be allowed to probe insecure devices (IoT is explicitly mentioned) by means of port scans and sinkholes, i.e. to actively detect exposed network services and to capture and observe the traffic of compromised devices. In practice, this will increase the exposure for inadequacies such as the continued use of outdated software or the acceptance of weak passwords.
Since 1994 the BSI has published the IT-Grundschutz catalogue5, a regularly updated body of over 1,600 recommendations and best practices on how to secure IT infrastructure (continued since 2017 as the IT-Grundschutz-Kompendium). Upon demonstrating compliance with it, enterprises may obtain certification under BSI Standards 200-1 to 200-3. One of the modules relates explicitly to IoT devices. Even though it is not legally binding, the Grundschutz catalogue has gained considerable relevance, since a number of statutory provisions refer to its content and thresholds.
Moreover, in May 2019 the German Institute for Standardization (DIN) published a new specification called 'Information Technology - IoT capable devices - Minimum requirements for Information security' ('DIN SPEC 27072'). The advantage of this vehicle of standardisation is that a DIN SPEC, a kind of pre-standard, can be adopted in a fairly short period of time. It also allows for continued adjustment to mirror future technical development in the sector.
The scope of DIN SPEC 27072 is limited to IT security in consumer IoT (e.g. a smart home infrastructure). Accordingly, it does not cover the entirety of IoT-related aspects. For instance, communication channelled through an app that the IoT operator offers is not subject to DIN SPEC 27072. By contrast, the IoT device as such is governed throughout its entire lifecycle (delivery, use and decommissioning). Moreover, the provisions are quite detailed. The requirement to change the default password on first use, the authentication requirements and the dedicated update mechanism are only examples of the in-depth standardisation we see.
The BSI has already indicated that it will soon offer certification under DIN SPEC 27072. The BSI President, Arne Schönbohm, also mentioned that DIN SPEC 27072 is likely to be transposed into a European standard at some point6.
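What the first two of those requirements (a forced change of the default password on first use, and proper authentication) look like in device logic, as an added illustration that is not taken from DIN SPEC 27072, from the BSI or from this article: a minimal provisioning gate that refuses every operation until the factory default credential has been replaced, rejects a replacement that is too short or equals the default, stores only a salted PBKDF2 hash, and compares credentials in constant time. The class and function names, the default credential, the minimum length and the iteration count are assumptions made for the example; the walk-through at the end uses constructed sample input.

```python
import hashlib
import hmac
import os

# Constructed example values (assumptions for this demo). A real device would
# use a per-unit default printed on the label, not a shared one.
FACTORY_DEFAULT_USER = "admin"
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LENGTH = 12      # assumed policy value
PBKDF2_ITERATIONS = 100_000   # assumed policy value


class SetupRequired(Exception):
    """Request arrived before the factory default credential was replaced."""


class AuthFailed(Exception):
    """Wrong user name or password."""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class DeviceAdmin:
    """Minimal model of the management interface of a consumer IoT device.

    State is the stored credential (salt + hash) and a flag recording whether
    the factory default has been replaced. Until it has, the only operation
    the device accepts is change_password().
    """

    def __init__(self) -> None:
        self._salt = os.urandom(16)
        self._user = FACTORY_DEFAULT_USER
        self._hash = _hash_password(FACTORY_DEFAULT_PASSWORD, self._salt)
        self.setup_complete = False

    def _check_credentials(self, user: str, password: str) -> None:
        # Always derive the hash and compare in constant time, so a wrong user
        # name and a wrong password take the same time and leak nothing.
        candidate = _hash_password(password, self._salt)
        user_ok = hmac.compare_digest(user.encode(), self._user.encode())
        pass_ok = hmac.compare_digest(candidate, self._hash)
        if not (user_ok and pass_ok):
            raise AuthFailed("invalid credentials")

    def change_password(self, user: str, old_password: str, new_password: str) -> None:
        self._check_credentials(user, old_password)
        if len(new_password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
        if new_password == FACTORY_DEFAULT_PASSWORD:
            raise ValueError("factory default password may not be reused")
        # Fresh salt on every change so equal passwords never share a hash.
        self._salt = os.urandom(16)
        self._hash = _hash_password(new_password, self._salt)
        self.setup_complete = True

    def request(self, user: str, password: str, operation: str) -> str:
        """Dispatch an authenticated request; everything is gated on setup."""
        if not self.setup_complete:
            raise SetupRequired("change the default password before using the device")
        self._check_credentials(user, password)
        return f"ok: {operation}"


def walk_through() -> dict:
    """Exercise the gate end to end; returns what the device answered per step."""
    dev = DeviceAdmin()
    out = {}

    def attempt(key, fn, *args):
        try:
            out[key] = fn(*args)
        except (SetupRequired, AuthFailed, ValueError) as exc:
            out[key] = type(exc).__name__

    attempt("status_before_setup", dev.request, "admin", "admin", "get_status")
    attempt("reuse_default", dev.change_password, "admin", "admin", "admin")
    attempt("too_short", dev.change_password, "admin", "admin", "short1")
    attempt("wrong_old", dev.change_password, "admin", "wrong", "correct horse battery staple")
    attempt("set_new", dev.change_password, "admin", "admin", "correct horse battery staple")
    attempt("status_after_setup", dev.request, "admin", "correct horse battery staple", "get_status")
    attempt("old_default_after_setup", dev.request, "admin", "admin", "get_status")
    return out


if __name__ == "__main__":
    for step, answer in walk_through().items():
        print(f"{step}: {answer}")
```

The point of the gate is ordering: the device checks the setup flag before it checks credentials, so even a correct factory-default login cannot reach any function other than the password change, and once setup is complete the default credential is simply a wrong password. Rate limiting of failed attempts and a per-unit default credential, both of which a real device would also need, are left out to keep the example short.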
What is happening at the European level?
In May 2015, the European Commission, as part of the Digital Single Market Strategy, proposed 'to define missing technological standards that are essential for supporting the digitisation of our industrial and services sectors'7. In this context, reference was made to a number of IoT-related aspects, several of which have since been taken up in various fora.
Like Germany, the EU seems to prefer standardisation over new mandatory IoT laws. In particular, in February 2019 the European Telecommunications Standards Institute ('ETSI') published the specification ETSI TS 103 645 on 'Cyber Security for Consumer Internet of Things' (since adopted as the European standard ETSI EN 303 645). Just like DIN SPEC 27072, this ETSI standard is limited to consumer devices, and its first three provisions (no universal default passwords, a means to manage vulnerability reports, and keeping software updated) map closely onto the DIN SPEC requirements mentioned above.
Moreover, on 12 March 2019 the European Parliament adopted its legislative resolution on the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Network and Information Security, the 'EU Cybersecurity Agency', and Repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification8 ('the Draft Cybersecurity Act'); it has since been adopted as Regulation (EU) 2019/881. In essence, the Cybersecurity Act introduces a voluntary EU-wide certification framework for ICT products, services and processes, including IoT. This framework provides for three assurance levels ('basic', 'substantial' and 'high'). The minimum requirements include, for example, secure out-of-the-box configuration and secure updates.
Finally, the EU is currently finalising the proposed Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) ('the Draft ePrivacy Regulation')9. The Directive it replaces covered electronic communications in the sense of emails and text messages. The scope of the Draft ePrivacy Regulation, however, is to be extended to machine-to-machine communication. Thus it will apply to IoT irrespective of whether consumers or other humans are involved. Since the Draft ePrivacy Regulation covers personal as well as non-personal data, its scope goes further than that of the GDPR.
Not all technical development automatically triggers the need for new legislation. National legislators, as well as the EU, need to apply a balanced approach and diligently assess whether existing statutory provisions can provide adequate legal certainty. With regard to IoT, this process has not yet been completed, partly because of the great diversity of connected devices that fall within the scope of IoT. However, it may be anticipated that new IoT laws will be enacted over time.
Starting with technical standards seems a sensible approach to regulating IoT. Security aspects in particular can be dealt with by setting the right standards. However, purely legal aspects such as liability or ownership of data require legislation. Therefore, standardisation and legislation must go hand in hand.
Dr Nils Rauer Partner
Pinsent Masons, Frankfurt
1. California Civil Code, Sections 1798.91.04 to 1798.91.06 (added by Senate Bill 327, 2018).
2. Available at: https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security
3. Available (only in German) at: https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&start=//*%5B%40attr_id=%27bgbl115s1324.pdf%27%5D#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl115s1324.pdf%27%5D__1560284036659
4. Available (only in German) at: http://intrapol.org/wp-content/uploads/2019/04/IT-Sicherheitsgesetz-2.0-_-IT-SiG-2.0.pdf
5. Available for download (in German and English) at: https://www.bsi.bund.de/EN/Topics/ITGrundschutz/ITGrundschutzCatalogues/itgrundschutzcatalogues_node.html
6. Press release available (only in German) at: https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Basissicherheit-Smart-Home-060519.html
7. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Digital Single Market Strategy for Europe, COM(2015) 192 final, p15, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2015%3A192%3AFIN
8. Press release available at: https://ec.europa.eu/digital-single-market/en/news/cybersecurity-act-strengthens-europes-cybersecurity
9. Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM/2017/010 final – 2017/03 (COD), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52017PC0010