European Union: IoT In The EU: Lessons From COVID-19, And Next Steps For Liability And Regulation

The IoT sector has exploded over the past few years, and, even taking into account the globally inhibitive effects of COVID-19, this growth shows few long-term signs of abating. The buoyant, fast-paced IoT industry was the subject of a webinar, involving a panel of four partners from Hogan Lovells: Valerie Kenyon, Christelle Coslin, Matthias Schweiger, and Salomé Cisnal de Ugarte. Each gave their take on the state of play of IoT across the EU and explored the liability issues that potentially are coming down the line for IoT products.

In this article, we follow up on that webinar by setting out some of the key discussion points from the session. You can find a link to the recording of the webinar here.

The impact of COVID-19 on the IoT space

While the IoT industry has grown year-on-year with impressive regularity, 2020 research suggested that a combination of COVID-related factors (including supply chain disruptions and manufacturing issues, as well as consumer and business needs changing in the short term) could instigate a decrease in the net addition of IoT devices in the short term. For example, it was estimated that IoT in the automotive sector could be especially impacted, as well as people refreshing their mobile devices less frequently due to economic uncertainties and job losses.

Encouragingly, however, we've seen many companies in the IoT space, particularly those in the life sciences sector, embracing their role in the fight against COVID-19. The issues arising from the health crisis have been a real innovation trigger for the IoT space, both with respect to new products being created in direct response to the pandemic and for existing products where usage and growth has increased.

Telehealth has moved more into focus. Since the crisis, a considerable number of doctors have integrated telehealth into their regular practice; for example, online video consultations being offered through different apps or platforms. The COVID-19 pandemic has given a boost to the digitalization of the healthcare system, which can only be for the benefit of patients. It is expected that telehealth will experience a long-term growth through COVID-19.

From a general perspective, in terms of non-COVID-related IoT products, most expect a bounce back to anticipated levels of supply and demand. A surge in demand, even, seems likely as our homes and lives become even more connected in response to the ongoing amount of social distancing we need to live with, at least in the short to medium term.

IoT in the time of COVID and beyond - An increased risk of litigation or regulatory action?

As a consequence of the pandemic, a significant number of products have come to market very quickly. Companies have been producing products they've never produced before - given the exigency of the situation and the resulting necessary speed of development, it's possible that product standards bodies and regulators have experienced difficulties in keeping pace. Looking at one industry sector, the life sciences space is a particularly highly regulated environment. Digital health products must meet stringent product safety criteria, as well as data privacy and security requirements. Data issues can be both a safety and a privacy risk. Product compliance and safety is critical, and many features need to exist by design.

In general, it is likely that we will see an increase in litigation relating to IoT products: product liability issues, data litigation, cyber litigation, and issues relating to ethics. With the exponential growth of the IoT space comes a number of questions around liability that still are yet to be answered, not least: who should be liable? Should apps be covered within strict liability regimes for product liability? To what extent are we ready for connected devices to use our data to improve our lives?

IoT companies also need to pay particular attention to designing products in a way that does not restrict competition on the market. The European Commission has IoT in its sights from a competition perspective. It recently launched an antitrust sector inquiry, having reached out to more than 400 companies active in the sector, and requested information as to the way IoT products are designed, how they operate and interact with other products, and how they are sold on the market. Should the inquiry lead to the identification of specific competition concerns, further investigations may be opened by the Commission.

Data - the critical overlap between product liability and cybersecurity

We have already seen examples of connected devices being classed by the EU as presenting a "serious" risk, as a result of privacy-related issues. If a given device has vulnerabilities in how it communicates, for example, it opens up the possibility that a malicious actor could obtain unauthenticated access to the user's data, such as their location history and saved phone numbers. Given that a number of IoT devices are being marketed to children, this could present a very serious risk to safety.

All product manufacturers face potential liability from a number of corners. Manufacturers of consumer IoT face potential dual liability - under privacy and products law - as well as regulatory scrutiny under the two regimes if something goes wrong with their product.

As more devices become connected - from smart watches, to smart speakers, and device trackers - the risk of cyber-attacks by malicious actors increases. Data security and privacy considerations should be front and centre for any product launches in the IoT space.

What can clients do to plan and avert risk?

• Develop a plan for engagement with regulators. Regulators have been inundated with a significantly higher than normal number of queries. Where you are planning the launch of a product, particularly one that is heavily regulated, identify your key markets and consider the merits of early engagement with relevant bodies (potentially on a no-names basis) to identify the varying policy and legislative priorities now and in the pipeline.
• In the life sciences space, patient safety is of course of the essence but the storage and use of health data also has its implications. Safety and privacy by design should be very high on the to-do-list when engaging with IoT devices.
• New guidance on data processes and transfers is always around the corner, particularly for IoT devices which represent new use cases. Monitor how this evolving soft or hard law can affect the products you manufacture and the use of users' data.
• Many of our consumer devices today are on the border of lifestyle and medical device products. Give close attention to the regulatory and products law regime that is governing your product.
• For those IoT companies affected by the Commission's sector inquiry into the effects of the IoT industry on competition, careful strategic consideration will be required around their behaviour. IoT companies should prepare for competition law enforcement in this area, even while the Commission is gathering more information and learning more about this sector. Accordingly, competition by design, as we say in antitrust circles, will be key.
• Even in the rush to cure a global pandemic, be mindful of getting the basics right: planning and anticipating risks, but also keeping the right track records to document what your company has done and (importantly) why. The regulatory environment is changing fast and what you do and decide today might be challenged down the road.

Originally published 12 February 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.