Canada: Lois canadiennes, américaines, britanniques et européennes entourant l'Internet des objets (Video)

Edona Vila

Welcome everyone and thank you for joining us in our emerging webinar series with today's discussion focussed on the developing IoT law across jurisdictions. For today's discussion we're joined by two product liability and product safety lawyers, Rachel Raphael of Crowell & Moring to provide the U.S. perspective and Katie Chandler of Taylor Wessing to provide the U.K. and EU perspectives. I'd like to introduce both panelists formally but I see, or you see, also, on your screen, you'll have their contact information as well. My name is Edona Vila, and I'm a partner in the Toronto office at BLG, focussing on product liability and product safety generally, although most of the time I'm a litigator in relation to product disputes.

But in terms of our panelists today, I did want to say a few words, so you get to know them a little better. Rachel is a Partner at Crowell & Moring where she's a member of the firm's Mass Tort Product and Consumer Litigation and Product Risk Management groups. Rachel advises clients on a range of consumer products' issues with focus on product safety and regulatory compliance. Rachel's practice focuses on a broad spectrum of complex commercial, consumer and retail litigation, including defending class actions and multi-district litigation.

Now I'd like to introduce you, Katie. Katie is a Partner, as I said, at Taylor Wessing. She's based out in London, U.K. She leads the Product Liability and Product Safety team in the U.K. at Taylor Wessing. She's a litigator with broad experience in the technology, life sciences, automotive, consumer and retail, and food and drink sectors. Katie regularly works with clients in the technology sector with a focus on emerging technology such as automated vehicles. That's one connected asset that we have in common, Katie; 3D printing and Internet of Things, that's very apropos for today's discussion.

So just to provide a bit a roadmap of our discussion today, we'll canvass two segments. In the first segment, we'll discuss a little bit the current state of IoT law across jurisdictions in the U.S., U.K., EU and Canada and for the second segment, we'll focus on compliance issues, compliance challenges and best practices for businesses deploying IoT solutions across borders.

So without further ado, we'll start off with our first segment on the current state of IoT law. We'll engage in a level setting, if you will. So perhaps Rachel, we'll start off with you, our neighbours to the south, who are the recipient of much of the Canadian smoke issues right now with the wildfires (laughing). Switching gears in terms of the current state of IoT laws, what's brewing in your jurisdiction?

Rachel Raphael

Sure. So, in the US there are not many policies at the Federal or State level that are focussing on regulation of IoT devices more generally. There are some states that have adopted IoT specific security laws. One of the first adopters of those, frankly not surprising, is California. California's IoT law was enacted at the beginning of 2020 and imposed a security requirement for manufacturers' of connected devices. Requires those devices to be equipped with certain security features, all tailored to the nature and function of the device and the information it collects. And there are also several industry standards out there that provide guidance. You have ASTM, the standard guide for ensuring the safety of connected consumer products which provides guidelines for different things like remote updates or software and firmware, configuration risk and certain cybersecurity controls. You also have an organization called Underwriters' Laboratories here in the US that have an IoT security rating. So it's an evaluation process that rates certain smart products on common attack methodology with various levels of security ratings.

So, you know, despite the kind of relative lack of regulation, there are some industry actors as well as some states that kind of set the floor when it comes to the standard of care here.

Edona Vila

Very helpful. Moving across the Atlantic, we'll go to Katie with sort of the state of play in the U.K. and EU in respect of IoT law generally and specific regulation or legislation around IoT.

Katie Chandler

Sure, so, I mean at the moment, it does still derive from EU law predominantly and post Brexit, you know, there have been some changes and there are some new laws coming which will separate the sort of U.K. regime from the EU regime. But, for the purposes of this, I'll sort of broadly talk about them as, you know, a marriage, still a marriage. This really, it's a hodgepodge of laws and regulations that come from the sort of general umbrella legislation for data protection. So many of the safe processing activities involved in IoT will fall within the space of the general data protection regulation and you know, IoT devices can process personal data, so you know, IoT providers have to ensure that they are complying with those requirements under the GDPR. Cybersecurity is obviously another key feature and there's a whole raft of legislation and EU legislation and that which then is commenced in the U.K. to, you know, try and regulate the cybersecurity risks in relation to IoT products outside the Security Act. Ummm we've got the NIS2 Directive which sets out particular cybersecurity standards and obligations on instant reporting and other particular obligations on digital service providers and then we've got some proposals coming down the pipe for the Cyber Resilience Act which is on the horizon and it's aiming to focus security on hardware and software and particularly the software with digital elements. So we are talking about smart home devices as well. Not entirely clear at the moment when that will come into force but, you know, we're probably looking at the next couple of years.

And then on the sort of product safety side, there has been a very recent development which is the introduction of the new proposed General Product Safety Directive. Now, this is European legislation. Post Brexit it won't be directly applicable in the U.K., but basically it's a re-work of the General Product Safety Regulations which are currently in force to bring it up to date with the digital age and advancements in technology and to expressly refer to and cover those products where a physical product meets a software and connected element to it. The text of the new General Product Safety Directive was approved only a couple of weeks ago and it is now admitted into EU law and will be applicable by the end of next year. And just sort of at a very high level and I know we've got lots to discuss today, it covers those products that are not caught by sector specific products. And so you've got medical devices that fall under the European Legislation of the Medical Devices Regulation, you've got toys that fall under the Toy Safety Regulation, cosmetics, other products. The General Product Safety Regulations and now the new General Product Safety Directive is a sort of over-arching protection in respect of the general consumer product. But why it's interesting, is it has now, you know, sort of grapple with some sort of framework around the safety of IoT products. The Medical Devices Regulation has done that as well and the updates to that in 2021 were to make it clear that any conformity assessment and marketing authorization for a sort of digital health product that was incorporating IoT, was going to fall within that regime and, but as I say, some of the other legislation hasn't quite caught up.

But just really briefly, what the General Product Safety Directive is now expressly providing for is, you know, interconnected products. So where there is a product that is interconnected to other items and then, you know, it falls under this regime and it also seeks to expand aspects of how you assess the general safety of that product. So you would look at the warnings, the labels, the instructions for use. But now this new legislation is specifically including the effects on other products where it's reasonably foreseeable that it will be used in other products. So again this is going to the interconnection point, the effect that other products might have on that product where it's you know, being used or, you know, including sort of, the effect of non-embedded items, what's the effect of cybersecurity features and potential malicious third party risks, what's required to protect the product and it's safety, if there are evolving learning and predictive functionalities, so this is of relevance, to it's AI system. And really importantly, what's the state of the art and technology that is sort of applicable for the opinion in terms of understanding the safety of that product. So a real shift and move towards getting it up to date. And I'll just say very briefly, it's not going to apply in the U.K. because of Brexit. But our product safety, our product of safety standards is conducting its own assessment and review of the current regime because the general understanding and view is that these existing laws are very old and that this particular legislation is 20 years old. We've got product liability legislation that is 35 years old. Doesn't necessarily cover IoTs.

Edona Vila

That's very interesting and a perfect segway into my next question and just briefly for those tuning in and certainly from a Canadian perspective, we don't have IoT specific legislation yet. Very much of us are of a piece meal approach of regulating IoT solutions across Canada, but we do have an interesting development when it comes to AI specific legislation that dissipated to also cause some amendments to our consumer product legislative framework when it does it come into force. It's not anticipated to come into force any time soon. Any time soon being this year, it's just making its way through our federal system right now. I think its just passed second reading and so it will be interesting to see in terms how we move in our jurisdiction, but certainly our AI regulatory framework is anticipated to impact those IoT solutions that are AI empowered, and have those AI features through them. In terms of positioning it seems like we are positioned at least for the proposed AI regulatory scheme, somewhere in between where the EU is and where some U.S. States are. very much how Canada moves in this space, so perhaps not completely surprising. So just tagging along in terms of the next piece, Katie you touched on this, so maybe I'll switch gears with U.S. perspective with Rachel, but is there a gap, Rachel, in the current regulatory framework in the U.S. in regulating IoT and if so, how is it being addressed?

Rachel Raphael

Sure and I'll say, you know that I'm obviously speaking given my background from the interconnective products' product safety lense, when I talk about this and that kind of informed my prior answer which you know, was the point that like Canada I think it's really been left up to the States thus far and it's a bit of a patch work. So given the lack of some kind of uniform regulation there are some gaps to fill. I do think that IoT products and the risk associated with those products are certainly on the radar of many U.S. regulatory agencies and that includes the Consumer Product Safety Commission and the Federal Trade Commission, the National Highway Traffic Safety Administration and the FTC in the U.S. remains, kind of the nation's lead data security and private enforcer at the federal level, and its view of those issues has significant ramifications for the companies that make, distribute and sell internet connective products but companies are kind of largely left to cobble together much of the guidance by looking at what States have done and looking at you know, past enforcement actions for example. I think we are slowly working towards something that is considered universally acceptable and that's where kind of filling in the gap fits in. Very recently in April, guidance was published by the Cybersecurity and Infrastructure Security Agency along with FBI, NSA and other cybersecurity authorities around the world that are a step in that direction. This guidance is called shifting the balance of cybersecurity risk and it's the first of its kind. It outlines several core principles to guide software manufacturers when they are building software security into their design processes prior to developing, configuring and shipping their products. I think historically it's often been kind of thought on as an add on or an after thought and the idea of this guidance is to make integral, kind of an each stage of the development process. And there are a couple of core principles that I will just mention briefly. The first is kind of taking ownership of the security outcome. So you know, security should be the baseline, is the idea, and products should automatically enable the most important security controls that are needed to protect, you know the product, the information that they collect, etc. from kind of malicious cyber actors. Another principle has to do with embracing transparency and accountability and also building the right organizational structure even from the executive level on down, that prioritizes software security as a critical element of product development. And then as mentioned kind of the theme of the guide codes that this new guidance sets out is integrating security as early as possible into that design process for IoT connected products.

Edona Vila

Thanks Rachel, and Katie I know you touched briefly on this but what are you seeing in terms of gaps in your jurisdictions. I appreciate you covering the EU perspective as well, and whether it is ... are you seeing sort of a more siloed approached to regulating different types of connected assets in terms of what's, what's currently circling?

Katie Chandler

So EU is pretty, well it's moving pretty fast, I would say and the U.K. is slower. In terms of the gap, there is, I'm just leaving data protection aside and potentially cybersecurity there's quite a lot coming down the pipe on that. But like the liability framework is where there has been real gap and the uncertainty that comes with whether or not they can see the safety laws as they currently stood applies to IoTs and you know what sort of liability regime would they fall within, because of course, the question of liability are complex. You know there's the risk of third-party involvement, who can hack and access the IoT and cause a problem which might lead to harm. There's the design defects and design security flaws that Rachel was just discussing and there's also potentially what the customer and user might do that might lead to any sorts of damage and or any sort of failure and of course you know the updates that the software developers provide of course. So all of these sort of questions of liability really haven't been dealt with and whilst the general product safety directive that I mentioned goes some way to addressing the sort of safety regime, the liability regime is still very much unclear and the product liability directive which is the EU legislation and is implemented in or locally among the member states and in the U.K. is implemented under the Consumer Protection Act and does not necessarily, as it currently stands and it's five years old, cover IoTs because the IoTs are, they are not mutable tangible goods, so you've got IoTs that are ecosystems, that you know have got a lot of range of elements and you know some embedded into hardware, some not. So the big question around software and what the software falls within the existing product liability regime, has been one that has been debated heavily. But just very briefly, being conscious time, what has happened in the EU is that they are taking this very centralized approach to the liability framework for IoTs, for AI integrated systems and looking ahead for whatever the future may hold in relation to advanced technologies. They have currently going through the European parliament is the AI Act and I won't talk about that in detail today because we are focusing on IoTs, but there's the AI Act, there's the AI liability and directive which is being proposed which is the first of its kind and then there is a entirely new draft of the Product Liability Directive. That will not apply to the U.K. post-Brexit but it's very important for any company who is placing products in the EU market, its currently going through the European parliament for debate, and there might be some changes, but the general mood is that it will probably stay as proposed in the draft, by and large ... there might be some amendments, but that could come into place as soon as sort of the next 18 months to 2 years, but getting the crux of why that's important is that that's a strict liability regime so a consumer who suffers harm from a product, doesn't have to establish faults or negligence on the parts of the manufacturer or, now in the new case, in the new draft, the software developer or other third party that has been involved in the design of the product, and they just need to establish that it was defective and some key changes that the new PLD by way of update, are bringing in, will put IoTs and tech and companies firmly into the scope of that strict liability regime. Digital products are going to be, you know now in scope by way of widened definition of product, so software will be caught and it's defined and includes embedded or standalone, it includes AI systems, digital manufacturing, like 3D printing, digital services such as navigation services in autonomous vehicles for example. So that's going to be proposed because the definition of products is going to be widened to some real extent. The expanding definition of what damage is covered is really relevant as well because at the moment, you're liable if your defective product causes death or personal injury. The proposed amendments are suggesting that that should be widened to include losses that arise after the loss or corruption of data. Personal injury could also include some sort of psychological health, some sort of impact that it might have had on your mental health, and that sort of brings into debate some interesting questions around children's products, for example, where you've got a connected toy device of some sort or something where there is some element of loss of data that also causes some sort of physical health impact. And there's a massive question mark as to whether or not that's going to cross over with the GDPR and what really is this regime going to look like, which route is this regime is going to take. And then finally there's a new definition of "defectiveness" which is going to firmly bring in an assessment of whether complex systems like IoT devices were safe as a consumer was entitled to expect. It's an objective sort of safety test at the moment but it's really challenging in the context of IoT's because the consumers do not know much about the software behind the IoT's. It's really difficult to decide whether there are devices functioning properly and these can sometimes act autonomously, make it really hard to describe what sort of level of safety is that should be expected. And then because of all these difficulties with trying to establish for the consumer to bring their claim, because we're talking about complex products, they are suggesting a radical change, and this is quite significant for European clients and European companies because they don't have the regime of disclosure and discovery like we do in the U.K. and the U.S. There's going to be an obligation on manufacturers to give disclosure of some documents around the solutions and potentially trade secrets, confidential information that they will have to be protected for in some way, but the legislation is currently drafted. It's not at all clear on that, but this is, in a way it's a really important questions about the party data, other sort of potential data that's embedded in the IoT, so that is a real change and that's really sort of caused a lot of debate from stakeholders, so it's a bit of watch this space on that, but the liability framework which is being developed by the EU and the European Commission is really sort of moving at some pace so everybody who have products that they market in the EU market should be well aware of those.

Edona Vila

That's fascinating in terms of comparing different jurisdictions because for our next segment, we'd really like to focus on really these compliance challenges for certainly companies that have products that pass borders and in this particular regulatory framework and developing liability frameworks, what's your... we'll go to Rachel first. Rachel, what are the top sort of, maybe I wonder if you can combine both sort of the challenges but also the best practices in terms of how to best solve for those challenges for companies that operate across various borders?

Rachel Raphael

Of course, of course. So I guess being consistent with what I've spoken about today. You know, the biggest challenge for companies really is where to look. Right? We have some developing standards out there related to IoT products, its the one I've just described but there are, really the lack of anything that's considered universally acceptable, is I think the biggest challenge and it leaves companies guessing a little bit as to the best path forward and it presents a unique risk, particularly, in my mind, as a litigator, for product liability base claims that are probably next on the list. For those that are premised on some violation of a duty or the inability to satisfy some standard of care, not knowing what that standard of care is, presents some really unique problems for companies. And we're seeing some real indications coming out of some of our sources of guidance like the recent FTC enforcement, that agencies are serious about putting the onus on the actor who's in the best possible position to ensure the safety of these devices. And kind of in the same spirit as the recent guidance that I mentioned earlier, these themes of transparency and accountability and structuring your organization around prioritizing security in your products. You have the FTC holding executives of companies, kind of individually and personally responsible for failure to implement certain security practices. Requiring them to comply with certain obligations whether they stay at that company where there was that data breach or not. One helpful example, is not in a IoT specific context, but in October, FTC took action against an online alcohol marketplace called Drizly and its CEO for violations of the FTC Act that prohibits unfair deceptive practices because the allegation was that the company was making false statements about certain practices when it actually had inadequate security that has led to prior data breaches. And what was really unique about this recent enforcement action was that Mr. Rellas, the CEO, is being named personally, and it alleged that he was responsible because he was the one who could have implemented or delegated the responsibility to implement security practices and he failed to do so. He didn't hire anyone at a senior level to kind of implement these steps. And so the FTC proposed in its order, the order would require not just the company to implement and maintain security programs but actually for Mr. Rellas personally to do that, and these obligations would travel with him even if he left Drizly which I thought was really interesting. So it's clear that this is a priority and the idea being of who's best situated, that's who should bear the brunt of the liability and the obligation to kind of bring products into this next generation and secure them. Again, the vulnerability that we now face in this evolving environment, and I'll just say really briefly because I know we're really short on time, but in terms of best practices to solve these challenges, I think there are a number of ways that companies can try and stay one step ahead in what really is kind of a constantly evolving environment, both in terms of the technologies and the products that are being developed, and in terms of the regulatory landscape. But it has to do with, first it's your compliance and litigation readiness effort, it's enhancing compliance programs to account for kind of evolving product liability. There really is a potential for more product liability lawsuits. We haven't seen a lot of that in the US, and everyone from the in house legal team to the folks who design the products need to know from a design perspective what the potential failure modes are to products and be able to show that the company went through those issues prior to launching. And the legal department also needs to stay in the loop about product design and maintenance decisions because it's working together that the company, kind of more holistically can try and ensure that safety and liability issues are understood and then if possible, dealt with. I think adapting written information security policies that incorporate IoT products are incredibly important. Taking advantage of the technology, everyone from the legal team to your engineer should understand exactly how these products collect and disseminate data. Be prepared. Have an internet response plan that spells out exactly what folks should do and train your employees as to how to carry that out. Keep learning. So companies should be playing devil's advocate, putting themselves in the bad actor's shoes. Who would be interested in that? What would they be looking for? And just better understand the risks that you face. And also learn from experience of others, your peers. Maybe take a little pleasure at others' misery but try and keep up, right, with other breaches that are publicized and learn from what went wrong there, even if you haven't ... if you've been lucky so far. It's frankly only a matter of time in some circumstances.

Edona Vila

Thanks Rachel, because that summarizes what I would say from a Canadian perspective. Katie, any parting thoughts in 30 seconds or less?

Katie Chandler

Yeah, I would really agree with all of that and it's also highly relevant to EU and U.K. as well. Yes, its just I think simply ... I mean warnings and IFU's and just thinking about your labelling and all of that, it's just the difficulty is obviously in making sure that it's consistent to meet regulations and standards across the different jurisdictions if you are a global product, fine and your product is being placed in different jurisdictions. There are different levels and as you've seen the EU has got some quite stringent regulation now that may affect some of your IFU's and instructions and warnings.

Edona Vila

Thank you both of you. I really enjoyed our discussion today. I think we could go longer. Thank you to everyone joining us today and the BLG crew for facilitating this third webinar series. For those of you that have missed the AI and the Metaverse webinars, let us know, we'll make sure you get the recordings. And sorry we didn't have time to address questions but if you have any, feel free to reach out. Thank you all, have a great day.

Katie Chandler

Bye.

Edona Vila

Bye-bye.