This article is written by Jyotiranja Mallick, pursuing a Diploma in Cyber Law, Fintech Regulations, and Technology Contracts from Lawsikho.com.

Introduction

On 21 April 2021, the UK Government published its response to last year’s call for views on the cybersecurity of consumer smart devices and announced its intention to introduce new legislation to regulate the security of consumer smart devices, including phones, televisions, speakers, toys, wearables, doorbells and other consumer internet of things (IOT) devices. The draft legislation hasn’t been published yet but the initial announcement has been made with the intent to give a gap period for the businesses operating in the field of smart devices to transition towards the compliances. The law would also mandate the businesses of smart devices and the Internet of Things(“IOT”) to ensure that no unreliable/insecure products are there in the jurisdiction of the UK. This has been a major development in the data protection regime of the UK post-Brexit and the Code of Practice for Consumer IOT Security released by the Department of the Digital Media, Culture, and Sports of the United Kingdom. 

The implementation of the UK law paves the new era of digital security considering the serious security lapses that the consumer might face with the increasing reach of products connected to the IOT. The Government notes that, based on some forecasts, by 2025 there will be 75 billion internet-connected devices worldwide and 10-15 devices per UK household. The EU General Data Protection Regulation (GDPR) mandates the implementation of data protection by design and default. The UK government’s legislation would thus, be facilitating this aspect of legislation by assuring a minimum level of securities for consumers. 

What are smart devices and IOT?

One of the crucial digital concepts that has emerged over the years with the introduction of smart devices is the IOT. The IOT represents the net revolutionary technology which has the similar disruptive characteristics to the Blockchain, in that it represents a massive opportunity in analysing and distributing the data through sophisticated connection of devices. The connection over a massive network system would enable mass synchrony and can help in achievement of tasks in shorter time. The prime example of IOT based smart devices are smart watches, smart speakers such as Nest by Google and Alexa by Amazon. This is the reason behind framing a uniform legislation being initiated by the UK to streamline its progress. In its essence, the IOT is a general term that represents a cohort of networks connected via the internet and each of them being embedded in technology. With the advent of the IOT various objects that we see on an everyday basis can be connected to each other via the internet including home devices, vehicles, manufacturing devices, light bulbs, computers, tech systems etc. In the upper technicalities the IOT finds its application in machine to machine (M2M) technology which enables devices of the same type to communicate and in mobile connections where data can be transmitted via Internet Protocol networks.

Growing importance of IOT and smart devices

Over the years the IOT application has accelerated over years which has been compounded by wide access to the internet and increasing connectivity to the network system. Wi-Fi and broadband connectivity are now much more widely available which allows efficient management of data transfer. It has been predicted that there would be exponential growth of internet users which would compound the growth of smart device applications. The increased advancement of sensor technologies would catapult the growth as lower costs, would make it cheap enough to deploy in any remote location and pre installed in any devices. One of the prime contributions is made by the growing sector of smartphone devices which has a strong foothold of 5.6 billion people connected to smartphone ownership in 2019-20. This is pegged to increase by a billion more units within the next five years. Technology intelligence firm IDC predicts that in 2015, more than $1.7 trillion will be spent on the Internet of Things industry, up 15% by 2025.

What are the issues and challenges associated with the applicability of IOT-Smart devices?

The applicability of IOT Smart devices similar to any technology has its own challenges and issues in its application. These challenges are being addressed by the UK legislation utilised to implement data security of the individuals. The rapid advancement of smart devices would result in more complications in having difficulty understanding and operate such devices. This would make such consumers prone to cyber-attacks and mishandlings. For example, Google’s smart home system NEST was one of the first household systems that had serious problems in terms of the application of its thermostats. This raises the issue of imposition of liability in terms of service default, as the final product of smart devices has a complex system of operators. The smart devices are operated by a number of stakeholders such as the ISP, the hardware operator, a manufacturing company, etc. This raises major questions for how consumers, or regulatory authorities, can work out what has gone wrong, who is accountable, and how to put it right.

The sheer amount of the data that would be aggregated and collected by smart device operators poses a serious challenge in terms of the protection of data privacy and security. With the implementation of the GDPR strong data protection mandates have been imposed in the EU-UK region, however, the risk is still viable which depends upon the applicability of strong legislation in the area. The difficulties of complying with the principles of privacy and data protection, such as informed consent and data minimisation, are likely to grow considerably. Data research shows numerous loopholes in smart devices and IOT applied technology that can be easily accessed by hackers. The popular example was shown in the case in the USA where various incidents were reported of Alexa being hacked and accessed by hacker’s recipient Internet Protocol. Samsung was heavily criticized in 2015 for using its voice-activated software to record private conversations at home and share them with a third party. “Samsung… may capture voice commands and associated text.” One of the serious risks that stem from the operators of the smart devices is communication ability with each other and transfer data autonomously to an external partner (such as a device manufacturer). With these complications, it becomes extremely complex to determine as to when and how processing takes place, and the ability for data subjects to exercise their data privacy/protection rights may therefore be substantially limited. The study conducted by cybersecurity agencies has suggested that almost 80% of the smart devices pose serious vulnerabilities that can be easily hacked and accessed by mischievous users. This would not only result in exposing consumers to serious data frauds but also have the potential of impacting sensitive personal data information.

Applicability of UK legislation to smart and IOT devices 

The draft legislation governing the smart devices would require manufacturers to comply with new security requirements for any smart device product being distributed in the UK. The aim of the draft legislation is to prepare standard security protocols that would withstand massive changes in the sector without disrupting innovation. In October 2018, the UK Government introduced a Code of Practice for IOT security which aimed to provide manufacturers of IOT devices with a harmonised set of guidelines to ensure product security for consumers who often aren’t aware of potential cybersecurity issues when using smart products. In May 2019, the Department for Digital, Culture, Media, and Sport (DCMS) held a consultation on proposals for potential regulation in this area, considering that the self-regulating guidelines had not gone far enough to ensure consumer security. 

On 21 April 2021, the UK Government published its draft legislation governing smart devices and other IOT related products. The legislation would impact any network-connectable devices (i.e., those connected through Wi-Fi, Bluetooth, data cable, etc.) and their associated services that are made available primarily to consumers in the UK. The legislation has kept some of the devices actively out of the scope under the law such as laptops, tablets without a cellular connection, and second-hand devices. The legislation has been defined in its scope to be applicable to all “relevant economic actors” involved in the transmission of smart devices to UK consumers including manufacturers, importers, and distributors.

The legislation has mandated the compulsory compliance to three important guidelines that were earlier replicated in the Code of Practice for Consumer IOT Security and key provisions in the standard EN 303 645 which are –

1. Banning the applicability of universal default passwords that usually are easy to decipher and are preinstalled in factory reset mode when the device is installed.
2. Timely sending of security updates and guaranteeing the consumers as to how long a product will be guaranteed to receive security updates. However, the legislation is likely to allow the UK Government to update the security requirements through secondary legislation to keep pace with technological and threat developments.
3. The manufacturers will be required to publish a publicly available declaration of conformity. They would be mandated to take action if the smart device is not compliant with the legislation and cooperate with enforcement agencies. For operators having business headquarter outside the UK, region will be represented by their authorities in the UK  and will be responsible for ensuring compliance with the proposed legislation.
4. Distributors of smart devices to UK consumers, including wholesalers and retailers, are expected to be required to verify the manufacturers have published a declaration of conformity and cooperate with any enforcement authority.

The draft law stipulates that the enforcement authority will have the power to investigate and take action in relation to any non-compliance. However, there has been no clear policy as to which authority will be tasked with enforcement and what its enforcement powers will be.

Conclusion 

The UK Government has planned to enforce the draft legislation “as soon as parliamentary time allows” which due to the disruption caused by the covid pandemic will be postponed till the end of 2021. While the data protection legislation post Brexit will be supplemented by such legislation, however, the problem still remains as to whether there is a need for framing separate legislation for each and every aspect of technology. This would raise the debate for the need for uniform data protection and efficacy legislation. Specific legislation such as this law should be comprehensive in enacting or redesigning consumer law to adopt more flexible approaches to protect the rights of their citizens.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.