When does the GDPR apply to manufacturers?
Politics, business, society – they are all calling for more digitisation. More digitisation of work, schools, administration and private life. Frequently mentioned buzzwords are Internet of Things (IoT), smart home and autonomous driving. However, if manufacturers overshoot the mark by failing to comply with the legal framework for digital products, especially in cybersecurity and data protection, the (regulatory) authorities react strictly, sometimes even with product bans. These can cause significant difficulties for manufacturers.
A very well-known example is the ban of the play doll “My friend Cayla” by the Federal Network Agency in 2017. The doll was Internet-enabled and could thus communicate with the playing child in simple sentences. The expansion of the product’s functions with the help of the Internet is characteristic of the IoT. However, a Bluetooth connection that the doll required was not state of the art and it was possible for third parties to listen in on conversations and also access the doll’s speaker. Hence, it lacked sufficient cybersecurity and thus also sufficient data protection. The doll was quickly regarded as a “spy in a child’s room” and the German Federal Network Agency - after receiving a corresponding notice - classified it as a “prohibited transmitter” in accordance with § 90 of the German Telecommunications Act (TKG) and issued a sales ban. The General Data Protection Regulation (GDPR), which sets the EU-wide legal framework for data protection, has now been in force since 2018. How can regulators now address data privacy breaches by manufacturers, including in IoT? Does the GDPR address and oblige manufacturers at all?
I. How does the GDPR address manufacturers?
1. What data may manufacturers collect and process?
The regulations of the GDPR primarily serve to protect personal data in the course of processing. Personal data is any information relating to an identified or identifiable natural person. Machine and device data must be distinguished from this. Since machine-generated data regularly originate from production processes or the machines used there and relate exclusively to these processes, there is usually no reference to individuals. Manufacturers do not have to pay attention to the legal framework of the GDPR for such data.
2. Are manufacturers also controllers within the meaning of the GDPR?
The body that ultimately carries out the processing of the data by deciding on the purpose and means of the processing is also responsible for it. The GDPR addresses data controllers directly and obliges them to comply with data protection principles. But manufacturers often do not carry out this processing of personal data themselves. They “only” provide the product or technology on the basis of which the processing is carried out by the controller at a later stage. Therefore, they do not fall directly within the scope of the GDPR and, from a strictly formal point of view, do not have to fulfil its obligations. Nevertheless, manufacturers should take a close look at data protection principles and requirements and, ideally, comply with them. This is because a user of their product will ultimately have to choose not to use the product if, because of the product, they cannot comply with data protection principles. Therefore, the GDPR “encourages” manufacturers to “take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations” (Recital 78 of the GDPR). This “obligation” then indirectly affects the manufacturer of a product even if the manufacturer itself does not process any data, but the user is subject to the GDPR. Meanwhile, a manufacturer has a direct obligation if it becomes responsible under data protection law as an operator at a later point in time, e.g. when operating backend servers for IoT devices.
II. The obligation to design products that can be used in compliance with data protection requirements
The GDPR may not directly address manufacturers, but there is nevertheless an obligation to design products in line with data protection due to potential civil liability claims.
1. Warranty for defects and manufacturer’s liability in the event of errors in data protection
Firstly, liability can arise in accordance with the law governing purchase contracts and contracts for work and services. This is because the breach of data protection can constitute a defect that leads to liability if the manufacturer knows that personal data will be processed at a later point in time. Secondly, manufacturers must observe data protection principles because of potential manufacturer liability. This arises from § 823(1) of the German Civil Code (Bürgerliches Gesetzbuch – BGB) in conjunction with the right to protection of personal data (e.g. pursuant to Article 8 of the EU Charter of Fundamental Rights and Article 16 TFEU), the fundamental right to informational self-determination and the general right to privacy. Manufacturers should place particular emphasis on two points: compliance with the required safety standard (state of the art in science and technology) and the justified safety expectations of the anticipated user group. This also results in an indirect binding of the manufacturer to the requirements of the GDPR.
2. Substantive requirements of the GDPR
The subsequent product should comply with the substantive requirements of the GDPR. These include, in particular, the principles of data erasure and data minimisation, the implementation of technical and organisational measures in accordance with Article 32 GDPR, and compliance with and fulfilment of data subject rights (transparency, information, etc.). In addition, manufacturers should be aware of the possibility of commissioned data processing (processing on behalf of a controller) and of transfers of data to non-EU countries through the product, especially in the field of IoT, and take this into account during development. Currently, data protection supervisory authorities are focusing primarily on third-country transfers.
III. Powers of the supervisory authorities in accordance with the GDPR
The measures taken against data controllers are manifold. They range from the obligation to provide information and the obligation to implement data subjects’ rights to the instruction and prohibition of processing operations and, in the case of serious data protection violations, to fines. The sword of Damocles of fines is well known to most: the amount can be up to EUR 20 million or, in the case of a company, up to 4% of its total annual global turnover for the previous financial year (Article 83 GDPR). However, these measures usually affect the data controllers, who ultimately process the data according to their own specifications. The manufacturer is not addressed in the measures by the supervisory authorities in the GDPR. Nevertheless, the authorities are of the opinion that obligations to provide information and inspection powers also exist vis-à-vis third parties and thus also vis-à-vis manufacturers. In addition, they derive an authority for product warnings from their public relations task (Article 57(1)(b) GDPR). In May 2021, for example, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg advised against the use of Microsoft Office 365 in schools due to data protection risks. However, whether the GDPR really empowers the supervisory authorities to warn against products is – rightly – controversial and will probably ultimately have to be clarified by the courts. However, there is likely to be agreement that the data protection supervisory authorities are not entitled to ban products as was done with the “Cayla” doll.
IV. Challenges and strategic implementation
The GDPR and its implementation by the data protection supervisory authorities sometimes pose major challenges for manufacturers, resulting in particular from legal ambiguities and a high level of dynamism in technical development. Manufacturers are therefore urgently advised to implement the regulations strategically and as early as possible by means of a suitable management system. In doing so, they should first identify the applicable regulations, derive the concrete specifications and then implement these in the development and production process. Due to the dynamics involved, regular control and continuous monitoring are essential.
To date, the GDPR has not imposed any direct obligation on manufacturers. Only if manufacturers later become data controllers themselves, or if the product is later to process personal data and the manufacturer is aware of this, are they indirectly obliged to comply with the GDPR and observe data protection requirements. The extent to which regulators can take action against third parties, such as manufacturers, is controversial. In practice, however, there is a threat of information requests, external audits and product warnings. To be well prepared for this, manufacturers need a suitable management system to implement the requirements of the GDPR and other cybersecurity and data protection regulations in a legally secure fashion.