Internet of Things (IoT) & Co.

When does the GDPR apply to manufacturers?

Politics, business, society – they are all calling for more digitisation. More digitisation of work, schools, administration and private life. Frequently mentioned buzzwords are Internet of Things (IoT), smart home and autonomous driving. However, if manufacturers overshoot the mark by failing to comply with the legal framework for digital products, especially in cybersecurity and data protection, the (regulatory) authorities react strictly, sometimes even with product bans. These can cause significant difficulties for manufacturers.

A very well-known example is the ban on the toy doll “My friend Cayla” by the Federal Network Agency in 2017. The doll was Internet-enabled and could thus communicate with the playing child in simple sentences. The expansion of a product’s functions with the help of the Internet is characteristic of the IoT. However, the Bluetooth connection that the doll required was not state of the art, and it was possible for third parties to listen in on conversations and also to access the doll’s speaker. Hence, it lacked sufficient cybersecurity and thus also sufficient data protection. The doll was quickly regarded as a “spy in a child’s room”, and the German Federal Network Agency, after receiving a corresponding notice, classified it as a “prohibited transmitter” in accordance with § 90 of the German Telecommunications Act (TKG) and issued a sales ban. The General Data Protection Regulation (GDPR), which sets the EU-wide legal framework for data protection, has now been in force since 2018. How can regulators now address data privacy breaches by manufacturers, including in the IoT? Does the GDPR address and oblige manufacturers at all?

I. How does the GDPR address manufacturers?

1. What data may manufacturers collect and process?

The provisions of the GDPR primarily serve to protect personal data in the course of processing. Personal data is any information relating to an identified or identifiable natural person. Machine and device data must be distinguished from this. Since machine-generated data regularly originates from production processes or the machines used there and relates exclusively to these processes, there is usually no reference to individuals. Manufacturers do not have to observe the legal framework of the GDPR for such data.

2. Are manufacturers also controllers within the meaning of the GDPR?

The body that ultimately carries out the processing of the data by deciding on its purpose and means is also responsible for it. The GDPR addresses data controllers directly and obliges them to comply with data protection principles. But manufacturers often do not carry out this processing of personal data themselves. They “only” provide the product or technology on the basis of which the processing is carried out by the controller at a later stage. Therefore, they do not fall directly within the scope of the GDPR and, from a strictly formal point of view, do not have to fulfil its obligations. Nevertheless, manufacturers should take a close look at data protection principles and requirements and, ideally, comply with them. This is because a user will ultimately have to refrain from using the product if, because of the product, they cannot comply with data protection principles. Therefore, the GDPR “encourages” manufacturers to “take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations” (Recital 78 of the GDPR). This “obligation” then indirectly affects the manufacturer of a product even if the manufacturer itself does not process any data but its user is subject to the GDPR. By contrast, a manufacturer is directly obliged if it itself becomes responsible under data protection law as an operator at a later point in time, e.g. when operating backend servers for IoT devices.

II. The obligation to design products that can be used in compliance with data protection requirements

The GDPR may not directly address manufacturers, but there is nevertheless an obligation to design products in line with data protection due to potential civil liability claims.

1. Warranty for defects and manufacturer’s liability in the event of errors in data protection

Firstly, liability can arise under the law governing purchase contracts and contracts for work and services. This is because a data protection breach can constitute a defect that leads to liability if the manufacturer knows that personal data will be processed at a later point in time. Secondly, manufacturers must observe data protection principles because of potential manufacturer liability. This arises from § 823(1) of the German Civil Code (Bürgerliches Gesetzbuch – BGB) in conjunction with the right to protection of personal data (e.g. pursuant to Article 8 of the EU Charter of Fundamental Rights and Article 16 TFEU), the fundamental right to informational self-determination and the general right to privacy. Manufacturers should place particular emphasis on two points: compliance with the required safety standard (state of the art in science and technology) and the justified safety expectations of the anticipated user group. This, too, binds the manufacturer indirectly to the requirements of the GDPR.

2. Substantive requirements of the GDPR

The resulting product should comply with the substantive requirements of the GDPR. These include, in particular, the principles of data erasure and data minimisation, the implementation of technical and organisational measures in accordance with Article 32 GDPR, and compliance with and fulfilment of data subject rights (transparency, information, etc.). In addition, manufacturers should be aware of the possibility of commissioned data processing (processing on behalf of a controller) and of transfers of data to non-EU countries through the product, especially in the field of IoT, and take this into account during development. Currently, data protection supervisory authorities are focusing primarily on third-country transfers.

III. Powers of the supervisory authorities in accordance with the GDPR

The measures taken against data controllers are manifold. They range from the obligation to provide information and the obligation to implement data subjects’ rights to instructions on and prohibitions of processing operations and, in the case of serious data protection violations, to fines. The sword of Damocles of fines is well known to most: the amount can be up to EUR 20 million or, in the case of a company, up to 4% of its total annual global turnover for the previous financial year (Article 83 GDPR). However, these measures usually affect the data controllers, who ultimately process the data according to their own specifications. The manufacturer is not addressed by the supervisory authorities’ measures under the GDPR. Nevertheless, the authorities are of the opinion that obligations to provide information and inspection powers also exist vis-à-vis third parties and thus also vis-à-vis manufacturers. In addition, they derive an authority to issue product warnings from their public relations task (Article 57(1)(b) GDPR). In May 2021, for example, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg advised against the use of Microsoft Office 365 in schools due to data protection risks. Whether the GDPR really empowers the supervisory authorities to warn against products is, however, rightly controversial and will probably ultimately have to be clarified by the courts. There is, however, likely to be agreement that the data protection supervisory authorities are not entitled to ban products in the way the Federal Network Agency did with the “Cayla” doll.

IV. Challenges and strategic implementation

The GDPR and its implementation by the data protection supervisory authorities sometimes pose major challenges for manufacturers, resulting in particular from legal ambiguities and the high pace of technical development. Manufacturers are therefore urgently advised to implement the regulations strategically and as early as possible by means of a suitable management system. In doing so, they should first identify the applicable regulations, derive the concrete specifications and then implement these in the development and production process. Due to the dynamics involved, regular control and continuous monitoring are essential.

V. Summary

To date, the GDPR has not imposed any direct obligation on manufacturers. Only if manufacturers later become data controllers themselves, or if the product is later to process personal data and the manufacturer is aware of this, are they indirectly obliged to comply with the GDPR and observe data protection requirements. The extent to which regulators can take action against third parties, such as manufacturers, is controversial. In practice, however, there is a threat of information requests, external audits and product warnings. To be well prepared for this, manufacturers need a suitable management system to implement the requirements of the GDPR and other cybersecurity and data protection regulations in a legally secure fashion.

