Underestimated risks: the significance of the GDPR for product development

Stefan Hessel

Analog products seem to be a thing of the past. In any case, there is a massive trend towards digital products and IoT devices and, for many manufacturers, this means retooling production with a greater focus on digital technologies. But whenever a manufacturer develops a product which is designed to process data for users, that product must conform to the present legal framework for digital products, in terms of IT security and data protection. Contrary to widespread opinion, manufacturers do need to adhere to the requirements of the General Data Protection Regulation (GDPR) if their products will be used to process personal data, i.e. information relating to an identified or identifiable natural person.

I.    The GDPR from the viewpoint of manufacturers

In theory, the GDPR applies only to controllers, i.e. those who determine the purposes and means for the processing of personal data. The role of manufacturers, on the other hand, is typically limited to supplying the product to consumers: in many cases, manufacturers do not process data on their own.  Accordingly, the GDPR does not impose requirements on manufacturers directly, but only "encourages" them "to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations" (Recital 78 to the GDPR).

The idea behind this is simple: the GDPR does not have to require manufacturers to comply, because the market will regulate them on its own: users will ultimately decide against a product if using it means that they, as controllers, will be unable to adhere to data protection requirements. This creates an indirect "requirement" for manufacturers to design their products in such a way that users will be able to adhere to the requirements of the GDPR when processing data in the future. In the event that manufacturers are involved in the future operation of digital products as well, the requirements of the GDPR will also frequently apply to them directly. This may be the case, for example, if the manufacturer operates back-end systems or platforms for IoT devices where personal data is processed. It is therefore in the manufacturer's own interest to adhere to the GDPR in such a case, beginning in the product development phase.

II.    Requirement to design products which can be used in conformance with data protection requirements

Manufacturers who fail to adhere to data protection requirements for their products do not necessarily face penalties under the GDPR. But this does not mean that they shouldn't heed the requirements of data protection law; after all, such violations may trigger liability in accordance with the laws governing contracts of sale and contracts for works and services. If the manufacturer knows that its product will be used to process personal data and fails to adhere to the legal requirements so as to enable the product to be used in conformance with data protection law, such a failure may constitute a defect in the product and result in liability for the manufacturer. Moreover, we cannot rule out the risk of manufacturer's liability in accordance with § 823(1) of the Civil Code in conjunction with the right to privacy, e.g. pursuant to Article 8 of the EU Charter of Fundamental Rights and Article 16 of the TFEU, the fundamental right to informational self-determination and the general right of privacy. Therefore, manufacturers should absolutely adhere to the required data protection and cybersecurity standards and familiarize themselves with the legitimate security expectations of the expected user group. In particular, manufacturers should perform a critical assessment as to the lawfulness of any transfers of personal data to non-EU countries, particularly the US, given the present challenges associated with data transfers to third countries arising from the ECJ's "Schrems II" ruling and the ongoing investigations by data protection authorities.

III.    Strategic implementation

Strategic implementation of these requirements at the earliest possible date reduces the risks for manufacturers enormously. A suitable management system will allow you to identify applicable regulations, derive specific requirements and then implement them in your development and manufacturing process. We would be glad to help you in this regard.

[July 2021]