The European Union is reviewing measures that would increase protections for the Internet of Things. The potential legislation is geared towards requiring more stringent certifications for smart products and enhancing cybersecurity protections across the 28-nation bloc.
The European Parliament Committee on Industry, Research, Telecoms, & Energy (ITRE) voted to advance a report on a proposed law that would fortify weaknesses in cybersecurity, but it is unclear the extent to which it will affect connected objects.
The law is being reviewed in light of the recently enacted General Data Protection Regulation (GDPR), a regulation passed to protect consumers inside the European Union (EU) and European Economic Area (EEA). However, the size of the European market and the fluidity of modern international commerce meant that the new protections affected consumers and businesses around the world. The GDPR focused on data protection and privacy for citizens and gave consumers more control over who could access their personal information. GDPR regulations also standardized the legal landscape regarding privacy for businesses serving the EU and EEA.
With the adoption of the GDPR, the EU has shown itself capable of introducing sweeping change into its regulatory landscape regardless of cost. The introduction of the GDPR cost the top 500 global corporations alone at least $7.5 billion.
Legislating the Internet of Things in Europe
The vote by the ITRE is only the first step in introducing new certifications, but is generally representative of the stance that the European Parliament will take upon entering negotiations. Next, the law will be voted on by the European Parliament in the summer session and, if passed, will be negotiated among member states before finally resulting in new EU-wide regulation.
There is a tug-of-war in Europe between EU consumer protection organizations and the organizations representing the technology industry. Consumer advocacy groups seek to include connected objects in the proposed certifications stating that those devices need to be regulated like cars, appliances, and other consumer goods. The Director General of the European Consumer Organization (BEUC) Monique Goyens tweeted in December 2017, “It is indeed key to upgrade and future proof regulatory framework for connected products.”
— monique goyens (@moniquegoyens) December 13, 2017
The BEUC has outlined the privacy dangers of connected devices, including as they relate to smart products used by children. Additionally, connected devices are particularly vulnerable to be employed as bots in massive ransomware cyberattacks like the one that affected most of Europe in June 2017.
While the BEUC advocates for European consumers, the Computer & Communications Industry Association (CCIA) represents the interests of the smart home industry. CCIA Senior Manager Alexandre Rohre has welcomed the new regulations stating “we commend MEPs for addressing software vulnerability disclosure to prevent cyber criminals from harming Europe’s economy and wider society. We urge Member States to support Parliament’s position on this matter in the final negotiations.”
What This Means for the Consumer
A comprehensive overhaul of the current security regulations for smart devices could make smart devices less vulnerable. However, such a robust rebuild would require tech manufacturers to invest more in meeting certifications and could lead to more expensive connected objects.