At first glance, empty terms, the German Michel and unprofessional referees have little in common. One man who nevertheless skillfully combines them is data protection expert Peter Hense. The founder of the law firm "Spirit Legal" explains to us where the problem lies and what it takes to reconcile data protection and the networked home.
A quick look around your own four walls reveals many things. Are you tidy or a proud advocate of healthy chaos, are you interested in interior design or is Ikea furniture sufficient, and finally, do you belong to the ever-growing group of people who want to make their homes smart with intelligent devices. According to Hense, smart home is "initially an empty term" that, like many others, originates from marketing. It simply means that devices used for control are connected to the Internet. This loose definition includes Google's Virtual Private Assistant for the entire house as well as a simple intelligent shutter control.
Loose definitions and empty terms, however, do not change the wealth of data that is created and collected in connected homes. According to Hense, the decisive factor is always whether the collected data can be used to make a statement about a person. "And there you have to say that everything that happens in the smart home can be a statement about me as a resident or about the group of residents." The type of data collected, he said, ranges from the frequency of door openings to the temperature associated with an address to the detergent in the dishwasher. Especially when combined with sensor technology such as cameras or infrared sensors, the amount of personal data is large, he said.
Personal data makes it possible to identify natural persons and, consequently, to make statements about them. The processing of this type of data is strictly regulated in the European Union in the GDPR. According to Hense, the GDPR is also essentially responsible for data protection law in smart homes, in addition to applicable national laws. Other important regulations for the expert are the ePrivacy Directive and civil law. Civil law is important because in smart homes there are service contracts between the parties involved that define rights and obligations. These clearly define what the product in question, such as a smart home installation by Deutsche Telekom, has to do. Data protection would be regulated in civil law by, among other things, update obligations.
The ePrivacy Directive, on the other hand, is relevant because products connected to the Internet are end equipment that is regulated in terms of data protection and privacy. However, Hense makes it clear that directives have to be implemented specifically at national level. With few exceptions, there is a harmonized legal landscape in Europe with regard to ePrivacy. In Germany, this was implemented in December 2021 under the name Telecommunications Telemedia Data Protection Act (TTDSG). Germany was thus at the bottom of the league in a European comparison.
Michel lacks awareness
According to Hense, German authorities are still lagging behind not only in implementation, but also in enforcement. Currently, they are focusing on useless and misleading consent banners on websites, but the Internet of Things and smart homes are largely left out. In addition, the authorities are currently not sufficiently professionally positioned to be able to compete against the army of lawyers on the corporate side. What is needed, Hense said, is a centralization of authorities that are set up in a competent manner and have an enforcement department that is experienced in law enforcement. However, this incomplete fulfillment of the referee role cannot be expected for much longer, he said, which is why the first unprepared companies could soon be hit.
The U.S. already excels in selective enforcement. Therefore, the lawyer suspects that a coming privacy movement in the area of consumer IoT would start as a wave in the US. For stronger enforcement in Germany, on the other hand, in addition to the aforementioned solution approaches, "the sleeping giant must first be awakened: the German Michel."
For the data protection expert, waking up the German Michel means raising awareness among users of smart devices. Awareness is currently still individual and sparse, which is why many are not aware of what personal data is processed in the networked home. As a solution, the lawyer cites transparent information about what actually happens with the data. This leads to shock and disillusionment among many people, who believe that the state already provides sufficient protection. It is precisely this kind of shock and disillusionment, however, that is important in order for a data subject to feel sufficiently damaged to file a lawsuit. And plaintiffs are needed to enforce the protection of privacy under European and national law.
Bans for single payments
One way for consumers to protect their rights is through collective action instruments. The lawyer believes it is likely that these will be used in the smart home sector over the next one to three years. Currently, he sees lawsuits filed in the Netherlands against Oracle and Salesforce for cookies and unauthorized access to end devices.
In contrast to many other lawyers, Hense favors prohibition orders rather than fines for the penalties resulting from lawsuits, as these would be tantamount to a ban on use. For example, a ban on processing certain data could cause a company to lose an entire business sector or market share, which would have far more drastic effects than a one-time fine. In addition, the injunction could be enforced immediately despite being challenged in court. In addition to fines and cease-and-desist orders, there would also be the possibility of returning products with data protection deficiencies. According to European Union sales law, it is possible to demand a reduction in price, reversal or withdrawal from the purchase in the case of products with material defects. Companies with defective devices would therefore still have to pay back the full purchase price years after the contract was concluded.
Data protection 101
In order to prevent the above penalties, important data protection cornerstones would have to be in place in the company first and foremost. For Hense, the number one pillar is accountability. Companies would have to account for which data processing processes were involved in their business activities. If their data sources are external, they need Pillar 2: Consent Management. Consent management describes the process of obtaining, enforcing and documenting user consent for specific processing operations. This would make it possible to demonstrate that data may actually be collected. A consent management platform is therefore the "on/off switch for the light. [...] data stream on, data stream off." Pillar 3 is about the principles of privacy by design and privacy by default, which must be taken into account when designing the devices.
A look into the future
Data protection expert Hense is convinced that there will be a number of laws at both national and European level that will join those already mentioned. These include laws on cyber resilience, the Data Act, the Data Governance Act and the AI Act. This "regulatory thicket" is difficult for companies to navigate, which is why it is essential to build up internal knowledge, processes and management systems. The major challenge associated with this is winning over committed employees who are passionate about the subject. Those who do not invest in the "war for talent" will have to spend the money they supposedly save later on defending themselves against lawsuits. According to Hense, companies that are unable to build up internal knowledge can fall back on good consultants and service providers.
In addition to internal expertise on the part of companies, referees in data protection law will be needed in the future to hand out red cards and send teams off the field. Currently, the referees, or the authorities Hense is referring to, spend too much time advising and too little time enforcing the law. Therefore, he said, there needs to be far more legal pressure from the authorities, and until then, the industry would still be slacking. "As a company, I wouldn't count on this going on for very long," he said.
Partner & Sales Manager: Paul Jelenik
Mobile: +43 676 4636255