smart textiles a new world of data€¦ · performance days 9 november 2017, munich dr. alexander...

Smart Textiles – a new world of data

PERFORMANCE DAYS

9 November 2017, Munich

Dr. Alexander Duisberg, Bird & Bird LLP

Overview

● Weaving into the data economy

● My data – your data?

● Privacy and consent – opt-in or opt-out?

● Data in the cloud – anything goes?

● Smart textiles and health data – really …?

● Data security – what are you talking about?

● How about the other stuff?

● Conclusion

Weaving into the data economy

© Bird & Bird LLP 2017

The oil of the 21st century? Well,…

"Images are used for educational and study purposes only"

… it's getting more and more…


… with the unknown potential under the surface!


Smart textiles – connecting fabrics and people

Devices & Apps

End users Operators

Cloud, Big

Data, Cognitive

Computing/AILocal servers &

connectivity

SensorsAutomation and

remote access

Wifi

Embedded Systems or

separate components

Owners/

End users

Platform

providers

Provider / B2B

suppliers

Operator/ B2B

supplier

Platform

providers

Manufacturer

and service

provider

My data – your data?

Who "owns" the data?

"Our data", "my data", "your data", "their data"?

No civil-law ownership

● No tangible good

● No ownership, no transfer of ownership

● Sui generis database rights do not protect unstructured raw data

A flaw in the system?

● Exclusivity rights inappropriate

● Sharing and innovation - proprietary vs. open

Contractual arrangements

● Database rights a key element (sui generis right)

● Challenge how to handle unstructured data


Building the European Data Economy

Consultation by EU Commission (10 Jan 2017)

● Free flow of data (localisation barriers)

● Data access and transfer

• Freedom of contract – fair contract terms

• Facilitating down-stream access to raw machine-data

● "New approach" of experimenting and testing

Free flow of non-personal data (13 Sept 2017)

● Bring down geo-blocking

● Portability of data


Privacy and consent – opt-in or opt-out?

Data protection – the basics (1)

Personal data● Wide definition (can include IP addresses)● Personally identifiable individuals● Sensitive data (incl. ethnic origin, religion, health, sexual orientation)● Anonymization no privacy laws apply

• Can you irreversibly delete all identifiers?

Consent or statutory justification● Purpose limitation multi-purpose analytics● Performing contract with data subject● "Informed consent"

• In writing or electronically? • Opt-in or opt-out?

● Cookies ePrivacy Regulation

Opt-in oder Opt-out?

Data protection – the basics (2)

Data subject's rights● Access /information, correction, deletion● "Right to be forgotten"?● Data portability (new!)

Commissioned data processing● Data controller service provider● Requires data processing agreement check your service providers!● Relevant for cloud services

Data transfers● No group privilege (i.e. within corporations)● Remote access = transfer● Specific requirements on ex-EU/EEA transfers

This GDPR thing – what's up? (1)

Objectives

● EU-wide, harmonised set of rules

● Directly applicable, less differences between the Member States

● Modernising data protection law

● Stronger rights for data subjects

● Improve enforcement

Timing

● 25 May 2018

● Time to prepare is now


This GDPR thing - a quick comparison…

291% increase

240 % increase

240 % increase

From local to global

From member states to Europe

DP Directive 95/46/EC

General DP Regulation

34 articles 99 articles

72 recitals 173 recitals

8 definitions 26 definitions

scope extends tolocal processing

scope extends toglobal processing

effective throughnational DP Acts

directly effective

varied national guidance & enforcement

centralized enforcement and guidance

enforcement patchy

fines of 4% worldwide turnover

From little enforcement to a lot

Subject matter | Client Details

This GDPR thing – what's up? (3)

What's new?● Increased penalties for non-compliance (4% of worldwide turnover)● Security breach rules

● Records of Processing and Privacy Impact Assessment (PIA)● Pseudonymisation – criteria tbc● Right of erasure, portability

● Privacy by design● Direct liability of data processors

● Codes of Conduct● Certification


ePrivacy Regulation – are you serious?

ePrivacy Regulation replacing ePrivacy Directive (2002)

● Relevant for ecommerce related activities● Electronic communication service (e.g WhatsApp, Facebook etc.)● Content and metadata● Cookies (simpler rules, control through browser settings)● M2M scenarios – Wearables!● Stronger emphasis on consent● Limited legal justifications● Privacy by design requirements● Protection against spam● Enforcement as per GDPR!

Not finalized – watch out for next 3-5 months!


Data in the cloud – anything goes?

To Cloud or not to Cloud?

Seite 19

Business strategy

● From cap-ex to op-ex ● New business models or process optimization?● Leveraging better IT security

Don’t outsource a mess into the Cloud

Technical necessity App-based processing, no local storage in textiles

Choose your vendors Not all are the same – scalability limits flexibilityDue diligence – technical, commercial, legal

Use case and international transfer (health data in fitness apps?)

Audit and certification

Data protection challenge around auditibility

● Consider scaled and multi-layered processing operations

● Running or using a platform

NEW framework for certifications under GDPR

● Art. 42, 43 GDPR goes back to "Trusted Cloud" (www.trusted-cloud.de)

● Certification of processing operations

● Criteria to be developed by European Data Protection Board

● Will help any controller and processor demonstrate compliance

Seite 20

http://www.trusted-cloud.de/

Smart textiles and health data – really …?

Lifestyle textiles and health data (1)

Special categories of personal data● Health, religion, sexual orientation, etc.● Limitations on processing, stricter requirements (mostly: consent)

Health data● Data on physical or mental status of an individual

• E.g. blood pressure, pulse• Step counter? Could depend on the context

● Fitness trackers, integrated with textiles

To Does● No straight forward statutory justification (not: legitimate interest) Exception: "vital interests"

● Normally: Consent required

Seite 22

Lifestyle textiles and health data (2)

Protecting data through● Privacy by Design and Default● Processing and transfer only based in law or through consent

• Informed and unambigous consent• Through apps?

● Issues around unbalance of negotiation powers• Terms and conditions law • Special situations (e.g. employment, insurance)

● Technical and organisational measures security by design?● Providers of Wearables responsible for quality standards● Questions from consumer protection perspective

Combining consent with commercial advantages / discounts Position of market dominant players / brands

91st Conference of German Data Protection Authorities– Deceision of April 2016 –

(check under : www.datenschutz-bayern.de/dsbk-ent/DSK_91-wearables.pdf)

Seite 23

Data security – what are you talking about?

Security is key – for senior management

Board / managing directors liability (Section 91 para. 2 AktG)● "The management board shall take suitable measures, in particular

surveillance measures, to ensure that developments threatening the continuation of the company are detected."

● Breaches can trigger board liability

IT Security Act (July 2015)● Addresses operators of critical infrastructure – relevant to textile

industry? ● BSI sets standards● Impact on suppliers (textile in automotive?)● Notification of security breaches

Seite 25

Security breach – prepare!

Don’t start your learn curve during a crisis

● Resource planning• Topic of senior management• Remedial action plan• Train crisis management

● Knowing what happened● Risk-based approach (Art. 33 GDPR)● Notification within 72 hours● International dimension

• "Document retention" und "litigation hold" (USA)!

Seite 26

How about the other stuff?

Have you come across these?

Seite 28© Bird & Bird LLP 2016

ProductConformityandCE markingrequirements

REACH

WEEE

RoHS

CE-Marking

Conformity & CE-markingBased on EU Regulation on accreditation and surveillance regarding marketing of products (765/2008)

● Condition for market entry / begin of operation● Requires conformity with certification criteria● Producer is responsible for confirmation of product with all related

EU requirements● Applies EU wide


WEEE

Waste of Electrical and Electronic Equipment (Directive 2003)● Liability based on causation● Prevention, reduction and waste disposal of electrical/electronic

equipment● Where's the chip in your fabric?

• No de minimis threshold• Top end: anything under 1,000 / 1,500 voltage (co-

flow/alternating current) is acceptable – don't try that out!● Where's the chip in your fabric?● Elektro- and Elektronikgerätegesetz (ElektroG) ● Registration obligations● Waste disposal and recovery of raw materials

Don't breach – sanctions up to EUR 100k!


RoHS & REACH

RoHS – Restriction of certain Hazardous Substances

● Don't use in smart textiles (chips, or electrical and electronic equipment): Led, mercury, cadmium, chrom-VI or certain flame protection substances containing bromine

REACH – Registration, Evaluation, Authorisation and Restriction of Chemicals● We believe you already knew what you're doing, but think again about

additional substances in your smart textiles


Conclusion

Conclusion

● It's all about the data – that nobody owns

● Privacy – top of the pyramide

● GDPR and ePR – get ready now!

● Platforms and contractual eco-systems

● Security is key!

● WEEE and RoHS – think about it and action it!


About Bird & Bird

About Bird & Bird LLP

● A truly international firm

● 28 offices and over 1,200 fee earners worldwide

● Deep industry knowledge –leaders in Tech & Comms

● Advisors to government on shaping the data economy

● Excellence in client service


Aarhus, Abu Dhabi, Beijing, Bratislava, Brussels, Budapest, Copenhaguen, Dubai, Duesseldorf, Frankfort, The Hague, Hamburg, Helsinki, Hong Kong, London, Luxembourg, Lyon, Madrid, Milan, Munich, Paris, Prague, Rome, Shanghai, Singapore, Stockholm, Sydney und Warsaw

Leaders in what's new

“At the forefront of developments in the sector,

advising on issues such as cloud services, big data,

spectrum, mobile payment and network sharing. “They

are great – really modern with a great level of

expertise and very fast responses.”

Chambers Global 2015


The lawyers are customer-oriented, and they are at the cutting edge of

TMT thanks to their long-term experience and deep industry

knowledge.”

Chambers Europe (Germany) 2016

Dr. Alexander Duisberg

+49 89 3581 6239

[email protected]

Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses.

Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP

and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.

twobirds.com

Thank you!

„…the „world-class“ Alexander Duisberg who deals with both contentious and non-contentious matters pertaining to the field.“

Who’s Who Legal 2016

A 'guru" on matters involving online commerce, cloud computing, bigdata, data protection and softwareand services distribution"

Who's Who Legal 2015

smart textiles a new world of data€¦ · performance days 9 november 2017, munich dr. alexander...

Documents