Smart Textiles – a new world of data
PERFORMANCE DAYS
9 November 2017, Munich
Dr. Alexander Duisberg, Bird & Bird LLP
Overview
● Weaving into the data economy
● My data – your data?
● Privacy and consent – opt-in or opt-out?
● Data in the cloud – anything goes?
● Smart textiles and health data – really …?
● Data security – what are you talking about?
● How about the other stuff?
● Conclusion
Page 2
Weaving into the data economy
© Bird & Bird LLP 2017
The oil of the 21st century? Well,…
… it's getting more and more…
… with the unknown potential under the surface!
Smart textiles – connecting fabrics and people
[Diagram: Devices & Apps; End users; Operators; Cloud, Big Data, Cognitive Computing/AI; Local servers & connectivity; Sensors; Automation and remote access; Wifi; Embedded systems or separate components; Owners/End users; Platform providers; Provider/B2B suppliers; Operator/B2B supplier; Manufacturer and service provider]
My data – your data?
Who "owns" the data?
"Our data", "my data", "your data", "their data"?
No civil-law ownership
● No tangible good
● No ownership, no transfer of ownership
● Sui generis database rights do not protect unstructured raw data
A flaw in the system?
● Exclusivity rights inappropriate
● Sharing and innovation - proprietary vs. open
Contractual arrangements
● Database rights a key element (sui generis right)
● Challenge how to handle unstructured data
Building the European Data Economy
Consultation by EU Commission (10 Jan 2017)
● Free flow of data (localisation barriers)
● Data access and transfer
• Freedom of contract – fair contract terms
• Facilitating down-stream access to raw machine-data
● "New approach" of experimenting and testing
Free flow of non-personal data (13 Sept 2017)
● Bring down geo-blocking
● Portability of data
Privacy and consent – opt-in or opt-out?
Data protection – the basics (1)
Personal data
● Wide definition (can include IP addresses)
● Personally identifiable individuals
● Sensitive data (incl. ethnic origin, religion, health, sexual orientation)
● Anonymization → no privacy laws apply
• Can you irreversibly delete all identifiers?
Consent or statutory justification
● Purpose limitation vs. multi-purpose analytics
● Performing contract with data subject
● "Informed consent"
• In writing or electronically?
• Opt-in or opt-out?
● Cookies → ePrivacy Regulation
Opt-in or opt-out?
Data protection – the basics (2)
Data subject's rights
● Access / information, correction, deletion
● "Right to be forgotten"?
● Data portability (new!)
Commissioned data processing
● Data controller → service provider
● Requires data processing agreement – check your service providers!
● Relevant for cloud services
Data transfers
● No group privilege (i.e. within corporations)
● Remote access = transfer
● Specific requirements on ex-EU/EEA transfers
This GDPR thing – what's up? (1)
Objectives
● EU-wide, harmonised set of rules
● Directly applicable, less differences between the Member States
● Modernising data protection law
● Stronger rights for data subjects
● Improve enforcement
Timing
● 25 May 2018
● Time to prepare is now
This GDPR thing - a quick comparison…
From local to global
From member states to Europe
From little enforcement to a lot
291% increase
240 % increase
240 % increase
DP Directive 95/46/EC | General DP Regulation
34 articles | 99 articles
72 recitals | 173 recitals
8 definitions | 26 definitions
scope extends to local processing | scope extends to global processing
effective through national DP Acts | directly effective
varied national guidance & enforcement | centralized enforcement and guidance
enforcement patchy | fines of 4% worldwide turnover
This GDPR thing – what's up? (3)
What's new?
● Increased penalties for non-compliance (4% of worldwide turnover)
● Security breach rules
● Records of Processing and Privacy Impact Assessment (PIA)
● Pseudonymisation – criteria tbc
● Right of erasure, portability
● Privacy by design
● Direct liability of data processors
● Codes of Conduct
● Certification
ePrivacy Regulation – are you serious?
ePrivacy Regulation replacing ePrivacy Directive (2002)
● Relevant for ecommerce related activities
● Electronic communication services (e.g. WhatsApp, Facebook etc.)
● Content and metadata
● Cookies (simpler rules, control through browser settings)
● M2M scenarios – Wearables!
● Stronger emphasis on consent
● Limited legal justifications
● Privacy by design requirements
● Protection against spam
● Enforcement as per GDPR!
Not finalized – watch out for next 3-5 months!
Data in the cloud – anything goes?
To Cloud or not to Cloud?
Business strategy
● From cap-ex to op-ex
● New business models or process optimization?
● Leveraging better IT security
Don't outsource a mess into the Cloud
Technical necessity: app-based processing, no local storage in textiles
Choose your vendors: not all are the same – scalability limits flexibility; due diligence – technical, commercial, legal
Use case and international transfer (health data in fitness apps?)
Audit and certification
Data protection challenge around auditability
● Consider scaled and multi-layered processing operations
● Running or using a platform
NEW framework for certifications under GDPR
● Art. 42, 43 GDPR goes back to "Trusted Cloud" (www.trusted-cloud.de)
● Certification of processing operations
● Criteria to be developed by European Data Protection Board
● Will help any controller and processor demonstrate compliance
Smart textiles and health data – really …?
Lifestyle textiles and health data (1)
Special categories of personal data
● Health, religion, sexual orientation, etc.
● Limitations on processing, stricter requirements (mostly: consent)
Health data
● Data on physical or mental status of an individual
• E.g. blood pressure, pulse
• Step counter? Could depend on the context
● Fitness trackers, integrated with textiles
To dos
● No straightforward statutory justification (not: legitimate interest) – exception: "vital interests"
● Normally: consent required
Lifestyle textiles and health data (2)
Protecting data through
● Privacy by Design and Default
● Processing and transfer only based in law or through consent
• Informed and unambiguous consent
• Through apps?
● Issues around imbalance of negotiation powers
• Terms and conditions law
• Special situations (e.g. employment, insurance)
● Technical and organisational measures – security by design?
● Providers of Wearables responsible for quality standards
● Questions from consumer protection perspective
Combining consent with commercial advantages / discounts – position of market dominant players / brands
91st Conference of German Data Protection Authorities – Decision of April 2016
(see: www.datenschutz-bayern.de/dsbk-ent/DSK_91-wearables.pdf)
Data security – what are you talking about?
Security is key – for senior management
Board / managing directors' liability (Section 91 para. 2 AktG)
● "The management board shall take suitable measures, in particular surveillance measures, to ensure that developments threatening the continuation of the company are detected."
● Breaches can trigger board liability
IT Security Act (July 2015)
● Addresses operators of critical infrastructure – relevant to the textile industry?
● BSI sets standards
● Impact on suppliers (textiles in automotive?)
● Notification of security breaches
Security breach – prepare!
Don't start your learning curve during a crisis
● Resource planning
• Topic of senior management
• Remedial action plan
• Train crisis management
● Knowing what happened
● Risk-based approach (Art. 33 GDPR)
● Notification within 72 hours
● International dimension
• "Document retention" and "litigation hold" (USA)!
How about the other stuff?
Have you come across these?
Product conformity and CE marking requirements
REACH
WEEE
RoHS
CE-Marking
Conformity & CE-marking
Based on EU Regulation on accreditation and surveillance regarding marketing of products (765/2008)
● Condition for market entry / begin of operation
● Requires conformity with certification criteria
● Producer is responsible for conformity of the product with all related EU requirements
● Applies EU wide
WEEE
Waste of Electrical and Electronic Equipment (Directive 2003)
● Liability based on causation
● Prevention, reduction and waste disposal of electrical/electronic equipment
● Where's the chip in your fabric?
• No de minimis threshold
• Top end: anything under 1,000 / 1,500 volts (direct/alternating current) is acceptable – don't try that out!
● Elektro- und Elektronikgerätegesetz (ElektroG)
● Registration obligations
● Waste disposal and recovery of raw materials
Don't breach – sanctions up to EUR 100k!
RoHS & REACH
RoHS – Restriction of certain Hazardous Substances
● Don't use in smart textiles (chips, or electrical and electronic equipment): lead, mercury, cadmium, chromium VI or certain brominated flame-retardant substances
REACH – Registration, Evaluation, Authorisation and Restriction of Chemicals
● We believe you already knew what you're doing, but think again about additional substances in your smart textiles
Conclusion
● It's all about the data – that nobody owns
● Privacy – top of the pyramid
● GDPR and ePR – get ready now!
● Platforms and contractual eco-systems
● Security is key!
● WEEE and RoHS – think about it and action it!
About Bird & Bird LLP
● A truly international firm
● 28 offices and over 1,200 fee earners worldwide
● Deep industry knowledge –leaders in Tech & Comms
● Advisors to government on shaping the data economy
● Excellence in client service
Aarhus, Abu Dhabi, Beijing, Bratislava, Brussels, Budapest, Copenhagen, Dubai, Duesseldorf, Frankfurt, The Hague, Hamburg, Helsinki, Hong Kong, London, Luxembourg, Lyon, Madrid, Milan, Munich, Paris, Prague, Rome, Shanghai, Singapore, Stockholm, Sydney and Warsaw
Leaders in what's new
"At the forefront of developments in the sector, advising on issues such as cloud services, big data, spectrum, mobile payment and network sharing." "They are great – really modern with a great level of expertise and very fast responses."
Chambers Global 2015
"The lawyers are customer-oriented, and they are at the cutting edge of TMT thanks to their long-term experience and deep industry knowledge."
Chambers Europe (Germany) 2016
Dr. Alexander Duisberg
+49 89 3581 6239
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses.
Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP
and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.
twobirds.com
Thank you!
"…the 'world-class' Alexander Duisberg who deals with both contentious and non-contentious matters pertaining to the field."
Who's Who Legal 2016
"A 'guru' on matters involving online commerce, cloud computing, big data, data protection and software and services distribution"
Who's Who Legal 2015