The European Union is expecting great benefits from the Internet of Things, but the online connection of physical devices via sensors is also a potential head-scratcher for policymakers.

There is a multitude of possibly disruptive ways in which the Internet of Things (IoT) may affect European legislation.

Student or retired? Then this plan is for you.

“IoT will revolutionise, like the mobile technology has done a few years ago, business models,” said Mario Campolargo, director of the Net Futures unit of the commission. (Photo: Cyrus Farivar)

“It's easy to get a headache. Where do you start?”, said the European Commission's Thibaut Kleiner recently.

Kleiner, head of the commission unit that deals with network technologies, moderated a panel session on IoT policy last Thursday (26 November), at a Brussels conference titled 'The Future of Internet of Things in Europe', organised by the Digital Enlightenment Forum, Huawei, and the European Parliament's magazine.

There is no universal definition of the Internet of Things, but it generally refers to the increasing digital interconnection of objects, rather than computers.

A well-known example is the smart meter, which allows its owner to remotely control energy use. As emphasised at the conference, there may be IoT applications that we cannot imagine yet right now.

Estimations of how many objects will be connected vary, but in a background paper accompanying its Digital Single Market strategy, published last May, the Commission decided to refer to a prediction of possibly 26 billion connected devices by 2020.

Revolution

“IoT will revolutionise, like the mobile technology has done a few years ago, business models,” said Mario Campolargo, director of the Net Futures unit of the commission.

It became clear at the conference that there are still many questions about how IoT will affect the EU's privacy and security rules, and whether these rules will stand the test of time.

The current privacy rules were drafted with the idea that one provider of a service collects your data with a certain purpose. However, increasingly easy large-scale data analysis commonly known as Big Data, may facilitate indirect and unexpected inferences.

“There is normally a contract with you and any service provider,” said Frederic Donck, head of the European division of the Internet Society, a regulatory body of the Internet.

“It's okay to have a toothbrush connected to the Internet, it's okay to have your refrigerator, your watch [connected], but if all this goes on the same network, somewhere someone might have a pretty narrow idea of your health”, noted Donck.

Click here to accept

He also pointed out that the Internet of Things may render unrealistic 'notice and consent', the principle that citizens should be informed about data that is being collected about them and then make an informed decision to agree or not.

The idea of notice and consent lies behind the current rules that make websites inform their users that they are putting small text files known as cookies on their computer, and that requires users to agree to cookies before using the website's service.

“I'm a very strong proponent of notice-and-consent, but yes, how do we do it with the Internet of Things?," asked Donck. "Do we need every cheap sensor to have a click and you would agree? Would you be asked to click every time?”

Sebastien Ziegler coordinates two European research projects on IoT. He voiced similar concerns.

He noted that a new regulation on data protection, the details of which are currently being negotiated behind closed doors by representatives of the European parliament and national governments, “will impact IoT directly”.

“It will make compulsory that if you want to use any personal data you need to have prior informed consent”, said Ziegler.

“If you have sensors deployed massively, how do you handle that? How do you ensure that any people passing nearby will be informed about that?”

The regulation is expected to come into force some time next year, which means that companies will have to adhere to it by 2018. But Ziegler added he is optimistic “innovative solutions” will be invented.

“I am sure we will have enough creativity to overcome that. But there will be a need for the industry and research community really to address it,” said Ziegler.

Who will be responsible?

One other aspect is liability.

“Objects will take decisions on the basis of policies. We expect that their decisions will be conforming with the policies that we authorise them to take, but this may not be the case,” said the commission's Campolargo.

If the autonomous system of, for example, a car, causes an accident, who is then responsible? Is it the software manufacturer? The internet provider? The consumer? These kinds of questions need to be answered if IoT is to be adopted.

Trust and security are key.

“You will not have any market [for IoT products] if you don't convince the citizens that what you're developing in terms of technology is safe, is a benefit for the society and not a threat,” noted Ziegler.

At the same time, there are calls on governments to allow for exemptions, and not regulate too much.

"IoT is still in its infancy and as such for it to flourish, we need to avoid excessive regulation that would prevent new innovative business initiative," said Tony Graziano, vice-president of Huawei's European public affairs and communications office.

"However, there is a need to provide sufficient assurance to users that there is a framework in place. Without putting users at the heart of the IoT, people will remain afraid of the technology," he added.

Wim De Waele, a Belgian investor in tech start-ups, said that in addition to technological experiments, “there should also be regulatory pilots and environments where citizens can experiment together with technology companies and service providers”.

“I would encourage the European Commission and the local authorities … to get rid of the rules – privacy, whatever it is – that we are in Europe so hung up about, that hamper the introduction of certain technology, at least in a contained environment,” noted De Waele.

In a conversation with EUobserver, however, De Waele predicted it will be “ten to twenty years” before the Internet of Things will be a mainstream phenomenon.

That gives the EU some time to think about what it wants to do.

The commission, for its part, is not rushing into any new IoT-specific legislation. Rather, it is first asking around whether there is an appetite for new rules.

As part of its Digital Single Market strategy, it has opened a number of consultations, some of them ask stakeholders about the Internet of Things.

The consultation on 'Online platforms, cloud & data, liability of intermediaries, collaborative economy', for example, asks whether the current legal framework is future-proof. Answers can be sent in until 30 December.