The Preliminary Report of the Sector Inquiry into Consumer Internet of Things: what is new for EU Consumer and Data Protection law?

Doutrina

By Francesca Gennari, PhD student, LAST-JD RIoE, Mykolas Romeris University- University of Bologna- University of Turin (frgennari@mruni.stud.eu; francesca.gennari8@unibo.it)

On the 9th of June 2021, the European Commission published ‘The Preliminary Report of the Sector Inquiry into Consumer Internet of Things’ (hereinafter the report). The publication of this document takes place almost one year after Margrethe Vestager, Executive Vice President for ‘Europe fit for the Digital Age’ and Commissioner for Competition, decided it was necessary to investigate whether the market for Consumer Internet of Things (meaning connected/smart objects that we as consumers use every day) presented issues for EU competition law. The reasons behind this inquiry were the expansion of this market among EU consumers and the potential amount of money that it involved for investors and companies but also the reliance of these objects on personal data to work better. As a consequence, the Commission launched a sector inquiry in July 2020 based on Article 17 of Regulation 1/2003. Following the publication of the preliminary results of this report, a public consultation started in order for stake-holders to comment on those. This consultation ended on 1st September 2021. The final report of this enquiry is expected in 2022.

The preliminary report is structured in eight sections (nine if we include the page dedicated to the launch of the public consultation). The introduction also explains the methodology through which the Commission collected and analysed the relevant data. The Commission sent to relevant stake-holders four different sets of questionnaires after having divided the ‘Consumer IoT market’ at large in four segments: i) manufacture of smart home devices; ii) provision of voice assistants; iii) manufacture of wearable devices and iv) provision of consumer IoT services (such as creative content services). Furthermore, standard-setting and industry organisations participated too by replying to a fifth yet different questionnaire. The content of the questionnaires reflected a particular time window (the second half of 2020) and it can be used just as a qualitative tool as the Commission warns that the answers to the questionnaires should not be used as statistical information. The main questions that the selected respondents had to answer were about: i) their own characteristics in order to have a deeper understanding of each market (segment); ii) the potential competition issues in the IoT market; iii) the role that is played by standards and standard setting organisations; iv) the interaction between IoT devices, services and voice assistants and v) the role played by data in this market.

The outcomes of the report seem not to be interesting for consumer law specialists but only for competition law practitioners and scholars at first. In fact, the results show that the IoT consumer market, and especially the segment concerning voice assistants, is dominated by few enterprises which are able ‘de facto’ to make their contractual solutions accepted by other manufacturers of smart devices in order for them to be compatible with the voice assistant. One of the highlights of these preliminary results is that general purpose voice assistants are becoming the main gateways for making the home a connected environment and to process data detected and collected even by other connected objects. This could potentially be at the origin of exclusive practices such as ‘tying’ more software services and objects together, maybe with pre-installed options and default setting applications. Furthermore, the economic power of few competitors could also cause a relevant barrier to entry this market: in fact, it was confirmed by the respondents that the investments and capitals in order to have consistent research and development activities are considerably high and that discourages many potential competitors from entering the market. In addition, the forecast of a universally connected Consumer IoT to make it a fairer competitive market needs to be balanced with the evidence that there is still a lack of uniform standards to meet this target of full interoperability. This problem concerns connectivity standards as well. Interestingly enough, some respondents stressed the need not only to have new common standards but also to have more clarity among the existing ones. This holds true also as far as Intellectual Property Rights (IPRs) and Standard Essential Patents (SEPs) policies are concerned. However, the report shows intuitive graphs and tables in which it is possible to compare, in a synthetic way, the different licensing policies of the main standard setting organisations and industry organisations and that can be indeed useful in the future. Finally, the preliminary report shows that the role of data, and particularly data flows, in consumer IoT is essential, not only for product maintenance but also for the personalisation of the experience, business analytics and other targets such as marketing strategies and fraud prevention. Moreover, indirect monetisation of data through consumer profiling and advertising are mentioned both as indirect effects of data processing. One big concern that is left out is that sometimes it is not possible to guarantee the portability of data because of technical features (e.g. the device or service does not request registration data, therefore it is not possible both to identify or to transfer data that cannot be matched with anyone).

Despite this preliminary report has competition law and its respect as main targets, it is quite relevant for other disciplines such as Consumer law and Data Protection law, at least implicitly.

This is not just because ‘consumers’ benefits’ is one of the criteria that competition authorities have to take into account when deciding whether to start an infringement procedure or to exempt an undertaking from said infringement procedure (101.3 TFEU). This preliminary report is important because it gives (even unofficially) an intuitive taxonomy of the kinds of IoT objects and services that consumers use most frequently, by dividing the Consumer IoT market in the previously cited segments. It also makes an effort in selecting and finding definitions, by discarding also some neologisms that could become common language words. For instance, there is no use of smart assistant/smart speaker qualification but voice assistant, which is identified primarily as “voice-activated pieces of software that can perform a variety of tasks, acting both as a platform for voice applications and a user interface’’, and therefore is not primarily connected to a physical object.

Although not constituting binding legal categories, these new labels and definitions will provide help in interpreting and adapting the current EU Consumer law to this evolving technology as they are quite intuitive and comprehensive of the Consumer IoT objects on the market. In fact, the existing EU consumer law documents never mention the word IoT directly but use synonyms such as ‘goods with digital elements’. Moreover, this new taxonomy could also be used in forthcoming policies and legislation about the liability and safety of IoT objects, such as for the update of the Product Liability Directive.

Furthermore, it is very interesting the part of the report which explains where and how data processing happens at the Consumer IoT level thus giving more clarity to the definition of processing set out in Article 4.2 GDPR. If a larger public can potentially know, from now on, all the typologies of processing (e.g. on device, in the cloud, on premise…) and their functioning scheme (even in general terms) this will benefit consumers which might be more likely to choose a brand that is more intuitive to use and that better explains how and where the processing takes place, giving them a better control of their devices and data. In short, this part of the report is important not only to better inform consumers on the functioning of what they purchase but for data protection issues as well, because it points out implicitly what still needs to be done in order to create a more trustworthy consumer IoT. For example, it seems that there is no or little commercial interest on how to build IoT consumer objects that need less personal data to function in order to respect the data minimisation principle (Article 5.1.c GDPR); it was previously mentioned that some Consumer IoT objects also do not consent portability of their data to competitors. This can cause a problem if consumers want to change the provider of a service on a certain device or they want to connect a device which does not provide interoperable data to other ones. In this case, the principle of portability set out in the GDPR (Article 20 GDPR) cannot be respected also because of the lack of interoperability protocols.  We already know that a fully interconnected consumer IoT environment is still not possible technically today because of the lack of common standards, but it could be interesting to wonder how stake-holders would react whenever two or more IoT consumer objects might concur in causing damage by unfairly or incorrectly processing personal data that they shared independently from their manufacturers previsions. At the moment, the rule at Article 26 GDPR on joint controllership seems to suffice as it is quite easy to imagine which object will connect with which, and that is why this problem is not mentioned.

Even if this is just a preliminary report referring to a specific span of time (second semester 2020), it is interesting to notice that when respondents were asked what was needed to succeed in this market, quality, brand reputation, privacy policies and cybersecurity were considered by most respondents as among the most important factors, but there was no mention of any strategy for durability or environmental sustainability for Consumer IoT objects (unless these elements were meant to be associated with the ‘quality’ factor). In this sense it is hoped that not only last August’s IPCC report on climate change but also the upcoming initiatives announced in the New Consumer Agenda (such as the durability and single charger initiatives) and research in the still experimental Green IoT (GIoT) can boost the industry in integrating data and consumer protection as well as environmental sustainability as part of a new Consumer IoT paradigm. To this end, it is expected that the results of the public consultation will draw attention on these issues in a more structured and explicit way.

Acknowledgment

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie ITN EJD grant agreement No 814177.