Today more than ever, companies are leveraging the transformational power of the digital network, signifying a shift towards a new era of "digital ecosystems". According to a report by Accenture entitled "Technology Vision 2015: Digital Business Era: Stretch Your Boundaries", one trend that will dictate how companies will do business in the next few years is the "Internet of Me", which has been described in the report as the emerging interconnected environment in which businesses are building products and services to be designed for, created for and specifically centred on the individual. It therefore places emphasis on personalizing customer experience through connected objects thereby significantly improving customer satisfaction.
What are the trends of the "Internet of Me"?
Advisory firm Gartner Research has predicted that the consumer experience will be the deciding competitive factor by 2016. In addition, two thirds of the world’s population are expected to own a connected object in five years’ time.
These projections signify the impending growth and expansion of digital channels in five key areas created by enterprises to deepen customer engagement. These include: (i) wearables, (ii) connected homes (including devices and appliances), (iii) connected cars, (iv) connected cities and (v) the industrial internet (including transportation, oil & gas, and health care).
While these trends signify a move by companies towards greater customization of products and services, they also translate to companies sharing skills and expertise through meaningful partnerships, which will become vital in producing "digital ecosystems" through connected devices, sensors, and algorithms which all operate in ways that involve massive amounts of data.
In this highly interconnected world, it consequently becomes necessary for companies to enhance their digital strategies by determining and defining the roles to play and effectively managing the concomitant legal risks.
What are the major legal challenges to face?
Reassure users on data management
Trust is fundamental in the development of the "Internet of Me" economy. In an opinion published in September 2014, the G29 group provided some guidance on a number of challenges arising from connected objects, which have become “amplified” due to the huge increase in the amounts of data being processed. Businesses are called to anticipate the application of the EU data privacy regulation principles and in particular to:
conduct a Privacy Impact Assessment (PIA) before any new Internet of Things (IoT) project is conducted. G29 recommends the development of specific PIA frameworks for particular digital ecosystems (e.g., quantified self; smart cities, etc.);
apply the principles of Privacy by Design and Privacy by Default (data minimization, use aggregated data and delete raw data at the nearest point of collection) when selecting the operating systems, devices and applications;
enable users to be informed in the most user-friendly manner (for instance via the device interface or a signal on a wireless channel), to consent to the use of the connected device and be in "control" of the data at any time according to the principle of self-determination of data, thus shifting the burden of data protection from provider to the user. In its report of 2015, the U.S. Federal Trade Commission (FTC) suggests creative solutions (video tutorials for privacy settings; affixing a QR code which will take consumers to a website containing information about privacy practices; a set-up wizard that provides information about privacy practices, allowing users to configure devices, to receive information through emails or texts, etc.);
choose standards and platforms guaranteeing the application of data protection, confidentiality, and security (integrity, authentication, access control).
Clearly define contractual warranties and responsibilities
Businesses implementing IoT projects will have to think about how they are going to address legal requirements. Much of this relates to the contractual relationships that will support the technology and connectivity involved.
A company will have to make sure that its internal departments work together and understand customer-facing issues. Data protection, security and privacy will have to be at the forefront of these new projects, and the company will have to select only partners and suppliers which offer appropriate warranties and other contractual commitments on these different issues.
With so many stakeholders involved (OS and device manufacturers, application developers, social platforms, etc.), it becomes unclear where the line between data controller and data processor should be drawn. As such, it is crucial for the parties to allocate legal responsibilities among themselves very clearly. Further, this distinction, which appears in current EU legislation, often does not fit well with the stakeholders of the new digital ecosystem, nor is it necessarily replicated in data protection regimes outside the EU. More generally, given their number, the stakeholders will also need to carefully review the chain of contracts to respond to the following question: "Who will be responsible in bearing the financial consequences if damage is caused to the user of an IoT?"
Manage cybersecurity concerns
A study released by Hewlett-Packard in 2014 found that 70 percent of IoT devices are vulnerable to attacks. The vulnerabilities identified in the report include password security, encryption and general lack of granular user access. In its January 2015 report, the FTC recommended that in addition to specific measures for data protection, it is crucial to implement among other things (i) "security by design" by building security into each IoT device at the outset, rather than as an afterthought, (ii) a defense-in-depth approach for systems with significant risks, (iii) reasonable access control and (iv) monitoring of connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks. The FTC also released a new publication for businesses which provides guidance on how to build security into products connected to the IoT on a risk-based approach, taking advantage of best practices developed by security experts, such as using strong encryption and proper authentication.
Companies which are starting to develop an IoT project should strongly consider guidance offered by the different regulators, evaluate what steps they can take to mitigate data privacy and security risks and carefully negotiate and review the contractual warranties, commitments and liabilities provided by the different stakeholders involved.
Accenture Technology Vision Report 2015: Digital Business Era: Stretch Your Business
Goldman Sachs Report 2014 - The Internet of Things: Making Sense of the Next Mega-trend (September 3, 2014)
The G29 Data Protection Working Group is composed of the representatives of all EU Data Protection Authorities. Opinion 8/2014 on the recent developments on the Internet of Things.
"Careful Connections: Building Security in the Internet of Things"
Baker & McKenzie, Paris