Samsung’s recent security warning regarding its QLED TVs (smart TVs using Quantum-Dot Light Emitting Diodes) illustrates the risk posed to consumers from connected devices and hardware. Connected devices are physical objects that can connect with each other and systems via the Internet.
Businesses that manufacture and supply connected devices are exposed to various forms of liability, from contractual, negligence and product liability through to fines under the General Data Protection Regulation and claims from affected data subjects. A data subject is any person who can be identified, directly or indirectly, via an identifier such as a name, location data or other factors.
What happened in the Samsung example?
In 2017, Wikileaks revealed a security vulnerability in Samsung’s smart TVs that was allegedly exploited by the CIA to record conversations using the always-on voice control system (the “Weeping Angel” exploit). Samsung responded by investigating the issue. The vulnerability required physical access, since a USB drive had to be inserted into the smart TV to infect it, so the impact was limited. It was assumed that this vulnerability had been fixed.
On 17 June 2019, Samsung tweeted a warning to consumers to run virus checks on their new QLED TVs on a weekly or monthly basis, and shared a video showing how to do this. Not surprisingly, this led to concern and comments in the media that Samsung should be able to fix security vulnerabilities remotely rather than relying on consumers to do this themselves. Samsung has since deleted the tweet.
What is the legal framework for consumers’ use of connected devices in the UK?
Consumers who buy a connected device and face issues with its performance have redress under their contract with the retailer or supplier and via the Consumer Protection Act 1987 (CPA), which implements the EU’s Product Liability Directive 1985.
The CPA imposes strict liability directly on the manufacturer for damage caused by a defective product. This means the consumer does not need to prove fault or negligence on the part of the manufacturer. It covers personal injury and damage to other goods or property (e.g. a defective charging cable that causes a house fire, or a self-driving car that malfunctions and damages another vehicle or kills a pedestrian). In this context, damage does not include the failure of the product to function (or damage to the product itself).
Claims could be made by a consumer for breach of contract against the retailer, supplier and manufacturer, under the express terms of the contracts or under terms implied by the Consumer Rights Act 2015 or otherwise.
The implementation of the General Data Protection Regulation (GDPR) introduces further areas of liability for connected devices. A personal data breach can lead to fines from the local regulator; in the UK this is the Information Commissioner’s Office (ICO). Manufacturers and suppliers should be aware that processing personal data without ensuring appropriate security for it (using appropriate technical or organisational measures) is a breach of Article 5(1)(f) of the GDPR, even if the inadequate security is never exploited and no data subjects are affected. So in the Samsung case, if the connected TV did not have appropriate technical measures to protect personal data, there could still be a breach of Article 5(1)(f) if personal data was at risk.
Article 82(1) of the GDPR allows a data subject who has suffered material or non-material damage from a breach of the GDPR to receive compensation. Significantly, non-material damage can include distress, and there is no need to prove that the distress was accompanied by direct financial loss, which expands the possible scope of liability for device manufacturers and suppliers.
What should you be doing now?
If you’re a business that supplies hardware as part of a connected device or manufactures connected devices, you can take various measures to manage your liability.
Technology suppliers and manufacturers can apply their standard terms and conditions within the supply chain, directly to consumers or via distributors. If you also distribute firmware updates, these need to be subject to separate licence terms and conditions. These terms can help manage supply chain and/or consumer expectations and limit or exclude some types of liability. For example, you can describe the level of support and patching you intend to provide, and reduce or limit contractual liability if the consumer fails to install patches within a reasonable time frame. By specifying high-risk activities for which the products are not appropriate or safe, you can reduce liability if the products are actually used for those activities.
You should be reviewing the scope of your product liability insurance and aligning this with your exposure for those liabilities which cannot be excluded contractually.
If personal data is at risk, data protection impact assessments should be applied to typical use cases for all connected devices.
You should also ensure robust product testing is carried out and continues to be carried out before each product release gate.
If you are supplying to the public directly, you also need to ensure your connected devices and consumer terms and conditions comply with the Consumer Protection from Unfair Trading Regulations 2008 (which ban particular forms of unfair conduct, e.g. false claims that a product has been endorsed); the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (which require businesses to provide particular information to consumers); and the Consumer Rights Act 2015 (which prohibits certain clauses and implies key terms into consumer contracts, e.g. that goods must be of satisfactory quality or conform to their description).
What else should you be aware of?
It can be challenging to identify the cause or causes of loss or damage. For example, a defect causing a connected oven to start a fire could be the result of the hardware, components made by different manufacturers, firmware built into the oven, or even settings applied via an app on the consumer’s smartphone.
However, in this connected world, identifying and investigating the risks posed by the device in its connected environment will be an important part of your marketing, sales and legal strategy. If you are to keep customers on side (even where you are not liable for failures caused by other connected apps or devices), you will have to determine when and where your liability ceases and ensure your customers are clear about this.
This strategy then needs to be applied to all territories where the connected devices are distributed and sold to consumers, as local legislation will be different.
What happens next?
The European Commission has been consulting on changes to the Product Liability Directive 1985. It has appointed an expert group on liability and new technologies, and has commissioned an external study on how the Directive could be made more relevant to new technologies, so we may see changes on the horizon here.
The ICO has published guidance for consumers on securing connected devices, so the issue is on its radar. It will also be interesting to see how the ICO and other regulators sanction manufacturers of connected devices whose products expose personal data going forward.
How can we help you?
We have a long history of advising tech companies and digital and creative agencies on drafting and negotiating international contracts with clients and suppliers, and on managing disputes and data breaches.
If you need further help on managing liability for your connected device we’d be happy to help – please contact Rebecca Steer Rebecca.firstname.lastname@example.org