The Internet of Things and EU Law

This book offers a comprehensive and holistic analysis of the cybersecurity, privacy & data protection challenges entailed by IoT devices in EU law. A working definition and three-layered architecture taxonomy of the ‘Internet of Things’ are provided, together with a state-of-the-art threat landscape in which each specific attack is linked to a layer of the IoT taxonomy.

In a scenario where IoT devices physically interact with individuals, the book disentangles the legal, ethical and technical aspects of the concepts of ‘(cyber)security’ and ‘safety’, as the former now affects the latter more than ever before. To this end, a normative analysis aims to explore the concepts of ‘cybersecurity’, ‘safety’ and ‘privacy’ against the background of the ‘IoT revolution’.

Building on the outcomes of this normative analysis, the work then addresses from a legal perspective the rapidly evolving EU cybersecurity legal frameworks, particularly taking into account the specific issues related to the IoT, both in terms of technology and the market dynamics of the stakeholders involved. On a different level, the book also investigates three legal challenges raised by the ubiquitous IoT data and metadata processing to EU privacy and data protection laws.

After having examined the manifold IoT ‘security & privacy’ risks, the discussion focuses on how to assess them, by giving particular attention to the risk management tool enshrined in EU data protection law (i.e., the Data Protection Impact Assessment). Accordingly, an original DPIA methodology for IoT devices is proposed.

This book will appeal to researchers in IT law, EU cybersecurity & data protection law, and more generally, to anyone interested in finding out how EU cybersecurity and data protection law is responding to the manifold regulatory and compliance issues associated with connected devices.