When the fridge takes control: A legal perspective on Industry 4.0 by Professor Thomas Klindt

Yes, data is indeed the essential asset in the new data-driven economy. From a technical or economic viewpoint, data can be classified in many ways. Legally, there are exactly two categories of data: personal data, subject to data privacy laws, and “other” data, which could be termed machine-related data.

Personal data may not be processed, be recorded, and not even be deleted without the consent of the person concerned. In Germany, that has been the law since 1977, and business models simply have to take that into account. Totally prohibited, for example, would be to employ recognition and tracking technologies to create employee productivity profiles without their awareness; no matter how high the demand for such a system might be on the market.

It’s different with machine-related data. There is no legal protection for this type of data at all in Germany, everything goes. But is the data therefore worthless? Far from it! For example, consider the data that results from opening a roller door in a factory building. By itself, this data is irrelevant, but if a rolling door manufacturer can collect the entire field population of that data, then that’s not just big data, but actual smart data – because the data is meaningful. Through evaluations, the manufacturer may notice, for example, that the doors are operated much less often than expected – meaning that the drives are completely oversized; by adjusting this product properly, perhaps 30% of the cost can be saved.

This data can thus have a tangible value contributing to the business success of a company. The situation becomes problematic when this data is the only asset of a business case: if the asset disappears – so does the business case. For instance, if an employee takes this data and starts their own company, there is no law preventing that. Machine-related data enjoys no protection whatsoever.

Precisely because the legislation does not provide any protection, you must get this protection yourself, especially if the data is mission-critical to the success of the business. There are the two ways you described: You must provide technical protection, such as encryption, access control, firewalls, backups, etc. And you must protect yourself contractually, for example, through data pool contracting.

In my opinion, the industry is not yet paying sufficient attention to the concept of non-personal data and its utter vulnerability!

(Find out data regulations at Siemens here.)

Yes, absolutely! Connectivity has risks that we lawyers discuss because they are actually pressing and important subjects. A distinction is made between active and passive risks. Active risks arise from the fact that connectivity does not happen in a legal vacuum. If this is not taken into account, there is a risk that a product innovation will run counter to legal regulations and thus be unlawful. A famous example is the WLAN-enabled doll “Cayla”, which the German Federal Network Agency classified as a disguised listening device, and whose possession is thus a criminal offense. Only a minor modification to the product that makes the internet connection obvious could have saved the business.

The passive risks of connectivity – keyword cyber security – also concern us immensely, especially in industry. Imagine, you are a manufacturer of industrial hot water boilers that are WLAN-based and can be controlled via an app. What if a hacker, from the outside, succeeds in causing a boiler to explode – resulting in property damage and injuries? Sure, if we catch the hacker, the law will mete out punishment. The problem is, we don’t catch them all that often.

Then the debate sprouts why the product could be hacked. Is it a product liability complaint to the manufacturer why the product could be hacked at all? Cyber security thus becomes cyber resilience, an intrinsic property of the product. This seemingly small legal question, though, decides on billions of euros in potential revenues or costs. Because if I were legally responsible for being cyber-resilient, I would have to provide a patch free-of-charge whenever I discover a new vulnerability in my already delivered products. The patch would be the mandatory “digital recall.”

Personally, I think that is completely wrong! Look, if I were to set fire to your jacket, no one would consider holding your tailor accountable – you’re going to grab Mr Klindt, end of story. Cyber resilience is one of the last outstanding issues in European product liability law. And this debate must not be left up to lawyers to decide.

…which for me, represents the outstanding quality of digitalization! Automation has been going on for many decades, and just because robots now mow lawns and vacuum, they are not an expression of digitalization. Automation concerns action, digitalization concerns decision-making – for me as a lawyer, a completely different quality.

Lawyers speak of machine-to-machine contracts here, which in addition to the aforementioned reordering, also play an important role in predictive maintenance concepts. But let’s just stick to the refrigerator, which has sensors, RFID, and cameras, and therefore always knows which products have expired or are running out. The refrigerator then automatically orders fresh butter, sausage, and vegetables from an online retailer, and has it delivered to your home. Watched in slow motion, the following happens: The fridge says I need 2 liters of milk, the retailer’s chatbot says OK you’ll get 2 liters of milk, which is delivered and then charged via a payment service. Everyone is happy.

For us lawyers, this is a process that we can’t explain. That’s why we examine the facts in every last detail as to understand what’s actually happening. Through this magnifying glass, the given situation plays out as follows: The refrigerator is now ordering, for whatever reason, 20,000 liters of milk, and the chatbot is perfectly fine with that. It organizes 20,000 liters of milk and then charges everything again via the payment service. You now have 20,000 liters of milk in your kitchen and ask your lawyer how to get out of that mess.

The problem is that for centuries, we have had a constant when it comes to law: people enter into contracts. This is the law. A contract consists of two corresponding declarations of intent made by different persons. Of course, these persons can also be a limited liability company or a corporation. But nowhere is there anything about refrigerators, robots, Kanban systems. Or machine-generated declarations of intent – because we currently assume that a refrigerator has no will of its own, and therefore can’t declare intent; no matter which data records are pushed back and forth.

This can have strange outcomes: For example, in high-frequency trading on the Frankfurt Stock Exchange, all transactions are printed out at the end of the day and signed manually – to at least maintain the fiction that the will of a person is behind it all. The whole thing has nothing to do with stable legal certainty.

We lawyers call this “code is law”. Take a traffic accident for example: An obstacle appears suddenly and unexpectedly in front of my car. As a human driver, I might overcorrect the steering to avoid it and race into a group of people. That may be battery or even homicide, but as a driver I probably did not act culpably – it’s certainly a tragedy, but probably no wrongdoing. Same situation in the autonomously driving car. But now nobody is overcorrecting the steering; the decision is made by a programmed algorithm coded years ago. But, was the programmer right in writing the crucial line of code like that? May a person program, years before an accident, who is killed? This topic, too, can be transferred well to the industry, for example, when an algorithm monitors the safety of a potentially explosive facility.

This is how terms such as machine ethics or “code is law” come into being. That which is in the codes is already the law. In the discussion it’s said again and again, either ethics enter the programs, or the programmers consider ethical issues. Do we need a TÜV or any other authority to inspect algorithms? Many experts say that would not be feasible and would end up in an enormous agency. But my simple counterquestion: Do we want to allow all algorithms unchecked?

Get a good lawyer! (laughs)