The Internet of Things (IoT) is a technology that accompanies people in almost all areas of their lives. Home appliances, smart home systems, smartwatches, medical equipment, vehicles and traffic lights – all these items, referred to in legal terms as connected products, are textbook examples of the wide application of the Internet of Things. Thanks to the sensors they contain, it is possible to collect key data on their use as well as the environment in which they are located. The collected information is then transmitted via electronic communication or physical connection to various recipients known as data holders. The ongoing digital transformation necessitates the introduction of appropriate legal regulations. What challenges must the Internet of Things face in order to meet the standards set by law?
From 12 September 2025, Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) will apply. The Regulation, known as the Data Act, introduced significant regulations on the management of data generated by devices connected to the Internet, harmonising the legal framework in the EU in this area.
In Chapter II of the above-mentioned regulation, the EU legislator included a number of obligations for various entities that use and operate devices equipped with IoT technology. The first of the obligations listed in this chapter is the requirement to design and develop connected devices and related services in an appropriate manner, as specified in Article 3(1) of the Data Act. According to the wording of this provision, their design and production must ensure secure, free and convenient access for users to the information collected, in a commonly used format. It is proposed that direct access be provided, as far as this is feasible from the technical point of view of the data controller. It should be emphasised that the requirements originating in the aforementioned paragraph will apply to connected products and related services placed on the market after 12 September 2026.

At the same time, the Data Act provides for an information obligation on the part of potential data controllers towards users of connected products. Thus, before concluding a contract (e.g. for the sale, rental or leasing of a connected device), the user of the device must be informed about the type and approximate amount of data collected, the manner and place of its storage (continuous, actual, on the device or on a server), as well as about the possibility of accessing, downloading or deleting this information. This obligation also covers the conditions of data use.
However, facilitating access to data exposes businesses to the risk of disclosure of trade secrets. Article 4(6) of the Data Act establishes standards for the protection of trade secrets, which may only be disclosed if both the data holder and the user have taken all necessary measures to ensure confidentiality. In the circumstances provided for in the regulation, the data holder is also entitled to withhold or suspend the sharing of information classified as trade secrets. In such a case, the user of the IoT device has the right to lodge a complaint with the competent authority, which shall take a decision on the matter without undue delay, or to agree with the data holder to refer the matter to the appropriate dispute resolution body.
New technologies are increasingly supporting people in countless areas. However, in the hustle and bustle of rapid digital progress, we should not forget to ensure adequate protection for legal rights, in particular privacy. The Data Act is a groundbreaking regulation on access to information generated by IoT devices. However, this is only the beginning of the legal challenges that IoT product manufacturers, data holders and users will have to face. In the near future, it will be necessary to adapt this technology to the standards of another EU regulation, i.e. the Cyber Resilience Act, which will come into force on 11 December 2027.