TMT 2025

PORTUGAL Law and Practice Contributed by: Jorge Silva Martins, João Carminho and Inês Coré, CS’Associados

In addition to the GDPR, which provides general protection for personal data, the ePrivacy Directive (Directive 2002/58/EC) specifically regulates privacy in electronic communications, serving as lex specialis in relation to the GDPR. While the ePrivacy Directive remains in force, a new ePrivacy Regulation is under discussion and is expected to update and strengthen privacy rules for electronic communications, including IoT devices.

The NIS2 Directive (Directive (EU) 2022/2555), which entered into force on 16 January 2023, replacing its predecessor, the NIS Directive, is considered the EU’s primary cybersecurity legislation. While it does not explicitly regulate IoT, it has broader implications for cybersecurity, indirectly impacting communication secrecy within IoT ecosystems. Portugal is expected to complete the transposition of the NIS2 Directive into national law soon.

Additionally, recognising the security risks posed by products with digital elements, including IoT technologies, the European Commission adopted the Cyber Resilience Act – which establishes comprehensive cybersecurity standards for connected devices.

4.2 Compliance and Governance

Compliance Challenges

Companies deploying IoT solutions in Portugal need to deal with several compliance challenges, primarily related to data protection and cybersecurity:

• Data protection obligations:
(a) IoT devices often collect vast amounts of personal data, triggering compliance requirements under the GDPR. Key challenges include ensuring transparency, obtaining valid consent from data subjects, and adhering to the principles of data minimisation and purpose limitation.
(b) Companies must also address the complexities of IoT data security, particularly given the potential vulnerabilities in connected environments.
• Cybersecurity concerns:
(a) IoT devices are often considered weak entry points for cyberattacks, increasing the need for companies to ensure proper encryption, secure firmware updates, and vulnerability management.
(b) Operators of Essential Services (OES) under the NIS Directive (as implemented in Portugal) face stricter obligations if IoT solutions are integrated into critical infrastructure.
• Interoperability and standards: The fragmented IoT ecosystem presents challenges in ensuring compliance with technical standards, particularly when integrating devices from multiple manufacturers.

Governance Frameworks for IoT Deployments

To ensure effective IoT deployment and regulatory compliance, companies in Portugal should adopt governance frameworks tailored to the risks and legal requirements associated with IoT technologies:

• Data protection governance:
(a) establish a Data Protection Impact Assessment (DPIA) process to evaluate risks related to personal data processing, as required under the GDPR for high-risk processing; and
(b) appoint a Data Protection Officer (DPO) to oversee IoT-related data protection compliance, particularly for organisations processing large-scale or sensitive personal data.
