EU issues first product recall alert over privacy concerns

13 March 2019

The European Commission has ordered a Europe-wide recall of a children’s smartwatch, thought to be the first recall on privacy and cyber security grounds.

In January, the EU’s Rapid Alert System for Non-Food Products (RAPEX) issued a safety alert for the ENOX Safe-Kid-One smartwatch. In its alert, the Commission said the device posed a “serious” risk and failed to comply with the Radio Equipment Directive. The recall was ordered after a complaint was initially lodged with the Commission by Iceland’s consumer protection regulator.

The RAPEX alert requires EU regulators to order a recall of the product. However, Germany-based ENOX says the decision was “excessive” and has appealed against the ruling. It told media that the watch had passed tests carried out by German regulators in 2018 and that the version tested by the EU was no longer for sale.

IOT SECURITY CONCERNS

The ENOX device has GPS, a microphone and speaker. Parents can use the app to track the location of the wearer and contact them. 

However, the alert noted that the watch used an unencrypted connection to the company’s servers, which enabled unauthorised access to users’ personal data, including location history and phone numbers. 

It also warned that a malicious user could remotely take control of the watch and communicate with the child wearing the device, or locate the child through GPS.

Last year Pen Test researchers warned of a similar smartwatch – the MiSafes Kid’s Watcher Plus – that was easy to hack, and therefore hijack, to gain access to personal data or spy on users. Pen Test tested a number of other brands of children’s smartwatches and found similar vulnerabilities – it estimates that between 1 million and 3 million vulnerable devices are currently in use.

The Norwegian Consumer Council also found cyber security flaws in children’s smartwatches, leading some retailers (including John Lewis in the UK) to remove several brands from sale. In 2017, Germany ordered a ban on smartwatches for children.

 

PRODUCT LIABILITY

According to law firm Eversheds, this is the only known instance of RAPEX issuing an alert for a product on the basis of concerns over data privacy and security. 

The recall has been ordered because the Commission believes that the product does not adequately protect consumers’ data and privacy, and therefore creates a potential security concern for children, not because the EC believes that the product poses any “physical risk” to consumer safety, the law firm says.

The increasing popularity of wearable technology and the internet of things (IoT) is likely to result in increased product liability risk for manufacturers.

IoT cyber security is increasingly on the agenda of policy makers and regulators. The EU’s proposed Cyber Security Act, for example, establishes a single pan-EU framework for cyber security certification. The act aims to improve cyber security for online services and consumer devices. 

The legislation is the first EU law seeking to enhance the security of IoT devices, including consumer products and those used in critical infrastructure.

Last year the UK government launched a voluntary code of practice to encourage manufacturers to improve the security of IoT devices. 

California also passed IoT cyber security legislation, which will come into effect in 2020, that will require manufacturers to ensure IoT products have “reasonable security features” to protect sensitive customer information from unauthorised access.

TALK TO AN EXPERT

For further information, please contact Sarah Stephens, Head of Cyber/ Technology E&O on +44 (0)20 3394 0486 or email sarah_stephens@jltgroup.com
