The Internet of Things (IoT) is expected to transform the way we live and work. In 2008, the number of connected devices exceeded the number of people on earth. By 2020, estimates predict that the IoT market will grow to $7.1 trillion.
Certainly, it’s clear that consumer adoption of IoT is growing in the UK. In April 2016, John Lewis announced the launch of a smart home section at its flagship Oxford Street store, triggered by an 81% increase in sales of smart home products in the last 12 months.
And it’s these consumer applications of IoT (smart homes, wearable tech, driverless cars) that tend to dominate the headlines. However, despite this fascination with consumer IoT, many believe that IoT is going to have a far greater impact on business, with ‘industrial IoT’ helping to improve business processes, deliver operational efficiencies and enable new business models. Indeed, earlier this year it was reported that organisations expect to spend 42% more on IoT projects in 2016 and over half of UK businesses surveyed planned to employ a chief internet of things officer (CIoTO) in the next 12 months. However, despite these reports, IoT adoption is still at an early stage. According to a recent Computing report, the majority of existing IoT projects are trials and limited deployments, as opposed to larger initiatives.
In terms of the legal response to IoT, as with the majority of technological developments, the law trails behind the innovation. There are currently no specific laws for IoT in the UK – IoT is constrained by existing law and regulation, and there isn’t a developed body of case law. Bearing this in mind, what are the key legal issues companies need to consider when embarking on an IoT project?
Which laws apply?
Due to the borderless nature of IoT, devices, systems, users and providers may be located in different countries and various national laws may apply. As you embark on your IoT project, you will need to consider which laws and regulation are relevant. These may include laws relating to consumer protection, data privacy, cyber-security, and telecoms, plus industry specific regulation. The law is likely to evolve as IoT develops and so you will need to make modifications to your IoT solutions as law and regulation changes.
Data privacy and security
Given that many IoT applications involve the collection and use of vast quantities of data about individuals, it’s unsurprising that data privacy and security are key concerns. Moreover, because IoT applications combine data from a variety of sources, this can result in additional security vulnerabilities. The IoT network is only as secure as its weakest link.
The Mobile Ecosystem Forum (“MEF”) recently published a report which highlighted that 60% of users are worried about connected devices, with privacy (62%) and security (54%) considered the biggest threats. Equally, the authorities are very aware of the privacy and security risks posed by IoT, and various regulators have issued specific IoT guidance (including the ICO, EU Article 29 Working Party and the FTC).
Of course, the best approach is to bake privacy and security into IoT devices upfront. However, this is easier said than done – there are widespread concerns that many existing IoT products and services are being rushed to market without sufficient focus on privacy and security.
When planning your IoT project, you will need to carefully examine the data privacy and security implications and ensure compliance with applicable laws and regulatory guidance. Note that a one size fits all approach is unlikely to work for IoT, as the scale and nature of the data privacy and security issues will vary depending on the devices involved.
Of course, there are many IoT applications which won’t involve processing of personal data at all. Nonetheless, data security will remain a key risk, in terms of protecting potentially valuable business data, protecting against the damage (financial and reputational) caused by a cyber-attack, and mitigating the risk of physical damage if a device is compromised.
Image: IoT meeting hosted by TLT LLP.
Understanding the supply chain
In order to identify the commercial implications of each IoT application, you will need to consider upfront the deployment lifecycle. That lifecycle ranges from initial design and development of a device, through to manufacturing, installation, operation, maintenance and, finally, decommissioning and re-commissioning.
Each IoT solution is likely to depend on an extended supply chain and issues of data ownership and software licensing will apply across that supply chain. In the UK, there are limited intellectual property rights in data. To avoid uncertainty, you will want to contractually address data ownership in all relevant services and licence agreements. It will also be important to define handover points and who owns the integration risk for products as they are developed and launched. You will want to consider typical service issues too, such as availability and response times, scalability, pricing and exit.
In terms of contractual arrangements, at the design and development stage, you will typically have, at a minimum, professional services agreements and employment agreements. You will need to address issues such as privacy and security by design, together with whether data ownership and licence rights are wide enough to cover the intended use. When it comes to deployment, you will need to consider third-party services agreements, as well as appropriate end-user agreements. The product manufacturer will need to address appropriate security and privacy issues concerning data transfer, and arrangements for exit and avoiding lock-in.
An ‘Internet of lawsuits’?
New technologies have always triggered questions of liability for acts or omissions. This is heightened in the IoT world, where liability does not arise solely from the device itself, but also from its connectivity with other devices. At an early stage of an IoT project, you should evaluate all relevant risks across the supply chain, taking into account all relevant parties, for example:
- who is responsible for device security?
- what are the consequences if a device is hacked?
- who is liable if an IoT product injures a customer?
- who is liable for data accuracy?
- who is responsible for intervening if a failure occurs? and
- could you be liable for not intervening before a failure occurs (if you have data that predicts that it is likely to occur)?
You will then need to take steps to remove, mitigate or transfer identified risks – for example, via contractual protections, insurance, compliance programmes and/or security protocols.
Standardisation
One of the key challenges with IoT is interoperability. Currently, there is a lack of consensus between IoT standards organisations and industry stakeholders on even the most basic technical standards. This fragmented landscape is, in part, down to the fact that while stakeholders share an interest in aligned standards, some companies perceive competitive and economic advantages in building their own proprietary systems. Also, while interoperability is widely believed to be essential, defining what is meant by interoperability and where it is required is more difficult. In addition, disagreement over the appropriate IP licensing terms for standards has characterised much of the standards debate to date.
However, we are seeing some progress in this area. In April 2016, the European Commission (EC) published a Communication on ICT Standardisation that included an action plan for IoT standards. Of course, even if agreement can be achieved within Europe, it’s ultimately international consensus that’s required. The EC recognises this and stresses in the Communication the importance of strengthening the EU’s presence in international dialogue and cooperation on standards.
Conclusion
IoT offers great potential to transform business, but careful consideration of the legal issues is vital. Indeed, IoT initiatives will require a multi-disciplinary approach to maximise success. Organisations will typically need to pull together a ‘connected’ team, including stakeholders from IT, engineering, R&D, finance, business, marketing, legal and compliance.