As many new companies found themselves on the growing internet of things, Mason Hayes & Curran outlines the various legal issues these businesses must consider.
The internet of things (IoT) is a real game-changer that is set to transform our lives. Gartner predicts that by the end of this year more than 6.4bn web-enabled devices will be connected as part of the internet of things, an increase of 30pc on 2015. And a staggering 5.5m new ‘things’ will be added each day, with the total predicted to rise to more than 20bn by 2020.
What exactly is the internet of things?
In simple terms, the internet of things, which is also known as the IoT, is a collection of everyday physical ‘smart devices’ that are connected to the internet (and in turn to each other) and which send and receive myriad user data.
Examples include smart thermostats, wearable devices, home security webcams, and even smart coffee machines. The IoT allows users to control and interact with these devices individually or collectively through apps on their smartphone. Some IoT companies even claim that their devices can ‘learn’ user behaviours and adapt to them.
Privacy, security and other legal challenges
Many of the legal challenges arising from smart devices that are constantly sensing and/or tracking our behaviour are new. Consequently, it is not always easy to apply existing laws to the range of IoT devices in the market.
We have previously examined data protection and privacy challenges in IoT and IoT recommendations from EU privacy regulators. As these articles illustrate, two of the core risk areas with the IoT relate to user privacy and device security. This could be anything from hackers breaking into the user’s network at home and controlling or disabling devices remotely, to unauthorised access or theft of personal data.
While it is probably true that security and privacy protections will determine the success of the IoT, in this article we will explore some other legal challenges that arise and why the absence of approved standards or protocols relating to the operation of IoT devices adds to these challenges.
Different regulations in different countries
In the US, the Federal Trade Commission (FTC) recently released an IoT report, which contains the following three key recommendations for companies designing or developing IoT devices:
- Data security: IoT companies should design devices so that they are physically secure ‘out of the box’.
- Data consent: IoT companies should let users choose what data they share and promptly notify them of a data breach.
- Data minimisation: IoT companies should not collect more data than they need.
One of the uncertainties for IoT companies is that different regulations may be adopted in different jurisdictions. This adds to the operating costs and regulatory burden of an IoT company operating in multiple countries and regions.
Importantly, however, the FTC guidelines appear to be broadly consistent with many of the recommendations from the EU’s Article 29 Working Party Opinion from late 2014, which itself seemed to rely on features of the draft EU General Data Protection Regulation, such as privacy by design, the right to data portability and the principle of data minimisation.
Chain of liability
As automation and decision-making robots become a reality, the question of who is liable when an IoT device malfunctions or crashes becomes blurred.
‘If a self-driving car accelerates too quickly and causes a traffic accident on the M1, it’s complicated to determine who is liable’
For example, if a self-driving car accelerates too quickly and causes a traffic accident on the M1 motorway, it is complicated to determine who in the chain of supply is liable to the user. Every stakeholder – from the IoT end-supplier in Ireland, to the device manufacturer (who could be located in China), the sensor designer (who could be located in Germany), the software programmer (who could be located in the UK), the hosting company hosting the user’s data (who could be located in the US), and the local Irish internet service provider – will scramble to review the terms of their respective contracts and each may try to ‘blame’ the next party along in the chain of liability.
Complicated ownership of data scenarios
As data is the currency that flows through the IoT and allows it to work, an IoT company can create enormous value if it is able to understand the nature and patterns of information its devices collect from users. It could exploit this data for everything, from using it to target advertising for particular users to determining the company’s overall strategy and direction.
However, from a legal perspective, the scenario of ownership of data becomes complicated in a home using a range of connected IoT devices from different suppliers that share the user’s data between devices.
Availability of bandwidth and net neutrality
‘Net neutrality’ refers to the concept that governments and internet service providers (ISPs) have a duty to treat all data on the internet equally and not discriminate or charge users extra for any reason – whether by user type, user location, website visited or equipment used.
In future, with so many different IoT devices all trying to use the same wires of the internet, the world wide web may become congested as it tries to process all of the traffic on the network at the same time.
While advocates of net neutrality are opposed to a ‘dual-lane’ internet, with so many connected devices and so much data being transferred, unless there is significant investment in infrastructure, ISPs or governments may be forced to require IoT users to pay a premium for unmetered and unlimited access to the internet.
If IoT devices manufactured by different companies are not interoperable and remain locked to their own proprietary networks and technology, this will limit the usefulness of the IoT and may cause competitors or users to take legal action.
We may see some IoT companies trying to lock users into the company’s own ecosystem by using copyright law to protect their IP and to prevent competitors from using their software and APIs.
‘There are numerous patents being filed to protect wearable technology and even certain hand gestures’
There are also numerous patents being filed in relation to protecting wearable technology, such as solar-powered contact lenses, and even certain hand gestures. These developments mean that companies designing IoT solutions should carefully consider how they can protect the IP they create and ensure they are not infringing someone else’s IP.
The IoT may mean we start to see contracts being formed between two machines. For example, a smart washing machine may know that a user is running low on washing powder and order a box directly from the website of the local supermarket using the user’s pre-programmed account login details, address and credit card information.
‘It is not clear if existing principles of Irish law would apply to a contract between two machines where there is no user input’
Under existing laws, it is possible for someone to set up recurring orders to replace items they have already ordered in person over the internet, though it is not clear if existing principles of Irish law would apply to a contract between two machines where there is no user input. The uptake of IoT may also require the review of definitions used in consumer legislation as the current definitions contemplate some form of communication between traders and consumers.
What can an IoT company do?
The issues we have considered above show that, as the IoT matures and becomes more complex, the law may struggle to evolve quickly enough to address the challenges it poses. Past experience with other technologies shows that when this happens the industry is likely to face considerable regulatory and media scrutiny.
Understandably, though, many existing IoT companies are reluctant to follow government guidelines and self-regulate when the parameters of such self-regulation are not clear and where it may result in them losing competitive advantage.
However, as IoT regulations and rules are still being established, now is the perfect time for IoT companies to plan and adapt their products and services accordingly. This will allow them to differentiate themselves from the competition in the market and to position themselves as the company that offers products that help customers interact with their devices like never before while minimising the legal challenges of an ultra-connected world.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.
Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.
Internet policing image via Shutterstock