The ‘Internet of Things’ (IoT) is clearly a game changer that impacts and transforms our daily live in all ranks, since with its emergence a myriad of user data is getting collected and analyzed in a matter of seconds. Naturally, this raises privacy and security concerns globally.
The business law firm Mason Hayes & Curran started to look early into the legal issues that are surrounding the Internet of Things (IoT) for many good reasons. The smart devices are constantly sensing and/or tracking our behavior, making it difficult to apply existing laws to the range of IoT devices in the market.
“We have previously examined Data Protection and Privacy Challenges in IoT and IoT Recommendations from EU Privacy Regulators, as these articles illustrate, two of the core risk areas with the IoT relate to user privacy and device security. This could be anything from hackers breaking into the user’s IoT network at home and controlling or disabling devices remotely, to unauthorized access or theft of personal data”, the law firm wrote in its blog already back in 2016.
Mason Hayes & Curran points out that security and privacy protection will most probably determine the success of the IoT, hence, approved standards or protocols relating to the operation of IoT devices are crucial.
The law firm identified a number of legal challenges that have to be take into consideration in today’s ultra-connected world, which are the following
Different regulations in different countries
The Federal Trade Commission (FTC) in the U.S. provided three key recommendations for companies designing or developing IoT devices:
- data security - IoT companies should design devices so that they are physically secure ‘out of the box’
- data consent – IoT companies should let users choose what data they share and promptly notify them of a data breach
- data minimization – IoT companies should not collect more data than they need
Well, one of the uncertainties for IoT companies is that different regulations may be adopted in different jurisdictions. This adds to the operating costs and regulatory burden of an IoT company operating in multiple jurisdictions. Importantly, however, the FTC guidelines appear to be broadly consistent with many of the recommendations from the EU’s Article 29 Working Party Opinion from late 2014, which itself seemed to rely on features of the draft EU General Data Protection Regulation, such as privacy by design, the right to data portability and the principle of data minimization.
Chain of liability
As automation and decision-making robots become a reality, the question of who is liable when an IoT device malfunctions or crashes becomes blurred. For example, if a self-drive car accelerates too quickly and causes a traffic accident on a highway, it is complicated to determine who in the chain of supply is liable to the user. Every stakeholder, from the IoT end-supplier to the device manufacturer, the sensor designer, the software programmer, the hosting company and the local internet service provider, will scramble to review the terms of their respective contracts and each may try to ‘blame’ the next party along in the chain of liability.
Complicated ownership of data scenarios
As data is the currency that flows through the IoT and allows it to work, an IoT company can create enormous value if it is able to understand the nature and patterns of information its devices collect from users. It could exploit this data for everything from using it to target advertising for particular users to determining the company’s overall strategy and direction. However, from a legal perspective, the scenario of ownership of data becomes complicated in a home using a range of connected IoT devices from different suppliers that share the user’s data between devices.
Availability of bandwidth and ‘net neutrality’
‘Net neutrality’ refers to the concept that governments and internet service providers (ISPs) have a duty to treat all data on the internet equally and not discriminate or charge users extra for any reason, whether by user type, user location, website visits or equipment used. In future, with so many different IoT devices all trying to use the same wires of the internet, the world wide web may become congested as it tries to process all the traffic on the network at the same time. While advocates of ‘net neutrality’ are opposed to a ‘dual lane’ internet, with so many connected devices and so much data being transferred, unless there is significant investment in infrastructure, ISPs or governments may be forced to require IoT users pay to a premium for unmetered and unlimited access to the internet.
If IoT devices manufactured by different companies are not interoperable and remain locked to their own proprietary networks and technology this will limit the usefulness of the IoT and may cause competitors or users to take legal action. We may see some IoT companies trying to lock users into the company’s own ‘eco-system’ by using copyright law to protect their IP and to prevent competitors from using their software and APIs. There are also numerous patents being filed in relation to protecting wearable technology, such as solar powered contact lenses and even certain hand gestures. These developments mean that companies designing IoT solutions should carefully consider how they can protect the IP they create and ensure they are not infringing someone else’s IP. In general, the uptake of IoT may also require the review of definitions used in consumer legislation as the current definitions contemplate some form of communication between traders and consumers.
Mason Hayes & Curran summed up in its blog post in a comprehensive and structured way that the law may struggle to evolve quickly enough to address the challenges the fast IoT development poses to companies. “Past experience with other technologies shows that when this happens the industry is likely to face considerable regulatory and media scrutiny”, the law firm emphasized.
“Understandably, though, many existing IoT companies are reluctant to follow government guidelines and self-regulate when the parameters of such self-regulation are not clear and where it may result in them losing competitive advantage. However, as IoT regulations and rules are still being established, now is the perfect time for IoT companies to plan and adapt their products and services accordingly. This will allow them to differentiate themselves from the competition in the market and to position themselves as the company that offers products that help customers interact with their devices like never before while minimizing the challenges of an ultra-connected world”, Mason Hayes & Curran concluded.