The 'Internet of Things' (IoT) is a real game changer that is set to transform our lives. Gartner predicts that by the end of this year over 6.4 billion web-enabled devices will be connected as part of the Internet of Things, an increase of 30% on 2015. And a staggering 5.5 million new 'things' will be added each day with the total predicted to rise to over 20 billion by 2020.
What exactly is the 'Internet of Things'?
In simple terms, the Internet of Things, which is also known as the IoT, is a collection of everyday physical 'smart devices' that are connected to the internet (and in turn to each other) and which send and receive myriads of user data. Examples include 'smart' thermostats, wearable devices, home security web-cam monitoring, and even 'smart' coffee machines. The IoT allows users to control and interact with these devices individually or collectively through apps on their smartphone. Some IoT companies even claim that their devices can 'learn' user behaviours and adapt to them.
Privacy and security
Many of the legal challenges arising from smart devices that are constantly sensing and/or tracking our behaviour are new. Consequently, it is not always easy to apply existing laws to the range of IoT devices in the market. We have previously examined Data Protection and Privacy Challenges in IoT and IoT Recommendations from EU Privacy Regulators. As these articles illustrate, two of the core risk areas with the IoT relate to user privacy and device security. This could be anything from hackers breaking into the user's IoT network at home and controlling or disabling devices remotely, to unauthorised access or theft of personal data.
Other legal challenges
While it is probably true that security and privacy protections will determine the success of the IoT, in this article we will explore some other legal challenges that arise in the IoT and why the absence of approved standards or protocols relating to the operation of IoT devices adds to these challenges.
Different regulations in different countries
In the US, the Federal Trade Commission (FTC) has recently released an IoT report, which contains the following three key recommendations for companies designing or developing IoT devices:
- data security - IoT companies should design devices so that they are physically secure 'out of the box'
- data consent – IoT companies should let users choose what data they share and promptly notify them of a data breach
- data minimization – IoT companies should not collect more data than they need
One of the uncertainties for IoT companies is that different regulations may be adopted in different jurisdictions. This adds to the operating costs and regulatory burden of an IoT company operating in multiple jurisdictions. Importantly, however, the FTC guidelines appear to be broadly consistent with many of the recommendations from the EU's Article 29 Working Party Opinion from late 2014, which itself seemed to rely on features of the draft EU General Data Protection Regulation, such as privacy by design, the right to data portability and the principle of data minimisation.
Chain of liability
As automation and decision-making robots become a reality, the question of who is liable when an IoT device malfunctions or crashes becomes blurred. For example, if a self-drive car accelerates too quickly and causes a traffic accident on the M1 motorway, it is complicated to determine who in the chain of supply is liable to the user. Every stakeholder, from the IoT end-supplier in Ireland, to the device manufacturer who could be located in China, the sensor designer who could be located in Germany, the software programmer who could be located in the UK, the hosting company hosting the user's data who could be located in the US, and the local Irish internet service provider, will scramble to review the terms of their respective contracts and each may try to 'blame' the next party along in the chain of liability.
Complicated ownership of data scenarios
As data is the currency that flows through the IoT and allows it to work, an IoT company can create enormous value if it is able to understand the nature and patterns of information its devices collect from users. It could exploit this data for everything from using it to target advertising for particular users to determining the company's overall strategy and direction. However, from a legal perspective, the scenario of ownership of data becomes complicated in a home using a range of connected IoT devices from different suppliers that share the user's data between devices.
Availability of bandwidth and 'net neutrality'
'Net neutrality' refers to the concept that governments and internet service providers (ISPs) have a duty to treat all data on the internet equally and not discriminate or charge users extra for any reason, whether by user type, user location, website visited or equipment used. In future, with so many different IoT devices all trying to use the same wires of the internet, the world wide web may become congested as it tries to process all of the traffic on the network at the same time. While advocates of 'net neutrality' are opposed to a 'dual lane' internet, with so many connected devices and so much data being transferred, unless there is significant investment in infrastructure, ISPs or governments may be forced to require IoT users pay to a premium for unmetered and unlimited access to the internet.
If IoT devices manufactured by different companies are not interoperable and remain locked to their own proprietary networks and technology this will limit the usefulness of the IoT and may cause competitors or users to take legal action. We may see some IoT companies trying to lock users into the company's own 'eco-system' by using copyright law to protect their IP and to prevent competitors from using their software and APIs. There are also numerous patents being filed in relation to protecting wearable technology, such as solar powered contact lenses and even certain hand gestures. These developments mean that companies designing IoT solutions should carefully consider how they can protect the IP they create and ensure they are not infringing someone else's IP.
The IoT may mean we start to see contracts being formed between two machines. For example, a 'smart' washing machine may know that a user is running low on washing powder and order a box directly from the website of the local supermarket using the user's pre-programmed account log-in details, address and credit card information. While under existing laws it is possible for someone to set up recurring orders to replace items they have already ordered in person over the internet, it is not clear if existing principles of Irish law would apply to a contract between two machines where there is no user input. The uptake of IoT may also require the review of definitions used in consumer legislation as the current definitions contemplate some form of communication between traders and consumers.
Conclusion: What can an IoT company do?
The issues we have considered above show that as the IoT matures and becomes more complex, the law may struggle to evolve quickly enough to address the challenges it poses. Past experience with other technologies shows that when this happens the industry is likely to face considerable regulatory and media scrutiny.
Understandably, though, many existing IoT companies are reluctant to follow government guidelines and self-regulate when the parameters of such self-regulation are not clear and where it may result in them losing competitive advantage. However, as IoT regulations and rules are still being established, now is the perfect time for IoT companies to plan and adapt their products and services accordingly. This will allow them to differentiate themselves from the competition in the market and to position themselves as the company that offers products that help customers interact with their devices like never before while minimising the challenges of an ultra-connected world.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.