The cyber laws, particularly the laws pertaining to data protection and data security in India, are at a nascent stage and are still developing, with the only significant legislations being the Information Technology Act, 2000 ("ITA") and the "Reasonable practices and procedures and sensitive personal data or information Rules, 2011". Due to the paucity of legislation in this regard, the legal issues pertaining to an IoT service provider can be fully addressed only by drafting and executing agreements incorporating relevant provisions to safeguard the interest of both the IoT service provider and the IoT user. The key issues to be taken into consideration for an IoT environment are discussed below:
Data Privacy & Protection
With innumerable IoT devices talking to each other via the internet, the potential for a data security breach is high, and as more and more IoT devices are introduced in the market, this issue will only become more complicated. The provisions relating to data protection of individual personal information are covered under the Information Technology Act, 2000 ("ITA") and the "Reasonable practices and procedures and sensitive personal data or information Rules, 2011" ("Rules") issued under Section 43A of the ITA (as amended). Section 43A of the ITA deals with protection of data in electronic medium and provides that when a body corporate is negligent in implementing and maintaining 'reasonable security practices and procedures' in relation to any 'sensitive personal data or information' that it deals with, possesses or handles in a computer resource that it owns, operates or controls, and such negligence causes wrongful loss or wrongful gain to any person, such entity shall be liable to pay damages by way of compensation to the person so affected. Further, Section 72 of the ITA enunciates the penalty for breach of the confidentiality and privacy of the data collected.
The service provider can also adopt precisely drafted terms & conditions which typically regulate Limitation of Liability, Responsibilities of the service provider and consumer/user, Indemnification, Intellectual Property Rights, Assignment/Licensing, and Dispute Resolution etc.
Further, in order to ensure compliance with Section 72 of ITA, the service provider can execute stringently drafted Non-Disclosure Agreements with its customers.
Considering the volume of the data/information and the number of stakeholders involved, which in all likelihood is going to increase in the coming time, the service provider may be required to outsource the responsibility of accumulating, processing and safekeeping of the data to third party "specialist data brokers/vendors". In such a scenario, it is pertinent that, prior to any disclosure to any third party, the service provider takes all reasonable steps to ensure that there is no breach of the privacy and data protection clauses. The service provider can also execute separate vendor agreements providing guidelines to protect "sensitive personal data or information" in accordance with the provisions of the Indian IT Act.
The service provider needs to strike the right balance concerning the "allocation of risk". This is particularly vital in order to set the limitation of liability for the service provider in the event of breach of data privacy and non-disclosure requirements. The allocation of risk can be dealt with by incorporating relevant provision in the terms & conditions of use of service. Alternatively, the service provider can have software End User Licensing Agreements (EULA) drafted that incorporate the relevant clauses which can be executed each time a user of IoT agrees to use the service provider's software/services.
Due to the involvement of multiple stakeholders/IoT users, the involvement of third parties and the multitude of sources of the data, the data may come into the possession of many data processors. The IoT service provider, being the data controller, would essentially determine the scope, extent, manner and purpose of the use of the personal data, whereas the service provider may have different third party data processors functioning to process the data at the instance and under the control of the data controller. Therefore, an aspect worth noting is that since there are numerous channels of dissemination of the data/information and multiple stakeholders involved, the IoT service provider (data controller) should at all times ensure that the line between data controller and data processor does not get obscured. Additionally, the Machine Generated Information (MGI) and Machine to Machine Communication (M2M) generated in an IoT environment would also pose ownership and liability issues.
In light of the above, the allocation of risk and responsibilities between the parties must be defined precisely, in particular which party bears the liability for any damage caused to the user of an IoT and which party owns the information generated by the IoT project. Hence, warranties and indemnities regarding data protection, security and privacy will become important to help draw the line between data controller and data processor, which is made all the more complex by the large number of stakeholders involved in an IoT environment. The question of who will own the data will be based purely upon the agreement between the two entities.
Privity of E-Contracts
The issues pertaining to data ownership, security and privacy in an IoT environment can be reasonably addressed by contracts between device manufacturers/IoT service providers and the IoT users. These contracts may be entered into by way of click-wrap and shrink-wrap contracts, which are basically End User Licensing Agreements (EULA) governing the terms and conditions of use of the software or device. Like any normal contract, an e-contract can form a valid and binding relationship between the parties under the Indian Contract Act if it fulfils the essentials of a valid contract as provided under Section 10 of the Act. In an IoT environment, there is no privity of contract between multiple IoT users, which may lead to complexity in case of a dispute. Therefore, the draft agreement should contain express provisions regarding third party liabilities and dispute resolution.
Product Liability & Consumer Protection
Where an IoT device malfunctions, or if data or software is compromised or lost, individuals and businesses may suffer devastating losses. Such device failures may result not only from a device defect but also from a network failure to provide communications as needed. Thus, it will be important for IoT device manufacturers to purchase and cover themselves with product liability insurance.
Intellectual Property Rights
An IoT environment facilitates data generation and content creation, including Machine Generated Data. The question that arises is, "When original data is created by virtue of the interaction of various devices in an IoT environment, which may include, inter alia, a new process of arriving at desired results, who claims the IP Rights in such content/data/process?" The ownership of the title and claim to the IP Rights needs to be expressly enunciated in the agreements executed between IoT service providers and device manufacturers/consumers, especially considering the fact that the IP rights confer upon the owner a host of other rights like licensing and commercialization of their IP to further exploit the commercial utility of their IP.
The legal wisdom regarding the IoT is inadequate due to the lack of sentience and awareness in this regard. With the advancement in technology, the IoT environment continues to evolve at an unprecedented rate and the legal acumen regarding IoT cannot lag behind for long. Europe, the US and Australia have already embraced the legal implications of an IoT environment and it is about time that the Indian legislature triggers a befitting enactment!