The Internet of Things (IoT) is the world of physical devices connected with each other – and with humans – via a network or over the Internet. From home automation to medical monitoring to industrial machines, machine to machine (M2M) communication is experiencing a significant burst of activity and creativity.
As lawyers and regulators struggle to get to grips with the pace at which Internet of Things technology is developing, it’s clear that the privacy issues are attracting headline billing for lawyers. Privacy, and its co-star, data security, garner most of the headlines and legal attention. However, although the data privacy implications of the IoT are undoubtedly significant, there are a whole range of other potentially significant legal issues that need to be addressed in any IoT solution.
The term ‘Internet of Things’ was first coined in 1999 as part of efforts connected with the standardisation of approaches to RFID tags. But the real pace of growth in the IoT market has only recently begun to bear fruit. The key drivers of that growth have been the ‘perfect storm’ of:
· lower costs and increased accessibility of sensor technology;
· cheap and massively scalable computing power to enable effective data manipulation;
· growth in smartphone technology and social media;
· a huge increase in the digitalisation of information;
· ‘big data’ solutions optimised to exploit an exponential growth of an ecosystem of networked – and therefore potentially accessible – data.
IPv6 and web services are increasingly simplifying the deployment of IoT solutions by enabling more effective integration with Internet hosts; manufacturers are creatively deploying diverse ‘things’; and semiconductor manufacturers are specifically designing low power, high reliability chips for sensors intended for remote deployment in IoT solutions.
The core building blocks of growth in IoT solutions have been the relative ease and cheapness with which appropriate hardware can be produced and the dramatic evolution in wireless connectivity over the last few years. On the basis of that foundation, the IoT marketplace has seen almost bewildering growth of applications of the available technology designed for specific markets. Particular sectors such as pharma, home automation, and automotive have been fertile grounds for the roll-out of attractive new technology solutions.
Among the key technological questions underpinning long-term success in the IoT market are whether a platform developed for one vertical market will easily translate to another – which in turn depends on such key architectural issues as whether a platform is based on open or closed, proprietary technologies.
Commercial Issues
A ‘thing’ is really just a device to collect and disseminate information. It has to be produced, installed and maintained, just like any other item. Accordingly, to anticipate the likely commercial implications of the IoT, you need to understand the lifecycle of deployment of the ‘things’ involved.
That lifecycle ranges from initial design and development, through manufacturing, installation, operational mode, maintenance and, finally, decommissioning and re-commissioning. It is important to understand both the overall supply chain and the network of agreements that underpins each stage, as well as the relevant issues that arise.
So, for example, at the early stage – design & development – an IoT-enabled product will typically involve, at a minimum, professional services agreements and employment agreements. Issues such as privacy by design and security by design need to be addressed, along with IPR ownership issues which would typically be resolved by appropriate contractual terms. The developer will also need to make crucial decisions around use of open or closed standards and APIs, and whether to involve open source software.
Looking forward to the eventual deployment of the product, at the end stage there will be third-party services agreements (again to deal with re-deployment) as well as appropriate end-user agreements. The product manufacturer will need to address appropriate security and privacy issues concerning the transfer of data and arrangements for exit and avoiding lock-in. So, for a car with built-in telematics that registers user data, how do you allow for resale of that car? How do you allow for user A’s data to be deleted (or transferred to user A’s own personal data locker) and enable user B to wipe the slate clean in respect of that car, register his or her identity and re-start the clock running on the car’s telematics data sensors. All of these need to be addressed from the outset of the product’s deployment.
Clearly, privacy and data security issues are fundamental to any IoT solution. But it’s also important to realise that many IoT solutions do not involve any kind of personal data to which regulations might apply. Data security might still be an issue, but the regulations underpinning the transfer of personal data overseas or securing appropriate consents to data are unlikely to apply. Conversely, issues around ownership of data and IPR are likely to be raised in almost any scenario. It is fundamental to determine whether and how issues of IPR ownership and licence rights are addressed, and whether those rights are wide enough to cover the intended use.
As already noted, any IoT solution will depend upon an extended supply chain and issues of data ownership will apply across that supply chain. It is important to define handover points and who owns the integration risk for specific products as they are developed and rolled-out onto the market. Many of the issues here will be typical outsourcing type issues around service availability and response times, issues of scalability, price structure issues and exit issues.
In liability terms, the IoT raises many of the same issues that lawyers have dealt with for many years – in terms of which party is liable for acts or omissions. You need to understand the types of liability that might arise from a particular IoT application, such as who bears responsibility for inaccurate data or failure to achieve proper anonymisation of data collection.
However, another developing issue for corporate users of IoT, especially when allied with ‘big data’ analytics, is whether the predictive capabilities of an IoT/big data solution impose greater duties to identify risks and intervene before incidents occur. In other words, if companies use an IoT solution to collect data, combine it with other data and make predictions about the future, does that create a greater duty to act to prevent problems before they cause injury? If a company that offers an IoT-enabled solution (to use data in medicine bottles to identify users failing to take their medication and issue a warning, for example) does not analyse data correctly, is the company liable for failing to identify the potential for injuries or unfortunate events (ie not issuing a warning when it should have)? Lawyers will need to help product manufacturers understand how risk and liability are managed holistically across the supply chain, and think about potential new areas for liability.
As companies realise the benefits of the IoT, they will increasingly have to reckon with the consequent risks. Utilising and monetising the IoT raises significant legal questions of potential liabilities, some of which cut across traditional norms of foreseeability. While the IoT issues may be more eye-catching in the area of privacy and data security, a wide range of other issues – from regulatory compliance to IPR to liability – also need to be properly addressed to understand, and price, the risks that any given IoT-enabled solution will create.
Alistair Maughan is a partner in Morrison & Foerster’s London office. He is co-chair of the Technology Transactions Group and a member of the Global Sourcing Group.