The legal considerations of the internet of things

As with many new technologies, there are a number of tricky legal challenges to consider as part of widespread IoT adoption

The internet of things (IoT) is the latest emerging area of technology that will be impossible to ignore.

The term has been around for some time – it is thought to have originated in the late 1990s – but it is only now, with ubiquitous connectivity and proliferation of mobile devices, that it is starting to come into its own. It coincides with the rise of big data, as IoT sensors and networks generate vast quantities of real-time information about the world around us.

But as with many new technologies, there are several tricky legal challenges to consider as part of widespread IoT adoption.

Cyber security

The National Fraud Intelligence Bureau recently said that around 70% of the 230,845 frauds recorded in 2013/14 included a cyber element, compared to approximately 40% five years ago. 

It could be argued that if consumers cannot protect the devices that are already connected to the internet, perhaps we should not be adding more web-enabled devices to our homes and businesses.

For example, would it be possible for criminals to use your central heating system to access your mobile phone and gain access to your credit card details? Security researchers recently proved they could hack into home networks through Wi-Fi-enabled smart light bulbs. Could they tell when you’re not in and rob your house? 

IoT has the potential to be a disruptive technology. Traditional consumer manufacturers may not be the most obvious long-term beneficiaries and companies that are not currently in the consumer goods market could shape the way this develops. Google’s $3.2bn purchase earlier this year of Nest, which manufactures connected thermostats, is an example of this.

Read more about the internet of things

  • IT departments unprepared for internet of things
  • Internet of Things already stretching networks to capacity
  • Germany leads the internet of things, says Cisco
  • An internet of things vision
  • Internet of things will drive forward lifestyle innovations
  • Internet of Things legal issues include product liability, data privacy

Language and culture

Behind the scenes, businesses that adopt IoT solutions will need to ensure the way in which they do this is going to address legal requirements. Much of this will relate to the contractual relationships that will support the technology and connectivity. 

A business will need to ensure that its internal departments work together. An IoT solution will require IT managers, who may be sourcing some of the service providers to implement an IoT solution, to understand the customer facing issues. Data protection, security and privacy will be at the forefront of this. 

Data protection

The way in which a business using IoT manages the vast amounts of data that those engaged objects produce will need to be filtered. This will be a challenge for developers to ensure the system works as efficiently as possible, as well as having data protection implications so irrelevant data is not collected. As we have already seen, precautions against data security breaches and misuse of data need to be designed into IoT solutions. 

Another risk identified is that data may be re-purposed. This addresses the need to safeguard data subjects by ensuring data is only used for the purpose for which it was collected and originally contemplated. 

With many IoT applications operating together and communicating with each other autonomously, data subjects will be unaware of all the processing taking place. This will impact the ability to give the right consent and exercise their rights in respect of the data collected.

It is not unrealistic to expect that there will be different IoT regulations in different jurisdictions, just as has happened with cloud, data privacy and other technologies

Regulation and standards

Governments and other regulators have begun to focus on IoT. This includes the EU commission, which has published a report on the result of its public consultation on the IoT. Top of the list of issues that the law needs to address are loss of privacy and data protection.

The EU Commissioner’s report recommended that IoT should be designed from the start to meet suitable detailed requirements that underpin the right of deletion, right to be forgotten, data portability, privacy and data protection principles.

IoT systems operators will have been looking at the recent decision in relation to Google and the right to request the takedown of links to out-of-date information, as a lesson in the importance of this to consumers. The draft Data Protection Regulation addresses some of these measures including:

  • Privacy by design and default – to ensure that the default position is the least possible accessibility of personal data
  • Consent
  • Profiling – clearer guidelines on when data collected to build a person’s profile can be used lawfully, for example to analyse or predict a particular factor such as a person’s preferences, reliability, location or health
  • Privacy policies
  • Enforcement and sanctions – violations of data privacy obligations could result in fines of up to 5% of annual worldwide turnover or €100m, whichever is greater

In the US, privacy and data security in the IoT is also being considered by regulators with the same focus on privacy and security. 

Any new solution, which is based on integration, will require standards. So far, the software industry has not been great at adopting standard terms for provision of services, including for cloud computing, although this is something which is being addressed. 

The IoT may be the beneficiary of this, but it is not unrealistic to expect that there will be different regulations in different jurisdictions, just as has happened with cloud, data privacy and other technologies.

Advantages of the IoT

Of course, every existing technology has faced criticism and fears and the IoT has a number of advantages, which suggest such concerns should not get in the way of its more widespread adoption.

For instance, waiting in for repairs on white goods might become a thing of the past thanks to remote diagnostics and programming, while meter reading could not only be carried out from afar, but also be used to help homeowners avoid overspending on utilities. The IoT may also mean an end to flooded kitchens by ensuring freezers alert their owners if their doors are left open.

Product developers could enjoy benefits too, by assessing the ways in which people actually use things and implementing this information to get rid of useless functions in favour of more useful ones.

Another key use is monitoring the elderly who live alone. Doctors could see at a glance if their medical tests are a cause for concern and check on medicine consumption remotely to see if they are taking prescriptions correctly. With an ageing population, this could well be where the IoT comes into its own

It is hard to tell at this stage if the IoT will become as widely adopted as the original internet, but the journey towards regulations and adoption is sure to be an interesting one. 

Kim Walker (pictured) is a partner at law firm Thomas Eggar LLP

Read more on Internet infrastructure

Data Center
Data Management