The legal implications of the Internet of Things

Posted on 8 Jul 2014 by The Manufacturer

Alistair Maughan, a partner at law firm Morrison & Foerster and co-chair of the Technology Transactions Group, discusses the legal implications of the Internet of Things for manufacturers.

Alistair Maughan, Morrison & Foerster.

By 2020, it’s estimated that there will be 50 billion internet-enabled devices, controlling everything from your morning cup of coffee to your evening choice of television series.

Refrigerators that tell you when your food is going off, thermostats that monitor and control your house’s heating, and sensors that monitor your sleeping baby’s vital signs – the Internet of Things (IoT) is developing at an increasingly rapid pace.

But while this may provide a desirable vision of the future, it creates a wake of legal and ethical problems.

It’s one thing to feel comfortable with your fridge knowing that you eat pizza every Tuesday, but if that information were to be passed on to your health insurance provider and affected your premiums, it may become a very different matter.

Data in a post-Snowden world

In a post-Snowden world, data protection measures have taken on a far greater social relevance.  The onus now falls to companies to ensure that the products they create are designed and manufactured to be legally – and ethically – compliant.

A “thing” is really just a device to collect and disseminate information.  It has to be produced, installed and maintained, just like any other item.  Accordingly, to anticipate the likely commercial implications of the IoT, you need to understand the lifecycle of deployment of the “things” involved.

That lifecycle ranges from initial design and development, through manufacturing, installation, operational mode, maintenance and, finally, decommissioning and re-commissioning.  It is important to understand both the overall supply chain and the network of agreements that underpins each stage, as well as the relevant issues that arise.

To some extent, the challenges facing manufacturers of internet-enabled devices are much the same as for many other forms of technology.  Liability, intellectual property ownership, and compliance with consumer protection regulations are all issues that require constant awareness and engagement.

But, for many consumer-oriented products, it’s the data privacy angle that needs real attention, especially in a developing field where regulatory measures are struggling to keep up with the pace of technology development and deployment.

The folly of devices

At the core of the problem is the dilemma thrown up by the very way that the IoT-enabled devices operate.  Having been designed exclusively to increase productivity and reduce costs, it’s very difficult to create a machine that takes more holistic ethical concerns into account.  Technology may have an “ambient IQ”, but this is by no means the same as a moral compass.

There is little commercial interest in creating devices with an in-built moral awareness and, with autonomous applications processing data quickly and efficiently, the user may not even be aware of their data privacy rights.

While the ability to process data has historically been limited by the lack of interconnectivity between devices, they are quickly learning to cooperate.  Data that previously resided in silos according to the sensors and systems by which it was captured will in future be able to be cross-referenced and linked.

Soon, companies will be able to create wider ways of bringing together complex, individual data and using those data sets to make innovations, predict customers’ behaviours, and increase the efficiency of the manufacturing process.

Understandably, where the IoT ecosystem touches on personal data of individuals, there is widespread concern about the unforeseen effects; it is seen by some to cross a line when a machine can predict shopping or holiday habits from information previously collected.

The UK data landscape

But how does this fall into the current data privacy landscape?  Some would lead you to believe that the UK is already a dystopia of Orwellian government surveillance, but the reality is that a framework of data protection legislation is already in place.

Member states of the EU remain bound by the existing European principles of the Data Protection Directive 95/46/EC.  This states that data must only be collected for “specific, explicit and legitimate” purposes, and that the methodology behind collection must be adequate, relevant and not excessive.

Having been introduced in 1995, the current EU data privacy landscape isn’t new, and concerns about internet-enabled technology have been filtering through to Brussels.  In early 2013, the EU Commission produced a report detailing in-depth consultation with the European public about issues raised by the IoT.

This was followed by the Draft Data Protection Regulation, intended to fully harmonise the European data protection landscape.  Approved in March of this year, the regulation must now be approved by each of the 28 EU member states.  It’s looking increasingly likely to be passed sooner rather than later.

The technology and regulation race

From a legal perspective, organisations will be pressured into adapting their data protection policy to fit the new climate.  Privacy by design is fundamental to IoT product manufacture. For manufacturers of products incorporating internet-enabled technology, it will become an imperative to implement appropriate privacy policies and procedures explaining what data is collected, why it’s being collected and how an individual can access it.

It all comes down to transparency; by ensuring that customers are aware of where their data is going, and for what purpose, they will be satisfied that the organisation is doing its utmost to comply with their individual rights. If they wish to withdraw consent, they have the option.

Clearly, privacy and data security issues are fundamental to any IoT solution.  But it’s also important to realise that many IoT solutions do not involve any kind of personal data to which regulations might apply.  Data security might still be an issue, but the regulations underpinning the transfer of personal data overseas or securing appropriate consents to data are unlikely to apply.

Conversely, issues around ownership of data and intellectual property rights are likely to be raised in almost any scenario.  It’s fundamental to determine whether and how issues of IPR ownership and licence rights are addressed, and whether those rights are wide enough to cover the intended use.

As ever, technology and regulation are locked into their own on-going arms race.  But manufacturing firms now have the chance to take the lead and prove that they are the most ethically responsible and reliable producer of any given form of technology.  As we move further into an era where individual liberties are valued, firms that fail to adapt risk falling behind.