The Internet of Things or the IOT is all around us, whether we realize it or not. Common devices that we see everyone wearing such as fitness bands, to smart grids that provide sustainable energy solutions are all part of the IOT ecosystem. A whole range of devices are becoming internet enabled or 'smart' such as smart lights, smart homes, smart refrigerators, etc. These internet enabled devices facilitate interaction between themselves (machine to machine or M2M interaction) which require minimal human intervention. Minimal human intervention or automation is a desired trait for many industries and sectors, as this can increase efficiency and productivity. However, like any other new technology, the law is still coming to grips with the challenges posed by the emergence of IOT.
The emergence of IOT has led to large scale interaction between the various 'internet enabled' devices and exchange of huge volumes of data between them. This in turn has resulted in the existing laws and norms on privacy, data security, intellectual property and product liability being challenged or posing challenges to IOT in ways described below. This article poses questions and sub-questions, an attempt to answer them is for another time.
1. Privacy & Data Security
The IOT ecosystem is heavily dependent on data collection and transmission. Ordinary devices with connected sensors collect terrabytes of data through the Internet, enabling M2M interaction and processing of data for particular services. This data includes personal as well as sensitive personal information of the users such as bank account details, blood group of an individual, etc. Before such data is collected from the users, express notice is given and consent to collect the data is obtained as required under the current and proposed law on privacy in India. Most privacy laws also require giving an option to the user to withdraw consent, change the information in case of a mistake, etc. This is easy to follow in case of ordinary smartphones and computers with a readymade interface where it can be done. However, in an IOT ecosystem, ordinary devices such as a wearable or a thermostat (with no proper interface) also collect data. Obtaining consent and adhering to the other requirements of privacy in these situations become difficult. Ensuring the security of this data in these devices also becomes challenging, given the costs involved in privacy by design and insufficient standards for data security layers.
2. Intellectual Property
- Network connectivity is the foundation of the IOT ecosystem. The interconnected devices in the IOT ecosystem connect and communicate using standardized technology. In this regard, Standard Essential Patents (SEP) in the Information and Communication Technology sector, is essential for the proliferation of IOT. Mostly the SEPs in these technologies are owned by third parties, the use of which may result in infringement of the rights of such third party patent holders. Further, the parties holding these patents license out the technology at exorbitant prices, making it difficult for small IOT manufacturers to have easy access. Every time the technology is used, it is a potential dispute for infringement. Technologies that are used widely in the development of the IOT infrastructure must be available to the industry without any such barriers or obstacles, preferably on fair, reasonable and non-discriminatory (FRAND) terms. A few standard setting organizations in Europe have initiated the process, by prescribing guidelines to make the standardized technology available on FRAND terms to all stakeholders.
- There are multiple stakeholders in an IOT transaction chain, with each stakeholder either collecting, processing or generating new data. These are generally large volumes of data that are extremely useful in analytics and further development of the IOT, with a commercial value of its own. As a result, questions on who owns this data will come up in these scenarios. This data may be further compiled in unique ways or databases, which will again be considered valuable intellectual property.
3. Product Liability
An IOT device usually comprises of various components such as hardware, software and other service elements. Each of these components come with their own set of warranties and disclaimers. Therefore, any defect or deficiency in the IOT device riding on substantial service delivery frameworks, is a complex issue, as it is difficult to pinpoint which component or which link or actor in the IoT transaction chain, is responsible for the defect. This becomes difficult for the user/ consumer to determine who he/she must go to for claiming compensation or repair. If all stakeholders in the transaction are disclaiming responsibility for the defect, it is possible that the consumer may not have a way out at all. For example, insurance companies are increasingly offering wearable devices to its customers for tracking their health data to offer incentives. The wearables offered by these companies may be manufactured by another entity and the insurance company typically disclaims warranty in relation to the fitness of the device. There could be situations, where an incentive to a customer is withdrawn due to discrepancies in the data, as a result of a defect in the product. In such situations, it becomes difficult for the customer to bring an action against the insurance company. However, the recent amendments to the law on consumer protection in India attempts to bring a solution to these challenges upto a limited extent, by defining "product seller" and attributing product liability under certain circumstances to this category. In this regard, the insurance company in the above example can be brought under this category.
4. M2M Contracts
The IOT devices interact among themselves without the user's intervention and sometimes act on behalf of users. For example, an IOT refrigerator will place an order for milk from the local grocery store when the milk is about to get over. The refrigerator in this case is transacting on behalf of the owner every time it places an order for milk, without his/ her interference or express orders. In effect, the IOT device is entering into a contract for the user, without his knowledge or express transactional-specific consent. A master or initial generic consent at the time of sign-up or first use of the device may exist, but the owner of the refrigerator may not realize that it he is entering into a contract, every time the refrigerator does so. In this regard, the question of whether the user is aware and has agreed for the device to enter into specific transactions on his behalf becomes crucial.
Clearly there are significant legal challenges for the advancement of the IOT ecosystem which will require a convergent view of law and technology and its impact on society in order to address these challenges. It is imperative that conversation and dialogue on these issues take place, in order to address these legal impact factors.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
