The Internet of Things: Highlighting the Legal Issues

Written by Jim Dennis

What is the “Internet of Things” (IoT)?

A fridge that can update your grocery list when you’ve run out of milk? A ‘superbed’ that can monitor and improve your sleep before waking you up in the morning? The IoT is the idea of everyday physical objects having network connectivity, allowing them to both send and receive information over the internet and make smart decisions based on the information they receive (whether from a person or from another object).

IoT devices are poised to become more pervasive in our lives than mobile phones and will have access to the most sensitive personal data. As the number of connected IoT devices increases the implications on the way that people live and businesses operate are hugely exciting, but legal concerns are also multiplied.

What are the legal issues?

The risks posed to security and privacy by hackers being able to access and control devices are becoming increasingly apparent. For example, hacking into smart thermostats could reveal whether or not a family is at home. Web-linked security cameras could be used to spy on residential properties. A recent study by HP Security Research reviewed 10 of the most popular devices in some common IoT niches, revealing an alarmingly high average number of vulnerabilities per device.

However, this is by no means the only issue that has arisen. As the IoT starts to plays a greater role in our lives, other legal issues to be aware of will include:

  • Liability: As people increasingly rely on machines to automate elements of their life, the question will arise as to what happens when the machines get it wrong? Who will be liable? A case of someone providing a machine that does not behave as it should may be simple (it is likely that the provider would be liable under the contract of supply). However, where machines are not ‘provided’ under contracts, and are accessible by internet users generally, the situation will be less clear. Under English law it is not lawful to limit liability for personal injury or death caused by negligence, so the greatest risk for businesses here may come from health- related or medical devices.
  • Patents: The extent to which many parts of the technology required for the IoT are patentable could become an issue. UK and European case law is clear that software and methods of doing business are by and large not patentable. However, computer-implemented inventions that have a technical effect (and fulfil other certain requirements) are potentially patentable. Another key difficulty will be that for the IoT to work effectively, it needs to connect objects from different sources and allow the addition of new objects without disrupting the existing design or requiring an alternative structure. If the standardised elements of technology in the architecture are patented, this presents a problem because without a licence from the patent owners, third party users of the technology may infringe those patents.
  • Access to bandwidth: With so many devices connected to the internet, an increase in bandwidth will be needed. Although connection speeds are enabling IoT today, at some point in the future it is very possible demand will exceed supply. The principle that Internet Service Providers and governments should treat all data on the internet equally (net neutrality) will arguably become vital in terms of eliminating barriers and keeping costs down for consumers. The European Parliament recently voted in favour of this, and a bill to stop internet providers from charging for preferential access to their networks is now awaiting approval, although the plans will still need to be adopted by individual member states. European policy appears to be departing from the route taken in the US, where net neutrality rules were struck down by a court in January this year. This issue is one that will therefore become increasingly relevant at both a domestic and global level for businesses. Alternatively, it may be that other technological solutions can be developed to solve the problem.
  • Ownership: Who owns what when devices interact with each other and collect vast amounts of data? It’s won’t always be straightforward to decide who owns the technology on which the IoT is founded, and it will be even trickier to deal with ownership of data. It is likely to become increasingly difficult for individuals to keep track of and control what data is shared, when and with whom, where it’s stored and for what purpose.
  • User profiling: In relation to the above, the monitoring of data will increase the opportunity for businesses to profile individuals for various reasons. Use of personal data for user profiling already falls within the general requirements of the Data Protection Act 1998. Under proposed EC law users are likely to be given the right to object to such profiling.
  • Automated contracts: In the UK, consumers are protected by various laws. The set of laws that apply to internet or ‘remote’ sales (where there is no face to face contact) are known as the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (previously the Distance Selling laws). These require, among other things, the relevant seller to communicate clearly to the buyer the terms on which the sale is to be made, a cooling off period of up to 14 days to be provided, and express consent to be given by consumers where extra payments will be charged in addition to the price paid for the goods/services. What will happen when machines buy and sell from each other? Will consumer laws apply? The reality is that written communication will still need to take place directly between the seller and individual to satisfy these laws.

To tackle concerns, the manufacturers of products need to address legal issues at the design and production stages. With the growing number of connected things in people’s lives, individuals will have the ability to become more in tune with their own data and interact further with brands and retailers. Businesses will need to establish a trust among consumers and prove that they have addressed these issues before going to market. The IoT has the huge potential for improving lives, saving resources, and lowering costs. However, only time will tell how much personal autonomy and privacy individuals are willing to risk in order to fully reap these benefits.

Contact the Author

Jim Dennis

Gordon Dadds