The Internet of Things and the law

If there's a recurring theme of this blog, it's probably that the gap is continually widening between what technology can do and the laws that exist to regulate technology and its capabilities. From offshoring to cloud to the right to be forgotten, regulators are in constant catch-up mode, seeking with increasing desperation to apply old legal norms to ever more sophisticated technologies.

The Internet of Things (IoT) and machine-to-machine communication solutions are the latest in a long line of IT developments where the tech sector rides the wave, while lawmakers struggle in its wake.

In IoT terms, a "thing" is really just a device to collect and disseminate information. It has to be produced, installed and maintained, just like any other item. Accordingly, to anticipate the likely commercial implications of the IoT, CIOs will need to understand the lifecycle of deployment of the "things" involved.

That lifecycle ranges from initial design and development, through manufacturing, installation, operational mode, maintenance and, finally, decommissioning and re-commissioning. Any IoT solution will depend upon an extended supply chain and issues of data ownership will apply across that supply chain. It is important to define handover points and who owns the integration risk for specific products as they are developed and rolled-out on to the market. Many of the issues here will be typical outsourcing type issues around service availability and response times, issues of scalability, price structure issues and exit issues.

For example, at the design and development stage an IoT-enabled product will typically involve, at a minimum, professional services agreements and employment agreements. Issues such as privacy by design and security by design need to be addressed, along with the core issues of whether the IPR ownership and licence rights are wide enough to cover the intended use - which would typically be resolved by appropriate contractual terms.

Looking forward to the eventual deployment of the product, at the end stage there will be third-party services agreements as well as appropriate end-user agreements. The product manufacturer will need to address appropriate security and privacy issues concerning the transfer of data and arrangements for exit and avoiding lock-in. So, for a car with built-in telematics that registers user data, how do you allow for resale of that car? How do you allow for user A's data to be deleted (or transferred to user A's own personal data locker) and enable user B to wipe the slate clean in respect of that car, register his or her identity and re-start the clock running on the car's telematics data sensors. All of these need to be addressed from the outset of the product's deployment.

In liability terms, the IoT raises many of the same issues that lawyers have dealt with for many years - in terms of which party is liable for acts or omissions. An organisation implementing an IoT solution will need to understand the types of liability that might arise from a particular IoT application, such as who bears responsibility for inaccurate data or failure to achieve proper anonymisation of data collection.

However, another developing issue for corporate users of IoT, especially when allied with Big Data analytics, is whether the predictive capabilities of an IoT/Big Data solution impose greater duties to identify risks and intervene before incidents occur. In other words, if companies use an IoT solution to collect data, combine it with other data and make predictions about the future, does that create a greater duty to act to prevent problems before they cause injury? If a company that offers an IoT-enabled solution (to use data in medicine bottle to identify users failing to take their medication and issue a warning, for example) does not analyse data correctly, is the company liable for failing to identify the potential for injuries or unfortunate events (i.e., not issuing a warning when it should have)?

As companies realise the benefits of the IoT, they will increasingly have to reckon with the consequent risks. Utilising and monetising the IoT raises significant legal questions of potential liabilities, some of which cut across traditional norms of foreseeability. While the IoT issues may be more eye-catching in the area of privacy and data security, a wide range of other issues - from regulatory compliance to IPR to liability - also need to be properly addressed to understand, and price, the risks that any given IoT-enabled solution will create.

Copyright © 2014 IDG Communications, Inc.

7 secrets of successful remote IT teams