The term “Internet of Things” was first used by Kevin Ashton in the title of a presentation given by him at Procter & Gamble (P&G) in 1999. At that time he used the phrase to refer to Radio-frequency identification (RFID) gadgets used for tracking consignments. In other words, where everything can be connected via a sensor and connectivity to enable that ‘Thing’ to be a part of the larger ‘network ecosystem’ where machines can virtually talk to each other can be called as the Internet of Things (“IoT”).
These Internet-enabled gadgets encourage interaction between themselves (machine-to machine or M2M interaction), which require minimal human intervention. Minimal human intervention is a coveted characteristic for for many industries and sectors, as this can increase proficiency and productivity. However, like any other new innovation, the law is as yet dealing with the challenges posed by the rise of IOT.
The cyber laws particularly the laws pertaining to data protection and data security in India are still in the primitive stage and are still developing, with the only few significant legislations being the Information Technology Act, 2000 (“ITA”) and the “Reasonable practices and procedures and sensitive personal data or information Rules, 2011”. Due to the lack of legislation in this regard, the legal issues and challenges pertaining to an IoT service provider can be completely addressed only by drafting and executing agreements, incorporating relevant provisions to safeguard the interests of both the IoT service provider and the IoT user.
The major challenges to be considered for an Internet of Things environment are discussed below:
1.Privacy and Data Protection:
The IoT ecosystem is heavily dependent on data collection and transmission. This data includes personal as well as sensitive personal information of the users. With innumerable IoT devices communicating with each other via the internet, the odds for a data security breach is high and as more IoT devices are introduced in the market, the issue is getting complicated. The provisions relating to data protection of individual personal information are covered under the Information Technology Act, 2000 (“ITA”) and the “Reasonable practices and procedures and sensitive personal data or information Rules, 2011” (“Rules”). Section 43A of the ITA deals with protection of data in electronic medium and provides that when a body corporate is negligent in implementing and maintaining ‘reasonable security practices and procedures’ in relation to any ‘sensitive personal data or information’ that it deals, possesses or handles in a computer resource that it owns, operates or controls and such negligence causes wrongful loss or wrongful gain to any person, such entity shall be liable to pay damages by way of compensation to the person so affected. Further, Section 72 of the ITA, enunciates penalty for breach of the confidentiality and privacy of the data collected.
The service provider can also adopt specially drafted terms & conditions which regulate, Limitation of Liability, Responsibilities of the service provider and consumer/user, Indemnification, Intellectual Property Rights, Assignment/Licensing, and Dispute Resolution etc.
Due to the involvement of numerous IoT users, involvement of third parties and the multitude of sources of the data, the data may come into possession of many data processors. The IoT service provider, being the data controller would essentially determine the extent, manner and purpose of the use of the personal data, whereas the service provider may have different third party data processors, functioning to process the data on the instance and under the control of data controller. Since there are numerous channels of dissemination of the data or information and multiple users involved, the IoT service provider who is the data controller at all times should ensure that the line between data controller and data processor does not get concealed. In addition to this, the Machine Generated Information (MGI) and Machine to Machine Communication (M2M) generated in an IoT environment would also pose ownership and liability issues.
Warranties and indemnities regarding data protection, security and privacy will become important to help draw the line between data controller and data processor which are made more complex by the large number of users involved in an IoT environment. The question that who will own the data shall be purely based upon the agreement between the two entities.
The issues relating to data ownership, security and privacy in an IoT environment can be addressed by contracts between device manufacturers or IoT service provider and the IoT users. These contracts may be entered by way of click wrap and shrink-wrap contracts which are basically End User Licensing Agreements (EULA) governing the terms and conditions of use of the software or device. Like any other contract, an e-contract can form a valid and binding relationship between the parties under the Indian Contract Act if it meets the essentials of a valid contract as provided under Section 10 of the Act. In an IoT environment, there is no privity of contracts between multiple IoT users which may lead to complications when there is a dispute. Therefore, the agreement should contain express provisions regarding third party liabilities and dispute resolution.
An IoT device usually contains various components such as hardware, software and other service elements. Each of these components has their own set of warranties and disclaimers. Therefore, any defect or deficiency in the IoT device is a complex issue, as it is difficult to point which component or who is responsible for the defect. This becomes difficult for the user or consumer to determine whom he or she must contact for claiming compensation or repair. If all users in the transaction are disclaiming responsibility for the defect, it is possible that the consumer may not have a solution at all.
In case where an IoT device malfunctions, or if data or software is compromised or lost, individuals and businesses may suffer huge and devastating losses. Such device failures may result not only from a device malfunction but also from a network failure to provide communications as needed. Thus, it will be important for IoT device manufacturers to purchase and cover themselves with product liability insurance.
5.Intellectual Property Rights
The interconnected devices in the IoT ecosystem connect and communicate using standardized technology. Mostly the patents in these technologies are owned by third parties, the use of which may result in infringement of the rights of such third-party patent holders. Further, the parties holding these patents license out the technology at excessive prices, making it difficult for small IoT manufacturers to obtain easy access. Every time the technology is used, it is a dispute for infringement. Technologies that are used widely in the development of the IoT infrastructure must be available to the industry without any such barriers or obstacles. Compulsory licensing of such patents can be considered as a solution to the problem of patent infringement.
An IoT environment facilitates data generation and content creation including Machine Generated Data. The question that arises is, “When an original data is created by virtue of the interaction of various devices in an IoT environment, which may include, inter alia, a new process of arriving at desired results, who claims the IP Rights in such content/data/process?” The ownership of the title and claim to the IP Rights needs to be expressly enunciated in the agreements executed between IoT service providers and device manufacturers or consumers, especially considering the fact that the IP rights confer upon the owner a host of other rights like licensing and commercialization of their IP to further exploit the commercial utility of their IP.
The legal knowledge regarding the IoT is inadequate due to the lack of awareness and knowledge of its existence in this regard. With the advancement in technology, the IoT environment continues to evolve at an very high rate and the legal acumen regarding IoT cannot lag behind for long. Europe, US and Australia have already embraced the legal implications of an IoT environment and it is about time that Indian legislature triggers a befitting enactment.
– Medha P M
(Alliance Law School, Bangalore)
- Ashton, Kevin, That ‘Internet of Things’ Thing, RFID Journal, 2009
Disclaimer: Legal Bites is determined to include views and opinions from all sides of the spectrum. This doesn’t mean we agree with everything we publish. But we do support their right to the freedom of speech. In case of content writers/editors/bloggers articles, the information, ideas or opinions in the articles are of the author and do not reflect the views of Legal Bites. Legal Bites does not assume any responsibility or liability for the same.