The “Internet of Things” (IoT) is a term used to describe devices which can connect via the internet and can communicate with us and each other. Used efficiently, these IoT devices could transform the way in which we live, with technology assisting various tasks and processes as we go about our daily lives.
There is a whole host of IoT devices now available to consumers which promise to make life smarter, from smart TVs to smart cars to smart pet feeders.
As an example, my friend recently had a new boiler fitted, along with a shiny little box which cleverly self-programmes to her temperature needs. This little box knows when she is at home or away, awake or asleep and through a connection with her phone she can turn the heating on whilst out of the house. It is evident that such technology could bring huge benefits, including cost and time savings, but what are the legal issues that should be considered?
The legal issues:
Data, data and more data – security risk?
Data security is a key concern with IoT devices, taking into account just how much data can be collected. With various IoT devices talking to each other via the internet, the potential for a data security breach is high and with more and more IoT devices coming onto the market, this issue is not going to go away.
Take for example the smart meter initiative led by the government. The intention is that by 2020, over 53 million smart meters shall be installed in over 30 million homes and small businesses. The potential here for households and small businesses to join the “grid” and be connected through an IoT device is huge.
With increased data collection comes an increased risk of a breach or failure in data security. As previously mentioned, my friend’s shiny new box knows when she is at home or away. Is there a risk that this information could end up in the wrong hands? Absolutely, and to make matters worse, some IoT devices have not been designed to update automatically with new security updates and patches, leaving them unpatched. There is also the risk that users may not change the default passwords provided with the IoT devices, or may replace them with passwords that are not sufficiently strong.
If hackers infiltrate IoT devices, the potential scope for damage is great. Take for example a smart car - a successful hack could impact the functions and safety of the car. Beyond personal use, IoT devices can be used in various businesses and institutions including hospitals. In hospitals, IoT devices can be used to track the vital information of patients, which medics can use to determine required medication. If these systems were hacked, the result could potentially be life-threatening. Whilst these examples are extreme, they do highlight the importance of getting security right and ensuring user confidence and trust.
The security of data goes hand in hand with data protection. The current data protection regime in the UK is governed by the Data Protection Act 1998 which controls how personal data is used by organisations. There have been recent developments in respect of EU data protection law and the new General Data Protection Regulation (GDPR) will come into force on 25 May 2018. Regardless of the UK’s EU membership status, any company which holds or uses personal data of EU citizens will still be required to comply with the GDPR. In addition, there is also the likelihood that in preparation to leave the EU, the UK will reform its current data protection law to bring it in line with the GDPR.
The tightening up of the data protection regime will impact the obligations and responsibilities imposed on those businesses involved in the collection and processing of data from IoT devices, including a requirement to carry out privacy impact assessments, increased scrutiny as to obtaining the consent of the user to process their personal information and enhanced data subject rights, to name but a few.
Adopting a privacy by design approach and incorporating privacy impact assessments into the design stage of the IoT devices should put data privacy at the forefront of the minds of the designers and manufacturers of IoT devices.
Linked with data protection is data sovereignty - the principle whereby digital data stored in a country will be subject to the laws of that country. The data from IoT devices may be held in the “cloud” or in a data center and it is vital to understand where that data resides. For example, if this is in the US, that data would also be subject to the laws of the US. This is particularly relevant given the developments in respect of the Safe Harbour Agreement and the EU-US Privacy Shield. IoT device providers will need to be clued up on where the data is to be located so it is clear which laws and regulations will apply in respect of that data.
With the potential for IoT devices to transform the way in which we conduct our daily lives, we have to question what happens in the event these devices get it wrong? Where does the liability sit?
Take for example smart, driverless cars. The potential is for these vehicles to revolutionise the way in which we get from A to B. However, what happens in the event the car, whilst in driverless mode, is caught speeding or, worse still, what happens if the car causes an accident? Who takes responsibility for this?
Recently, there has been a situation where autopilot driverless technology resulted in the death of the driver - the first known fatality resulting from such technology. That particular car manufacturer has stated that the computer programme used in the car is still in a ‘beta testing phase’, which the driver is required to acknowledge prior to using the technology, and that drivers are warned to keep their hands on the wheel at all times and be “prepared to take over at any time”. Other car manufacturers have taken the stance that they will take full responsibility for their driverless technology – giving the driver certainty as to how liability would be allocated in the event of an accident. This approach sees a shift of responsibility from the driver to the car manufacturer. However, this approach is not currently the norm.
In support of the progression of driverless technology, the Department for Transport has initiated a consultation in respect of proposed changes to the laws and rules surrounding driverless cars and insurance cover for such technology. Under the proposed new measures, the rules would change, allowing for driverless cars to be insured and the Highway Code and associated regulations will be updated to support the use of driverless car features. No doubt steps such as this will pave the way for new regulations and provide drivers with the added confidence needed when deciding whether to purchase and use such technology.
The future of the Internet of Things:
With much investment in the industry, the IoT market will no doubt continue to grow. Some of the gimmicks may fall by the wayside but there is considered to be real benefit to a number of the smart products available today and envisaged for the future.
However, key to the success of the IoT is consumer confidence. Manufacturers will need to convince consumers that the use of IoT devices is safe and secure and to do this, much work is still needed.