18 May 2019

Internet of Things

Over the last few years the Internet of Things (IoT) has become more mainstream and more organisations are looking to either produce IoT devices or implement third party IoT products within their businesses.

IoT devices are physical devices which are connected to the internet, which may include sensors to collect data. The range is ever increasing, including everything from thermostats linked to apps to control heating systems from a mobile to automatic stock counting in large retail premises with a swish of a device over the garments on the shop floor. Internet connectivity may enable the device to be operated or monitored remotely, or to exchange data with other software or devices. As well as the technical issues which need to be considered as part of any development or implementation, there are a number of legal issues to be thought through, particularly in relation to the way in which data from the devices is collected, processed and stored.

For IoT device manufacturers, it is important to ensure that any intellectual property rights in the hardware and software are appropriately owned or licensed on terms which permit ongoing commercialisation of the product. Where software development is outsourced to a third party this may include taking an assignment of rights. Branding issues relating to the product also need to be considered if the device will be marketed under a new brand rather than the company’s existing trademarks.

The collection and use of data is a fundamental issue for IoT devices. Some devices, particularly in the consumer market, collect personal data either directly, as in the case of wearable technology, or indirectly as in the case of smart home devices which may collect information about the routine of the individuals living there, for example by analysing when heating and lights are turned on.

Under GDPR it is important to consider how this data will be handled from the earliest stages of a project in order to comply with obligations around data protection by design and by default. This will include ensuring that the device does not collect unnecessary data, that it is held securely, and that there are restrictions on the purposes it can be used for.

Due to the implementation of GDPR there is now a requirement for a greater level of transparency, control and choice for the data subject. As well as giving choices when the devices are first set up, IoT providers will also need to put in place processes to manage ongoing data subject rights and requests for the deletion of data. It is likely that the development or implementation of new IoT devices collecting personal data will also require a Privacy Impact Assessment to be carried out.

Commercial devices, for example those which monitor or control production lines, may not collect personal data but the data may still be commercially sensitive, leading customers to require that it is held confidentially, not used for other purposes and destroyed when no longer required.

Businesses will also need to consider the terms on which the devices are sold, and any ongoing maintenance and support. IoT devices are likely to need software updates over time and there will often be a web based interface to review data collected by the device, or an integration with third party software. Customers will want assurances that these interfaces will remain available and supported for the expected life of the device so as to avoid the device becoming obsolete.

An important issue to be considered is liability. As well as headline grabbing issues in the context of self-driving cars around whether the manufacturer or the user should accept liability for collisions, liability issues are also likely to arise in areas such as control systems which could impact on the smooth running of a production line if the data collected or analysis of it is incorrect. When entering into contracts relating to IoT devices and systems, either as a supplier or a user, it is important to be clear about the extent of your exposure and the risks which you are exposed to.

To discuss any of the issues addressed in this article, please contact our Commercial team.