Author: Öznur Uğuz, MSc in European Economy and Business Law at the Tor Vergata University of Rome, 2021-2023

Legal Editor: Bader Kabbani, LLM International Commercial and Economic Law, SOAS, University of London, 2020-2021

The Internet of Things (IoT) is an advanced technology which connects the physical world to the digital one and offers several benefits that could change people’s lives for the better. However, as with all new technologies, IoT comes with potential risks and legal challenges that require careful consideration. This article gives a brief analysis of IoT ecosystems by touching upon the key legal issues that arise in the context of IoT, and the current and incoming regulatory framework applicable to the technology.

Introduction

The Internet of Things (IoT) refers to the network of connected objects that are embedded with software and sensors and have the ability to connect, transfer and exchange data between devices through the Internet without the need for human interaction. These objects are already a big part of our lives, usually in the form of “smart” devices and systems such as smart home systems, where household appliances and devices are connected and can be controlled remotely. On a larger scale, the IoT is used in urban development, with an important example being smart cities, which use IoT devices to collect, analyze and utilize data to optimise city functions and promote sustainable development.

IoT technology has various advantages in terms of improving efficiency and sustainability in infrastructure, transportation, industry and agriculture as well as managing domestic activities, improving home security and saving energy. While the benefits the IoT offers are indisputable, the use of these systems entails a number of risks for users. These range from the misuse and unauthorized disclosure of private information to cybersecurity attacks and physical injury as well as the infringement of human rights such as the right to privacy and the right to non-discrimination.

Key Legal Considerations

IoT devices collect a vast amount of data from users and their surrounding environment, including sensitive information about users’ precise location, medical data, and financial accounts. The complex data interactions in IoT ecosystems and the subtle nature of the data-gathering function of some IoT devices may cause data subjects to lose control over the collection, use and redistribution of their data. Personal data collected by various IoT devices may also enable the profiling of data subjects, revealing their lifestyle and behavioural patterns, which may lead to a number of issues such as the loss of consent privileges of data subjects, discrimination and stereotyping.

From a security perspective, the immensity of IoT networks and the huge amount of data shared between IoT devices present opportunities for cyber threats, which may not be easily defended against with conventional firewalls and tools. The vulnerability of IoT ecosystems is aggravated by the fact that conventional consumer goods that are connected to the IoT are often equipped with fewer security features, which leaves them exposed to cyber-attacks. Such attacks may result in private and sensitive information being disclosed or modified as well as unauthorized remote control of the IoT devices. Given that many IoT devices are capable of acting on the physical world, the risk of physical harm and economic loss in such a scenario is much higher with the IoT than with conventional computers.

Most IoT devices are complex not only technologically but also in terms of contractual arrangements due to their connection with living objects and other IoT devices whose design, production and operation involve multiple actors. This complexity gives rise to a variety of concerns with respect to privacy, liability and litigation. One of the concerns relates to data ownership. Since many stakeholders are involved in the gathering and processing of data within an IoT network, there may be confusion over which one of the parties has the right to use collected data and for what purpose. This may result in the data being shared with more parties than the data subject is aware of as well as cause problems in liability allocation in the event of a dispute. Identification of governing law and jurisdiction might also be problematic in such cases as data collected by the IoT is transmitted across numerous parties in different jurisdictions.

In respect of product liability, complex interdependencies between hardware, software and networks might pose challenges if various components of an IoT device malfunction at the same time, putting different producers at fault for the failure of a single product. Liability issues are likely to be exacerbated as IoT technology becomes more sophisticated and gains more autonomy to operate without user command.

Regulatory Framework

Several regulations that are specifically designed for, or applicable in the context of, the IoT are already in place in different parts of the world such as the United States, China, the United Arab Emirates and the European Union.

In Europe, most issues related to data generated and transmitted through IoT devices fall within the scope of the European Union General Data Protection Regulation (GDPR). The GDPR sets out a number of obligations concerning data collection, processing, storage and protection for entities that control and process personal data, which may be applicable to IoT ecosystems.

The EU Cyber Security Directive (Directive 2016/1148) aims to enhance cybersecurity resilience across the EU and requires EU member states to impose certain obligations on operators of essential services and digital service providers. Depending on its implementation by individual member states, the Directive might apply in the IoT context.

The proposed EU e-Privacy Regulation, which will repeal the EU e-Privacy Directive (Directive 2002/58/EC), sets a specific privacy framework for electronic communications, including machine-to-machine communications and the IoT. The Regulation will impose consent and confidentiality requirements on electronic communications data, even stricter than under the GDPR in some aspects, exacerbating the existing privacy considerations the IoT raises.

In the US, the Internet of Things Cybersecurity Improvement Act 2020 sets out the minimum cybersecurity standards for IoT devices owned and controlled by the federal government. While the applicability of the Act does not extend to consumer IoT devices, the law might have a broader impact on consumers if the standards set by the Act are also adopted in the IoT consumer market.

Another important piece of legislation on the topic is California’s IoT Cybersecurity Act SB-327, which is known to be the first IoT-specific cybersecurity act passed by a U.S. state. The law requires manufacturers of IoT devices to equip such devices with reasonable security measures that protect the device and the processed data from unauthorized activities. Notably, the legislation does not confer a right of private action upon those who suffer loss or damage as a result of a breach of the law. Instead, enforcement power is given to certain law enforcement agencies.

The UAE’s new Internet of Things Regulatory Policy, which aims to ensure the development of IoT services in the country, is another important example of the existing IoT regulations. As technology becomes more ingrained in our lives, more countries are expected to introduce IoT-specific regulations.

Conclusion

The creation of safer and more reliable IoT ecosystems requires certain steps to be taken by public authorities and other stakeholders. Data protection, privacy and security are better ensured when they are considered from the beginning. It is therefore important to integrate these measures into IoT technology starting from the development process. Increasing consumer awareness of how IoT systems operate and the risks they entail is also crucial to improve transparency and guarantee an informed consent procedure. Finally, the adoption of a consistent set of international standards specific to the IoT would help form a well-defined regulatory environment that alleviates the risks associated with the technology.


This article is written within the Academic Essay Project (AEP) organised by LAWELS. AEP aims to increase the number of quality academic writings on legal topics, encourage young lawyers to participate in academic writing, and lay the foundation of an online database on legal science. The team of legal editors and legal writers share their knowledge through high-end essays that we are publishing on our website and social media accounts for the world to read and learn from.

The articles on the LAWELS platform are not, nor are they intended to be legal advice. You should consult a lawyer for individual advice or assessment regarding your own situation. The article only reflects the views of the author.