Bird & Bird: the future of IoT in 2017 and beyond

Barry Jennings, Legal Director at international law firm Bird & Bird, discusses how businesses in many industries are being affected by the Internet of Things (IoT) and the legal issues that need to be considered when adopting IoT solutions.

The Internet of Things (IoT) has undoubtedly generated some fascinating technology in recent years involving autonomous vehicles, industrial systems, logistics and tracking, smart metering, consumer devices, unmanned air systems and healthcare. These may seem quite distinct topics but there are a number of common legal issues we have been able to identify across these projects, as technology converges with and disrupts more industries. IoT has the potential to generate $2.7 trillion to $6.2 trillion year-on-year by 2025, according to McKinsey Global Institute. However, this growth will only be achieved by businesses that not only grasp the technology but also create scalable business models, appropriate risk allocation and mitigation strategies and robust service management processes. As the IoT technologies available continue to evolve, businesses in all sectors should be considering how they respond to the opportunities and threats associated with IoT as it will apply in their industries.

Of course, IoT services are already part of businesses and our personal lives - many people have a plethora of connected devices in their homes. In this respect, it is not just "FutureTech" but it is also an area of technology that is having a disruptive effect on today's businesses and which will shape the operation of commerce and government for many years to come. IoT sits at the top of the list and will also be the enabling platform for other trends in robotics, automation and artificial intelligence.

The technology around IoT is fairly clear – we understand what it is capable of doing now and what will be possible in the near future. What is far less clear is how companies will develop business and service models that allow IoT technologies to scale out. What will customers pay for and what will they not? Where will risk be retained or passed along in the complex supply chains we are seeing develop? Which platforms and standards will become established as the market norms?

Here are some of the key IoT themes that Bird & Bird sees developing, and the governing regulations that businesses need to keep in mind:

The complexity behind liability

The tangible impact on the physical world, the complexity in the chain of stakeholders and the security vulnerabilities that arise in a connected environment all create an expanded risk profile for IoT market players in terms of legal liability. Who is liable if something goes wrong is a key issue that should be considered, especially if there is a chain of interdependent IoT products, with differing systems, devices and software. For this reason, it is important to identify areas of risk at an early stage; develop a model for allocation of risk across the supply chain (including through contract terms and insurance); build precautionary steps into your product design from the outset; and plan to manage vulnerabilities across a product's full life (through software updates and security patches).

Businesses should also be aware of claims that could be brought against them. These could include defective devices, connectivity failures or cyber breaches. Identifying the root cause of the error, and who is therefore responsible, will be critical and operators will need to consider how fault management processes will be co-ordinated. The existing product liability framework can be unclear, particularly where software is converging with other industries, and the EU Commission is currently running a consultation on how fit for purpose the product liability regime is for IoT.

Cyber-security and privacy risks are amongst the most challenging for IoT operators

IoT technologies capture, process, generate and respond to large amounts of data and often in significant areas where private data about individuals has not previously been collected, or at least not at the same scale, frequency or automation. This has privacy, security and safety implications in an IoT world where software is ever-closer to the physical world and data protection regulations will play a big role in how IoT services take shape.

Every company is at risk of being hacked, or its systems breached. Cyber security is a central issue in the digital world we are living and working in. An awareness of the risks, and taking the necessary steps to minimise them, should be at the forefront of any IoT projects. IoT devices will likely be outside protected networks and corporate systems, and may end up being standalone devices abandoned in unsecured locations, accessible by any type of user, including ill-intentioned hackers and organised criminals.

A lot of these simple sensors and IoT connected devices operate using simple embedded software systems that may not be constantly updated or sufficiently protected. A recent and very real example of the cyber security risk that could menace IoT devices is the Heartbleed virus that attacks the OpenSSL cryptographic software library commonly used to provide secure internet communication. Like every virus, it is possible to identify and eliminate it from affected systems, but this would prove more difficult for devices and systems that are not routinely monitored or updated and that are not sufficiently protected. These devices have the potential to be infected and remain so for a long period of time, posing a threat after most users would think they are safe.

The processing of personal data is subject to new regulation around data protection in the EEA, the General Data Protection Regulation (GDPR), which comes into effect in May 2018. The changes which are to be ushered in by the GDPR are substantial and ambitious. At over 200 pages long the Regulation is one of the most wide-ranging pieces of legislation passed by the EU in recent years, and concepts to be introduced such as the 'right to be forgotten', data portability, data breach notification and accountability (to call out only a few) will take some getting used to. There are then the much-publicised penalties, of up to 4% of global turnover, that could be applied to certain breaches of GDPR. Even its legal medium - a regulation not a directive - makes the GDPR an unusual piece of EU legislation as it applies directly and does not require transposing into local law.

Many technology vendors, particularly those operating on a business-to-business basis, have traditionally relied on the fact they are data processors (who process data for others) and that the statutory regimes applied principally to data controllers (who choose what data is processed and how). Allocation of responsibilities was then managed through contract terms. The GDPR places more obligations directly on data processors that, in a technology world increasingly dominated by large platform operators, in practice may have more material control over how data is secured than their customers. This is generating more discussions about mutuality in data protection drafting and more clearly delineating between the parties' responsibilities.

Many IoT supply chains are complex, with personal data being handled at different levels, so data processing, and compliance with GDPR, needs to be considered holistically with responsibilities consistent and flowed through between operators. Mutual indemnification for data issues caused by each party's acts or omissions may be required to effect such risk allocation but there will be challenges around allocating responsibility in practice. How will data be made portable and deletable in accordance with GDPR? How will those processes be managed amongst operators in a supply chain? How will operators ensure these processes do not become potential security vulnerabilities (if it is easier for me to get my data back, is it not also easier for a hacker to do so fraudulently)?

Patent predictions

The introduction of new IoT players to the radio wave patent industry will see a new phase of convergence between the two industries - similar to the smartphone wars. There are key areas of dispute where current industry incumbents own the majority of patents – cellular and wireless standards, encoding, user interfaces and hardware patents (including chips and antennae). It is usually best to use third party studies to assess the value of patents and to understand whether royalty rates offered by industry patent owners are reasonable.

There will certainly be a clash between new IoT entrants to the radio wave patent industry, bringing technology from their own industries, and industry incumbents with existing patents. This will lead to a race to a remedy with both players seeking to be the first to impose an injunction on the other.

5G - The future of communications and IoT

As IoT becomes more widespread, it will be necessary for operators to rely on the full range of telecoms technology available, including the emerging 5G standard – which will have an impact on flexibility of telecoms infrastructure, compute capacity at the edge of networks, latency, service tiering and energy efficiency. Additionally, the cost of using satellites in M2M services is becoming more competitive in comparison to terrestrial networks. For instance, High Throughput Satellites are larger, high speed and low latency and IoT specific satellites are now entering the market.

However, as well as the lack of clarity in terms of spectrum requirements for IoT, there is uncertainty in relation to regulation in this area in general. The stricter regulatory requirements for 'electronic communications network services providers' will be applicable to a new set of operators and regulators will find themselves stretched in new directions (with turf wars to be fought over who has responsibility for regulating different aspects of IoT infrastructure and services).

There will be challenges and opportunities for almost all businesses as a result of increased connectivity, efficiency and automation arising from IoT. There will also be societal implications for work forces, privacy, public safety, wealth generation and taxation that mean regulators and politicians will generate legislative responses. Over time, market norms in terms of service management, risk allocation and business models will emerge to address these legal and commercial risks but there is already a lot of practical experience available from projects that have been undertaken and learning that can be translated and adapted for different contexts.

