Internet of Things: Unresolved legal questions

The Internet of Things, "IoT" for short, stands for the smart appliances and devices that are replacing the personal computer. More and more everyday objects are being equipped with embedded processors, sensors and network technology. The sky is the limit here – from app-controlled lighting to intelligent pacemakers and even robotics. Depending on the area of application, a differentiation is often made between "industrial IoT", an example of which can be controls for production lines, and "consumer IoT", which can include things like "wearables" that, for example, count a person's daily steps.

Data exchange over the internet between smart devices and systems hosted by servers is essential for the internet of things. Thus, the internet of things is usually based on cloud services. Data from the smart devices is processed using software in the cloud, for example to monitor the devices ("fleet management"), control the devices or be analysed in a compilation with other data ("big data"). The use of self-learning software ("artificial intelligence") for such purposes is increasing. This makes it possible to use the internet of things for autonomous, interactive control of a number of devices, for example in the context of a completely remote-controlled smart factory.

Actual and economic significance

The internet of things will dramatically change everyday human life. One example is autonomous driving. Monitoring health data such as heartbeat and blood sugar can help to improve the quality of life of chronically ill people, and network connections make cities into "smart cities", for example with automated traffic guidance systems.

According to a current survey by the McKinsey Global Institute, the internet of things can create global economic added value of up to US$ 11 trillion in the year 2025. This would correspond to approximately 11% of global economic performance. The study reveals that the potential influence of the internet of things is greatest in factories (up to US$ 3.7 trillion in economic added value), cities (US$ 1.7 trillion) and the health care sector (US$ 1.6 trillion).

According to the study, 90% of the total added value will benefit users – i.e. companies that use IoT applications or consumers – for example in the form of lower prices or time saved. At the same time, the study predicts, the internet of things will dull the distinction between technology companies and traditional enterprises and make new data-based business models possible.

Unresolved legal issues

As in many other fields, legislation is unable to keep up with the fast pace of technological developments in the internet of things. Here are some of the most pressing legal issues:

Data protection law

Especially in consumer IoT, personal data that is subject to data protection law is a significant factor. For example, a device to measure body functions amasses a prodigious amount of sensitive information. This causes difficulties, particularly in regard to justifying data processing. It is almost impossible to ensure that the user of the object has entered into the contract regarding the relevant service or issued the necessary consent. Questions also arise regarding international data transfer and use of data for "big data" solutions. Due to the sheer amount of available data, it is doubtful whether anonymisation is at all possible in such a case.

Rights to data

There is usually no personal component in machine data in the context of industrial IoT, and no general right similar to ownership applies to data. Thus, in light of the value of this data for future analyses, questions regarding the attribution of use and control of data are becoming more frequent. In Europe and Germany, heated discussions on this topic are currently being conducted; they alternate between the extremes of comprehensive monopolisation and a right to free access to the data. Due to the large number of parties involved, it is not easy to attribute the data in a way that takes all parties' interests into consideration, for example when a distinction is made between the data generated by smart devices on the one hand and the results of calculations based on the data on the other hand. Currently, it is only possible to resolve this situation by means of contractual attribution in each individual case.

Automated and autonomous entry into contracts

More and more contracts are being created not by means of human declarations but in an automated or autonomous manner. One example is if a system orders spare parts based on a software analysis. Especially where artificial intelligence is used, a person initiating the service is hardly in a position to predict the prerequisites under which an order can be created. One of the main points being discussed in this context is whether and to what extent the principles applying to messengers or delegates can be applied.

Liability issues

The use of IoT services can constitute a substantial risk factor, for example if the use of a robot results in injury to a person. IoT systems consist of a number of software and hardware components. Due to the complexity of such systems, it is often impossible to determine whether an injury was caused by a software defect for which the software supplier would be liable, an error on the part of the device, defective data or problems with transmission over the internet. When artificial intelligence is used, an unresolved issue is whether the "behaviour" of the machine can be attributed to its user as a consequence of a human act. Neither the courts nor scientists have developed a convincing solution. The discussion ranges from concepts of no-fault liability to corresponding application of the principles of vicarious liability.

IT security law

Where use of internet-supported services increases, so does the risk arising from hackers and malware. According to German and European law, security requirements apply to the use of "information society services" and to certain critical types of infrastructure. However, the smart device itself represents an unprotected flank.

Regulation

Regulations for specific sectors such as medical products could become just as relevant to the internet of things as general product safety law. In this context, difficulties arise in classifying an IoT service. The smart device is a product, but this does not necessarily apply to the services provided by the IoT service provider because they are not a product. Questions surrounding the classification of closed services with a data transmission function as a telecommunications service and the applicability of export control law also arise.

Antitrust law

Antitrust law in an online context poses several special issues. One such issue recently addressed by the EU Commission is the acquisition of market power using data pools. Another involves various approaches to reform in regard to such topics as lowering applicability thresholds.

Emphasis: contract drafting

The internet of things and its legal implications are in the earliest of stages. Thus, it is not likely that legislators and courts will resolve the open issues in the foreseeable future. In light of the uncertainties, minimising risk by means of contracts will become increasingly important for not only service providers but also their users. This means that how contracts are drafted will also become increasingly important.