Whether you consider it the latest buzzword or the beginning of a new era, the internet of things will have significant impacts across the business landscape.
The Internet of Things (IoT) refers to the interconnection of identifiable embedded computing devices.
In a nutshell, IoT is where every day physical objects are connected to the internet and can identify themselves to other devices without requiring human-to-human or human-to-computer interaction.
A related term, the “industrial internet”, coined by American super-conglomerate General Electric, refers to the integration of complex physical machinery with networked sensors and software.
IoT is still in its infancy, but a generation shift is already taking place.
So while driverless cars that seamlessly interact with road infrastructure are a leap away, many companies are embracing the opportunities offered by connected devices and data to optimise manufacturing and service in real-time.
The estimates are that connected devices will outnumber people in the near future. Depending on the source, the number of digital devices connected to the internet is estimated to grow from the current 3 to 7 billion, to 25 to 50 billion, by 2020.
The change creates business opportunities. Cisco Corporation, for instance, has estimated that the value of new business created as a result of IoT will total roughly USD 19 trillion over the next decade – out of which USD 14.4 trillion will be contributed by enterprises and USD 4.6 trillion by smart cities, administration and the public sector.
Both manufacturing and service industries will be affected: intelligent systems in the IoT enable rapid manufacturing of new products, dynamic response to product or service demands and real-time optimisation of manufacturing production, while allowing for more effective use of energy and other resources.
All of this is based on data gathered, analysed and communicated by machines.
The data, its creation, indexation, analysis and control over it become key issues in the emerging legal landscape. Strictly speaking, one cannot “own” data, but access to it is something businesses should want to have a say on and, as discussed below, legal considerations in the form of IP, data privacy and contracting will be on the table.
The co-existence of, and interrelationship between, relevant factors can be depicted as follows:
If data is the key in the IoT, what is the relevant legal tool in the IP toolbox?
In terms of traditional intellectual property, data, as such, is not an object of protection. Large amounts of data may, however, take forms that are granted protection; and database protection and its associated forms of IP (e.g. the so-called protection of catalogues granted under Finnish law) may see a rise in significance.
You will also need to address IP ownership issues, including the complex question of joint ownership, in more detail. Even the thus-far somewhat academic question about IP ownership of works created by machines may be revived: in the traditional “internet”, people are the main producers of content and data, whereas in the IoT, machines assume this role and become the creators.
If a machine created a database or a copyright work and, in the process of doing that, used a significant part of another database, with who will the rights vest, and has an infringement taken place?
The key, most likely, will be in the contractual stipulations, but if the underlying IP issues are not taken into account beforehand, problems may emerge. Also, issues of open data and accessibility of governmental data on the one hand, and trade secrets, on the other, are likely to raise difficult questions.
Traditional “hard IP”, patents, will also be relevant, and companies may need to start looking into new areas of technology in trying to map their patent landscape: by way of example, manufacturers of heavy machinery may find themselves faced with telecoms and computer-implemented-invention-related-patent thickets.
Another challenge will be that for the IoT to work in a truly seamless and interoperable way, it needs to use standardised technology. If, however, standardised elements of technology in this architecture are patented, third party users of the technology who have not obtained a licence may be forced to infringe those patents.
Data protection law regulates how information on consumers may be collected, processed and transferred.
By definition, “personal data” means any information that – either as an isolated datum or in combination with other pieces of information available to the business – is identifiable as concerning a private individual. Controllers of such data are under a statutory duty of care, the purpose of processing this data must be specified in advance, and there has to be a legal ground for any processing.
Big data may mean big value and big benefits, but also big responsibility.
Data protection challenges related to the IoT include information on the processing of data, prerequisites for the user’s consent, exclusivity of purpose, data analytics, limitations on the possibility to remain anonymous when using services, and security risks.
You can overcome these challenges, but careful planning and a proper understanding of the applicable regulatory framework are needed.
It is highly probable that the regulatory landscape will be transformed in the not-too-distant future if and when the so-called General Data Protection Regulation (GDPR) proposed by the European Commission already in 2012 enters into force. Already approved with amendments by the European Parliament on its first reading last year, but still pending Council agreement, the GDPR would introduce new requirements to businesses, backed up with hefty fines for non-compliance.
In the proposed form, the GDPR contains extensive provisions on profiling. Now, the IoT promises to be an unmatched medium of analysing and, on that basis, predicting people’s personal characteristics and circumstances, but the data subjects’ right to object to profiling under the GDPR will need to be ruled in. The same would apply to the far-reaching principles of data protection by design and data protection by default embraced in the GDPR.
IoT-related contractual issues may arise out of many different types of contracts. IoT-related contract clauses are not relevant only in traditional ICT contracts, but they become significant also in contract types that have traditionally not dealt with ownership of data, data protection and intellectual property rights.
Since all sorts of devices will be connected to the internet and will gather data, for example,R&D agreements, sale and purchase agreements of machinery and other devices and various rental, services and maintenance agreements need to address these issues.
Perhaps the most important issue lawyers will need to stipulate is how the rights regarding the data are divided among the parties. For instance, does one of the parties have the exclusive right to use this data, or do the parties have equal or parallel rights of use?
There is naturally an unlimited number of ways rights can be allocated. Moreover, these contract clauses resemble more traditional licensing and transfer of IP provisions.
Naturally, privacy considerations must be addressed when drafting the contracts.
The internet of things will present, in the very near future, a whole host of opportunities – and challenges. For some issues, it is sufficient to look to existing legal norms for a solution. For others, new tools are needed to work with the evolving technological landscape.