Emily O’Neill, Group IP & Litigation Counsel for Spectris plc, outlines the legal conundrums to be solved in implementing internet of things (IoT) solutions.
Spectris provides IIoT (industrial internet of things) solutions to various industry sectors under the Spectris Advance umbrella. With these solutions encompassing individual sensors, data ingestion, aggregation and analytics for enhancing productivity, Spectris Legal has to consider the full spectrum of legal issues relevant in overcoming the operational and engineering challenges in implementing Spectris’ solutions and providing an efficient and secure platform for its customers.
The internet of things (IoT) is at the heart of the fourth industrial revolution, bringing with it connected sensors in every area of our lives, across industrial sectors. American IT research and advisory firm Gartner predicts that there will be nearly 20.8 billion IoT-connected devices by 2020. The interconnected and networked infrastructure involved in IoT data generation, ingestion, aggregation and analytics is posing legal questions around liability, data privacy, intellectual property and how to structure contractual terms to address these.
The industrial internet of things (IIoT) is the industrial sibling of the consumer-focused IoT. IIoT goes beyond its roots in large-scale industrial control software and factory automation to networks of connected sensors across operational areas, with data ingestion, aggregation and analytics using artificial intelligence to provide feedback and improve efficiency and productivity. For example, Spectris’ Bruel & Kjaer Vibro business provides predictive maintenance services to wind farms through sensors embedded in individual wind turbines, coupled with analytics services that identify failure modes to inform and improve the efficiency of wind farm owners’ maintenance scheduling and to increase the productivity of the farm itself.
IIoT is giving rise to new business ecosystems, and the contracts governing those new business relationships need to reflect this. IIoT is providing different opportunities to monetise technology from the traditional business models based on hardware sale and software licences. Efficiency improvements and data volume can be measured and monetised. The contracts setting the framework for these models must clearly define service levels and appropriately apportion risk in this new context.
Protection of information and data in the IoT / IIoT space is one of the primary risk areas for customers. Cybersecurity is central to information protection in the IoT / IIoT space, particularly where devices are deployed outside traditional IT structures and firewalls. IoT devices can be vulnerable to attacks such as the Mirai botnet attack, which exploited Linux vulnerabilities in devices that had not received up-to-date patches and shut down a number of websites such as Etsy, Twitter and Netflix. As such, a best-in-class information protection strategy must be integrated across not just technical protection measures but the entire product development and implementation cycle, including product and software design, data aggregation, processing, transmission and storage. Combining robust IIoT platforms with proven analytics methods, integrated in a security / privacy framework, will be a key requirement for managing liabilities and complying with contractual obligations.
Much of the data generated within the IIoT is machine-to-machine data; however, this can still include personally identifiable data, which makes data privacy a concern. With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, the collection and processing of data which, either on its own or in combination with other data, can identify an individual needs to be considered carefully.
Data controllers within the IIoT could include device manufacturers, third-party application developers, data-hosting providers and insurers. However, device manufacturers alone may not be data controllers if their product is a generic sensor, sold as an individual hardware product with a range of collection uses, even if that sensor has networking capability. Where the device manufacturer can remotely access or reveal personal information already stored on the IIoT device, that device will qualify as ‘terminal equipment’ under the e-Privacy directive.
Contract specifications will need to reflect the need for privacy by design, including requirements that device wireless interfaces can be disabled when not in use, that personal data can be encrypted locally before it is transferred to the data controller, and that the device includes functionality to distinguish between different users.
One of the core features of the IIoT is the aggregation and analytics of large data lakes. Aspects of the GDPR conflict with the general concept and analytics of the IoT, including data minimisation, purpose limitation and that the data subject must be aware of the processing. The Information Commissioner’s Office has reported that 59 per cent of devices reviewed in a study by the Global Privacy Enforcement Network did not adequately explain to customers how their personal information was collected, used and disclosed. In addition, under the GDPR, data must be kept for no longer than is necessary.
Pseudonymisation to retain and further process personal data may not be a viable solution, as further aggregation of data across IoT devices could result in re-identification of an individual.
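As an added illustration of the re-identification risk described above (example code, not part of the article), two pseudonymised device feeds are each k-anonymous on their own but lose that protection once aggregated on the shared pseudonym. The feeds, the salt and the quasi-identifier columns are constructed for this example.

```python
import hashlib
from collections import Counter

# Assumption for the example: both feeds pseudonymise the same badge id with the
# same salted hash, so records from different devices can be linked.
SALT = b"example-salt"


def pseudonymise(badge_id: str) -> str:
    """Replace a direct identifier with a truncated salted SHA-256 digest."""
    return hashlib.sha256(SALT + badge_id.encode()).hexdigest()[:12]


# Constructed sample data: feed A from a zone access sensor, feed B from a
# wearable exposure sensor. Each carries only indirect (quasi-) identifiers.
FEED_A = [
    {"pseudonym": pseudonymise("B1"), "zone": "north", "shift": "day"},
    {"pseudonym": pseudonymise("B2"), "zone": "north", "shift": "day"},
    {"pseudonym": pseudonymise("B3"), "zone": "south", "shift": "night"},
    {"pseudonym": pseudonymise("B4"), "zone": "south", "shift": "night"},
]
FEED_B = [
    {"pseudonym": pseudonymise("B1"), "site": "plant1", "role": "fitter"},
    {"pseudonym": pseudonymise("B2"), "site": "plant1", "role": "welder"},
    {"pseudonym": pseudonymise("B3"), "site": "plant1", "role": "fitter"},
    {"pseudonym": pseudonymise("B4"), "site": "plant1", "role": "welder"},
]


def min_k(records, quasi_ids):
    """k-anonymity: size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one record is unique and therefore re-identifiable."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(counts.values())


def join_on_pseudonym(feed_a, feed_b):
    """Aggregate two feeds into one record per pseudonym (what a data lake join does)."""
    by_pseudo = {r["pseudonym"]: r for r in feed_b}
    return [{**ra, **by_pseudo[ra["pseudonym"]]}
            for ra in feed_a if ra["pseudonym"] in by_pseudo]


def aggregation_risk():
    """Return (k before aggregation for A, for B, k after aggregation)."""
    joined = join_on_pseudonym(FEED_A, FEED_B)
    return (min_k(FEED_A, ("zone", "shift")),
            min_k(FEED_B, ("site", "role")),
            min_k(joined, ("zone", "shift", "site", "role")))


if __name__ == "__main__":
    print("k (A, B, aggregated):", aggregation_risk())
```

A retention or aggregation review can run the same k check on the combined data lake before accepting that pseudonymisation alone justifies keeping the data.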
Intellectual property ownership and clearance are key questions to address in assessing risk in IIoT applications. The IoT has brought new challenges in patent landscaping and clearance. The technology encompassed within the IoT can be viewed as an ecosystem comprising different layers that make up the IoT stack. Morgan Stanley outlines three layers: semiconductors, telecom/integration and big data / analytics.
There are over 240,000 patents and applications relating to IoT technologies and, with IoT-applicable technology developing fast, this number is set to grow significantly. This has resulted in increased patent enforcement opportunities taking advantage of patents which are applicable to technology areas across end-user markets or which broadly address specific use cases. This breadth of industry applicability makes implementing streamlined and cost-effective patent clearance reviews in the IoT space particularly challenging. A focus on core jurisdictions where enforcement or infringement risk is highest, and a consideration of granted patents and core competitors’ portfolios, can play a part in managing the scope of the review.
Data ownership is also a widely discussed area. There is no property right in a piece of individual data. However, provided there has been a relevant investment in the collection of independent data and this is arranged in a systematic way and where data is individually accessible, then this will give rise to a sui generis database right. There will be no database right if data is streamed into a data lake without any systematic arrangement taking place. However, this is an EU right and as such, the database creator must have a substantial economic connection with a European state. Not all jurisdictions have an equivalent database right and so, both considering the jurisdictions in which the supply and services of an IoT offering will take place and applying local regulation will be crucial in identifying who has the economic rights to the aggregation.
As we have discussed, there can be significant risk in operating in the IIoT space, but apportioning that liability can be difficult. The sensors and devices comprising an IIoT solution are likely to be produced by different organisations, with the data from those sensors initially being reported and presented separately. As IIoT analytics mature, those aggregating data from a number of third-party sensors face not only cybersecurity risks, but also risks around the data itself in terms of accuracy, integrity and the ability to maintain the data for future analytics.
Organisations which provide not only a trusted IIoT platform architecture enabling end-to-end data and asset protection, but also a model that clearly sets out contractual obligations, can demonstrate a risk-managed approach to customers. All aspects of contracting are affected, from the basis of service levels and insurance requirements, through the impact and consequences of bankruptcy of data aggregators and analytics providers, to the applicable taxation regimes when services are provided across different jurisdictions.
The scope of the IoT and the range of legal issues to be considered will continue to drive the evolution of legal frameworks. Many of the legal challenges we have considered, arising from the constant flow of data from a range of devices, potentially across borders, are new and require legal creativity, working alongside other professional advisers, to produce a risk-managed framework for IoT operators to work within.