“Gartner forecasts that 5.8 billion enterprise and automotive IoT endpoints will be in use in 2020.”
Gartner, 29 August 2019
Range of IoT technologies will grow: Current IoT use cases include “smart meters” that allow energy settings to be adjusted remotely, “wearable” health and fitness appliances, and medical devices that help manage conditions like diabetes and asthma. This range is set to broaden and expand to cover connected appliances within the home, automated cars, drone technology and smart city infrastructure projects. IoT devices rely on broad forms of connectivity, ranging from Radio Frequency Identification (RFID), Bluetooth, radio protocols, LTE-A and WiFi to long-range technologies, which could be based on LPWAN standards or 3GPP standards (e.g. 5G). Manufacturers of these connected products will continue to compete across these different connectivity protocols, balancing regulatory scrutiny with accessibility of high-speed connectivity over those networks.
Risk allocation: The connected world of IoT is challenging conventional legal understanding of risk allocation in relation to product liability. As typified by the EU Commission’s recent working document, IoT products generally involve complex interdependencies between hardware, software, telecommunications networks and data distribution. Where losses arise due to a malfunctioning of one or more of these elements, determining liability is far from clear-cut. The antiquated EU Product Liability regime is not fit for purpose within an IoT climate, hence the emphasis placed by the EU Commission on reforming the regime in order to rebalance responsibilities between industry and consumers more appropriately. IoT product manufacturers will need to keep a keen eye on upcoming regulation in this area to ensure that they appropriately factor in risk allocation into their costs or pricing structures and contractual protections.
Cyber security: Concerns about the vulnerabilities of connected products also continue to grow as the use of these products becomes more prevalent. Despite the lack of specific regulation, indicative codes of practice such as the UK government’s Code of Practice for Consumer IoT Security for manufacturers, or the European Telecommunications Standards Institute’s code of practice, demonstrate that market participants must build in strong cyber security protocols from product inception. As the IoT market matures, vendors will likely self-regulate security, meaning that principles such as “security-by-design” will become key competitive differentiators. Successful market participants will have to incorporate sophisticated security features from product inception and demonstrate their robustness throughout the customer journey.
Network capacity: The increasing proliferation of connected IoT devices will result in a need for increased bandwidth, even within the context of a 5G network infrastructure. For example, “smart home” devices (such as smoke alarms remotely connected to mobile devices) require real-time monitoring, over communications networks, to be successful. This raises the prospect of US-style “net neutrality” rules potentially being integrated into the existing EU legislative architecture in relation to IoT in order to minimise the potential for communications providers to decrease or increase service provision competitively to certain IoT devices in specific geographical locations and based on their own commercial considerations.
Data issues: IoT devices generate high-volume, real-time data streams. The “real-time” connected nature of an IoT device raises questions about how individuals control and keep track of their data that is shared across an IoT network, with the companies supplying IoT devices and network providers. Competing views of where legal “ownership” of this data lies, whether with the user of the data, the data subject, the product manufacturer or the network operator, will likely vie for supremacy over the coming years. If the data is used to monitor individuals’ preferences or profiles, businesses will also need to evaluate data protection concepts of fairness, transparency, purpose limitation, data minimization, data retention and data disclosure (under the EU’s General Data Protection Regulation) from the outset.
Intellectual property issues: IoT market participants will need to consider protecting the IP they develop, IP licensing issues and the risk of using third-party IP. For example, those developing proprietary IoT solutions will require a sophisticated patenting strategy to secure patents for software-related inventions, and IP rights related to data-sets (such as database right) will become more significant in any licensing discussions and enforcement. In addition, manufacturers of connected devices will be required to comply with technical standards for machine-to-machine communications to ensure compatibility of their devices across networks. The companies who participate in setting these technical standards must usually (1) declare any relevant patents, and (2) license those Standard Essential Patents (SEPs) on terms which are Fair, Reasonable and Non-Discriminatory (FRAND). Companies will need to be mindful of third-party IP and develop a strategy for managing this risk, particularly in an environment where suppliers are unable or unwilling to give warranties.
Workforce issues: Businesses searching for candidates with broad IoT-based skills may outsource this to firms who add value in the screening process and help make meaningful recruitment decisions. As with any disruptive technology, IoT has the capacity to create and eliminate jobs, and companies will need to manage this within the context of their contractual framework and applicable employment legislation. HR Managers will need to consider ways to incentivise employees to embrace new technologies (to become “lifelong learners”) whilst also providing reassurance on their continued employment. The heightened requirements on high-risk issues around cyber security, data compliance, IP protection and ethics mean organisations must establish clear rules and standards which are regularly refreshed and kept updated. These rules should apply to employees as well as other individuals, such as consultants and non-employees.
Consumer Protection: From a UK and EU perspective, consumer protection laws remain relatively unprepared for the ways in which connected devices may be able to contract with consumers. For example, current EU consumer protection regulations often require some form of written contractual communication between a seller and a consumer, and/or consent to additional charges to a price paid for goods or services. The fact that IoT devices will be able to initiate transactions with consumers in real-time in relation to consumer-related data or activities makes complying with such requirements challenging. The practicalities of ensuring that such information is passed onto consumers in the context of IoT devices may cause regulators to reconsider the detail behind existing consumer protection laws in this area.
Competition/anti-trust: The potential for IoT devices to converge players from different technology-focused sectors and create powerful data-sets could attract the attention of competition law regulators. Competition law would be particularly relevant to IoT collaborations or standardisation efforts. These must comply with antitrust rules prohibiting the exchange of competitively sensitive information between competitors, and arrangements should also be assessed for potential “exclusionary” market effects. Furthermore, powerful data-sets created through IoT devices might be viewed as a source of market power, leading businesses holding that data towards “dominance” territory; businesses should therefore be mindful of potentially “abusive” market conduct, particularly around issues of access to data and product/data interoperability.
Tax impact: IoT begins to blur the line between a supply of a product and supply of a service, which can fundamentally change the tax position and profile for businesses. Companies could move from being product suppliers to services businesses, which could shift business risk allocation (such as product liability as noted above), expand geographical footprint into new markets, create new supply chains through partnerships with external providers / intercompany flows and develop new IP. Tax should be considered as part of the feasibility and design of any IoT project, as this shift in operating model is likely to be contentious territory for tax authorities, with potentially wide-ranging implications for multiple areas of tax including direct tax and taxable presence issues, tax incentives for R&D, VAT, withholding taxes, transfer pricing and new “digital” taxes.