The internet of things is a fast-moving, dynamic, and flexible technology. The law is a slow, unwieldy, and laboriously complex set of rules. The two do not mix well.
The law has consistently failed to keep up with technology. Issues like cyberbullying, data protection, and even internet regulation had all reached a pandemic level before the governments and courts of the world caught up. Now the challenge is how to make the internet of things a safe, law-abiding area of commerce.
As increasing numbers of everyday objects come online in the internet of things, regulators and lawmakers have been slow to recognise the potential legal implications of the many issues that are arising – chiefly privacy and data protection. Currently, the IoT is regulated and managed by existing legal frameworks; none of the world’s developed countries has passed any new legislation specifically regarding the sector.
Because many internet of things devices are located in personal spaces (such as the home, the car, or even the body itself), in most European countries they fall under the jurisdiction of laws covering personal data. In the UK that means the IoT comes under the Data Protection Act 1998, and Europe-wide it falls under the EU Data Protection Directive. Breaching these laws can lead to enforcement action and fines by national regulators such as the UK’s Information Commissioner’s Office – but not necessarily criminal charges.
It’s a similar story in the United States. The US Federal Trade Commission took its first action relating to the internet of things in 2013 and later settled a complaint with a company that marketed video cameras designed to allow consumers to monitor their homes remotely. The regulatory body successfully argued that the company’s lacklustre data protection and wilful disregard for privacy had led to the exposure of the private lives of thousands of consumers online – but again, no criminal charges were forthcoming.
A simple example shows the difficulty in forming effective laws. Consider a ‘smart’ shipping container that can tell its owner where it is, the conditions inside the container, and other useful metrics; should that be regulated in the same way as a health band that transmits sensitive data about a user’s physical condition? What about a smart fridge? It might seem harmless, but depending on its contents it could provide sensitive information about a person’s religion or health to supermarkets and others.
A ‘data protection working party’, which advises the EU Commission, found in research last year that in most cases consumers are unaware that data processing is being carried out by the companies that have supplied specific objects – and that needs to change.
“The challenge is, how do you get that information on transparency and consent across to people in a meaningful way?” said Ruth Boardman, Head of the International Privacy and Data Protection Group at an EU-wide law firm. “It may be easy to get someone to sign up to consent when you have to set up a device but what about a toothbrush which is connected to the internet?”
Whatever the solution, you can be fairly certain that by the time lawmakers respond, the IoT will have already moved on!
By Daniel Price