The phrase “Internet of Things” was first used by Kevin Ashton in 1999. Wherein at that time, the phrase was used to refer to Radio-frequency identification (RFID) gadgets used for tracking consignments but in today’s e-world it is not just restricted to tracking but in a much wider ambit has evolved to include any device with a function that connects it to the internet is a part of the IoT.
To put it in simple term, it is a network of devices that can share data among themselves to help create convenience for people by creating patterns of daily activity and executing them. This convenience is in relation to both ease of living, as well as adding value to necessary infrastructure. The use of smart watches allows one to synchronize with the smartphone devices, inter-alia like messages, calendar, agendas, answer calls, Google searches, these are few examples of devices sharing data over the IoT.
For the development of IoT products specific to Indian needs in the domains of agriculture, health, water quality, and natural disasters among other things, Government of India today is using the potential of Machine to Machine (M2M) communication in solving urban problems and is increasingly exploring concepts such as smart cities for which the government has embarked on an ambitious project of developing ‘Smart Cities’ across the country.
India’s Policy Framework on the Internet of Things
The Ministry of Electronics and Information Technology on October 2014 released a Policy Document on the Internet of Things. Following public comments, a revised draft policy was released in April 2015. The Internet of Things policy is focused towards making life easier and ‘smarter’ for the consumer. However, the Draft Policy fails to provide a governance framework for the Internet of Things.
With the advent of IoT, it becomes necessary to analyse the existing legal system and the shortcomings therein to ensure that a Pandora’sBox is not left open and these issues are being adequately addressed.
(1) Data Security
The collection of data through the IoT creates databases for accurately predicting actions of the consumer, this accumulation of sensitive data (including mapping of personal habits, geo-tracking, video recording on CCTVs and home electricity patterns) needs to be safeguarded against cyber-attacks or theft. Information concerning the activity patterns of consumers can be mapped through the data collected to accurately predict the activities of a person, and this power can be susceptible to misuse in the wrong hands.
At present, India’s laws on data protection are codified in the Information Technology (Amendment) Act, 2011.
Section 43A obligates corporate entities to maintain reasonable security practices for safeguarding sensitive personal data. Accordingly, negligence in maintaining security measures invites liability to pay damages to the affected party.
Section 72A of the ITAA protects the right to confidentiality and privacy and makes disclosure of personal information without the consent of a person a punishable offense.
These offences are bailable in nature which does not render that against the severity of offence the punishments so rendered are inadequate
The Information Technology (Reasonable Security Practices and Procedures) Rules, 2011 have elaborated on the ITAA by defining key terms linked with data protection. The Rules define personal data and elaborate on means to collect and retain such data.
However, these Rules only protect data which can be used to identify a person and don’t cover cases where other background data, such as location and activity is collected as through linkage of data sources and systems increases the risk of re-identification of anonymized data. This loophole renders the Rules ineffective against a large portion of data collected by the IoT devices . Further, the data protection regime in India has also been criticized for the lack of a Data Protection Authority in India and the low rate of action taken under these laws.
In order for IoT to exist and function properly, devices need to communicate with each other for which different devices from different commercial sources have to connect such as Wi-fi, Bluetooth, RFID chips and so arises the need to use standardized technology, as a large amount of IoT devices rely on data-sharing and interoperability to create a smart sphere, and for doing so, a uniform standard is necessary to keep adding new devices on the common platform.
But if standardized technologies are patented, then it will be a roadblock for the development of IoT as any party adopting standardized technology will end up infringing patents of third party patent owners. Hence making it essential for the standard setting bodies for taking these factors into consideration while setting a standard and declare such patents as standard essential patents (SEP).
So in the present mechanism, the standard setting organization needs to impose a condition on the SEP owner to license their patents to third parties on fair, reasonable and non-discriminatory (FRAND) terms to ensure that the development of IoT is not hampered by self interest of patent owners.
With IoT, customers are able to enter into contracts for the sale of goods by using IoT devices i.e. without human interaction. But with this development of parties to contract, contract law is archaic when it comes to dealing with issues raised by the Internet of Things.
For instances, some of the potential problems being-
(1) Are such devices agents?
(2) How should courts assess consumer assent when contracts are entered into through IoT devices when not provided with contract terms prior to each purchase made by the device?
(3) In absence of privity of contract, what terms would govern the inter–relations between the multiple device manufacturers which e-compute with each other while providing services to the user.
The increased interconnectivity generated by the IoT brings along with it certain concerns including problems pre-existing like information asymmetry (one party has better information over the other and in this case, it is the IoT devices) and Contract Distancing in consumer contracts to the benefit of businesses.
With IoT, there is very little or no scope for negotiations to be held between the device manufacturer and the users regarding the terms of e-contracts. This may encourage consumers to continue to fail to review and understand contract terms, lead businesses to continue to include one-sided contract terms in form contracts, and encourage contractual abuse. The types and amount of data that will be generated by IoT devices will increase companies’ knowledge about the health, lifestyle, and everyday activities of consumers and individuals in their households and communities.
The existing legal framework applicable to form contracts is unlikely to provide adequate protection to consumers who enter into contracts for the sale of goods by using IoT devices, and the new, automatic, and interface-free contracting environment created by the IoT aggravates existing problems and creates difficulties in consumer transactions in a manner that compels a revision of applicable legal rules.
1. On October 2014, an Article 29 Data Protection Working Paper analyzed Internet of Things and recommended that the laws on data protection be made stricter to prepare for this new technology suggestion such as purpose limitation, minimal retention of data, and transparency in use. Based on the recommendations of the Working Paper, the European Union passed the General Data Protection Regulation (‘GDPR’) which was adopted on April 2016 and shall come into force in May 2018. The GDPR lays down law on how data is to be collected, processed, used and stored, and the limits on saving such data.
Several other countries have passed laws relating to data protection which could be applied to the Internet of Things. Canada, for example, passed the Personal Information Protection and Electronic Documents Act (‘PIPEDA’) in 2004.
Australia has the Information Privacy Act, 2014 which lays down rules of keeping consumer data confidential.
Thereby, it is necessary to evolve legal and policy frameworks tailored to this technology in India by taking note of these key legislative development around the globe.
2. Courts should adjust their application of common law and contract law principles, by considering where one party to the transaction has more or better information than the other also known as information asymmetry and contract concluded between a trader and a consumer under an organised distance without the simultaneous physical presence of the either also known as contract distancing . The IoT will create a new contracting environment in which interface-free automatic shopping and consumer use of electronic agents is widespread. Courts and legislators must acknowledge this new contracting environment and ensure that consumers are adequately protected in the age of the IoT.
3. With the advent of IoT, there arises the need to find a suitable way for addressing issues pertaining to standardized technologies so that the standards can be licensed on fair, reasonable and non-discriminatory terms to third parties, as it will also help the third parties to access the equivalent patents at royalty rates.