Legal Considerations for businesses producing “connected” goods (the “Internet of Things”)7 May, 2015
The variety of inter-connected products is ever-expanding, from the well-known example of “wearable tech” in the form of the now-discontinued “google glasses”, to lifestyle monitoring gadgets like “Fitbits”, automated home appliances and even connected cars. Whether you are a manufacturer, data broker, app developer or otherwise involved in creating or selling or using products which are designed to interconnect and share information with other products, known as the Internet of Things, there are a number of specific legal issues that you will need to consider, particularly in relation to the use of data. Whilst customers might be initially seduced by the look, feel, capabilities and cost of your products, there is some evidence that consumers are becoming much more interested in what happens to their data – making compliance with data protection and privacy laws a potentially key reputational issue. Certainly for the law-makers this is now an area getting a lot of attention.
Particular legal issues arise with inter-connected devices because of the sheer quantity of data collected and its often private nature; even anonymising data may not prevent invasions of privacy. Data protection authorities are concerned with the potential vulnerabilities of the Internet of Things due to the lack of encryption of much of the data being transferred over it.
There is also the issue of consent. Suggestions coming from the EU are that traditional methods of giving “low-quality” consent (such as incorporating a policy into consumer contracts) will not work with the Internet of Things. The continued collection of such extensive data, and the ability to use it for multiple analytical and automated purposes, requires an ongoing process of obtaining “fully informed, freely given and specific” consent from the consumer. New technologies may need to be developed to incorporate new methods of informing users about the ways in which their data is being used, and obtain the appropriate consent.
Specific goods will also raise their own particular issues, including, but not limited to, privacy. Take connected cars for example. They can drive themselves (potentially preventing accidents) but most cars have multiple named drivers. How to get informed consent from non-owner drivers for the use of their personal data, which is necessary for the functionality of such cars, will need careful consideration. Identifying the data controller may also be tricky – something which is key to unlocking potential liabilities under current data protection legislation. In addition, contracts between the connected car manufacturers and the connected car owners will need to deal with the apportionment of liability should a fault with the car lead to an accident. There is also the question of whether manufacturers will need a telecoms licence and potential product liability considerations.
Other areas may need further thought if the products in question are in a heavily regulated market, such as e-health or e-medicine, where additional considerations such as licensing, testing and approval come into play.
No doubt potential issues will have proposed solutions, but the key will be anticipating, as far as is possible, all of the legal ramifications resulting from the position to adopt in the production or operation of connected goods and taking the appropriate steps to protect that position in advance.
 Article 29 Data Protection Working Party Opinion 8/2014 on Recent Developments on the Internet of Things