Bird & Bird's Internet of Things Day brought together attendees from across the IoT spectrum to discuss a cross-industry, practical approach to managing both the risks and opportunities that IoT offers.
IoT services are already part of our business and personal lives as most people already have connected devices in their homes. We wanted to discuss an area of technology that we know is having a disruptive effect on our clients and which will shape the operation of commerce and government for many years to come.
Bird & Bird's Barry Jennings, Kimberly Wells and Henriette Picot opened the event with an overview of the current IoT landscape and addressed the increasing significance of IoT technology and the legal issues we are seeing in IoT projects. Ronald Hendrikx also "premiered" the video he shot earlier in the week at this year's Mobile World Congress in Barcelona which demonstrated the advent of 5G and the rise of artificial intelligence.
The complexity behind liability
A plenary session on liability was led by commercial partner Roberto Camilli and IP associate Toby Bond.
The tangible impact of software on the physical world, the complexity in the chain of stakeholders and the security vulnerabilities that arise in a connected environment all create an expanded risk profile for IoT market players in terms of legal liability. Allocation of liability if something goes wrong is a key issue that should be considered, especially if there is a chain of interdependent IoT products, with differing systems, devices and software.
For this reason, it is important to: identify areas of risk at an early stage; develop a model for allocation of risk across the supply chain (including through contract terms and insurance); build precautionary steps into your product design from the outset; and plan to manage vulnerabilities across a product's full life (through software updates and security patches).
Businesses should also be aware of claims that could be brought against them. These could include defective devices, connectivity failures or cyber breaches. Identifying the root cause of the error, and who is therefore responsible, will be critical and operators will need to consider how fault management processes will be co-ordinated.
The existing product liability framework can be unclear, particularly where software is converging with other industries, and the EU Commission is currently running a consultation on how fit for purpose the product liability regime is for IoT.
The session on patents was led by IP partner, Richard Vary.
The introduction of new IoT players to the radio wave patent industry will see a new phase of convergence between the two industries - similar to the smartphone wars. There are key areas of dispute where current industry incumbents own the majority of patents – cellular and wireless standards, encoding, user interfaces and hardware patents (including chips and antennae). It is usually best to use third party studies to assess the value of patents and to understand whether royalty rates offered by industry patent owners are reasonable.
There will certainly be a clash between new IoT entrants to the radio wave patent industry, bringing technology from their own industries, and industry incumbents with existing patents. This will lead to a race to a remedy with both players seeking to be the first to impose an injunction on the other.
Bird & Bird's Emma Drake and Gabriel Voisin and Alain Lusardi from Intent Technologies discussed the new requirements under the GDPR and data protection policies.
The processing of personal data is subject to new regulation around data protection in the EEA, the General Data Protection Regulation (GDPR), which comes into effect in May 2018. The changes which are to be ushered in by the GDPR are substantial and ambitious. There are then the much-publicised penalties, of up to 4% of global turnover, that could be applied to certain breaches of GDPR.
Many technology vendors, particularly those operating on a business-to-business basis, have traditionally relied on the fact they are data processors (who process data for others) and that the statutory regimes applied principally to data controllers (who choose what data is processed and how). The GDPR imposes more obligations directly on data processors, which, in a technology world increasingly dominated by large platform operators, may in practice have more material control over how data is secured than their customers. This is generating more discussions about mutuality in data protection drafting and about delineating the parties' responsibilities more clearly.
Many IoT supply chains are complex, with personal data being handled at different levels, so data processing, and compliance with GDPR, needs to be considered holistically, with responsibilities consistent and flowed through between operators. Mutual indemnification for data issues caused by each party's acts or omissions may be required to effect such risk allocation, but there will be challenges around allocating responsibility in practice. How will data be made portable and deletable in accordance with GDPR? How will those processes be managed amongst operators in a supply chain? How will operators ensure these processes do not become potential security vulnerabilities (if it is easier for me to get my data back, is it not also easier for a hacker to do so fraudulently)?
Roger Bickerstaff, Isabel Evans and Treena Dunlea-Peatross from Bird & Bird gave attendees their insight into the world of corporate funding of IoT.
The focus of funding in the UK is on revenue streams – investors are keen on vertical tech markets (fintech, adtech and agritech), and there is a particular appetite for investment in industrial and agricultural IoT, given ease of deployment in environments controlled by one landlord.
There are several funding options available – acquisitions, licensing, joint ventures, and in-house development – but each of these options has risks and benefits that businesses need to know.
5G – The future of communications and IoT
Joanne Wheeler and Cathal Flynn from Bird & Bird addressed some of the key concerns surrounding the future of communications required to support IoT and the impact 5G may have. Ingrid Viitanen from Nokia and Matthew Redding from BT/EE also provided a wider industry perspective.
As IoT becomes more widespread, it will be necessary for operators to rely on the full range of telecoms technology available, including the emerging 5G standard, which will have an impact on flexibility of telecoms infrastructure, compute capacity at the edge of networks, latency, service tiering and energy efficiency. The cost of using satellites in M2M services is becoming more competitive in comparison to terrestrial networks. For instance, High Throughput Satellites are larger, high speed and low latency, and IoT-specific satellites are now entering the market.
However, as well as the lack of clarity in terms of spectrum requirements for IoT, there is uncertainty in relation to regulation in this area in general. The stricter regulatory requirements for 'electronic communications network services providers' will be applicable to a new set of operators and regulators will find themselves stretched in new directions (with turf wars to be fought over who has responsibility for regulating different aspects of IoT infrastructure and services).
When software meets the physical world
Toby Bond and Roberto Camilli led the software session, along with industry input from Miriam Ezrachi from Intel. Businesses need to consider IP ownership in relation to IoT, particularly in the context of companies collaborating to develop new IoT technology.
When considering risk allocation and liability, distinctions should be drawn between business-to-consumer liability, and business-to-business liability. How software issues in "smart" devices will be addressed by the Product Liability Directive is an area of interest and likely to evolve.
Negotiations in IoT projects often involve new commercial and service models, a reliance on third party platforms or services, and either open or closed systems ("walled gardens"). This context needs to be taken into account in determining the appropriate risk allocations where market norms do not yet exist.