Data Protection Report - Norton Rose Fulbright

Disrupted, yet again. The world is fast preparing for the invasion of objects connected to the Internet, otherwise known as the Internet of Things (“IoT”).

IoT is here, and it will revolutionize how both individuals and corporations interact with the world.  In this multi-part series we will explore this quickly evolving revolution and the privacy and security legal issues and risks that corporations will have to address in order to leverage IoT and move the world into a new reality.  Part One of this series provides background and context surrounding IoT and highlights the legal issues organizations seeking to leverage IoT will face.  Subsequent parts will dive much deeper into IoT.

To start, consider the following portrayal of a day in the life of IoT:

By the time Lazlo Hollyfeld’s smartwatch detected the proper biorhythms to roust him out of sleep, his coffee was brewing and his curtains were drawn back.  “It is cold this morning, Mr. Hollyfeld, but no rain today in the forecast,” stated his computer assistant over the Bluetooth speaker by his bed.  Lazlo haphazardly waved his watch at the T.V., which automatically began streaming his morning news program.  He fumbled for the slippers by the bed, and reached for his morning smart pills, which were remotely dosed according to a physician’s review of Lazlo’s wearable health monitoring devices.  Health readings taken from the pills after ingestion would later be sent to Lazlo’s physicians.

As he arose, motion detectors relayed to his home automation system to bring the lights up to 30%.  Stumbling into the bathroom, both the lights and his television stream followed him.  The shower was running at a comfortable temperature and Lazlo’s favorite album started to play on the shower stereo as he walked in.

Running late, Lazlo quickly dressed and dashed downstairs to grab his coffee.  Tracking his motion and triangulating the Bluetooth signal from his watch, the home automation system brought up Lazlo’s schedule and to-do list on the refrigerator screen, shut down the heat system in the house, turned off the lights in the living quarters, and signaled to his car to start the engine and turn on the seat warmers.  Lazlo scanned his email on the fridge screen, and swiped a few emails to the car icon.  As he ran to the garage, he grabbed the last of the orange juice in the fridge, triggering a reorder to be delivered by drone later that evening.  By the time he pulled out of the driveway, his television stream was already playing in the car.  Meanwhile, his home automation system locked the doors, set the alarm system, and turned on the sprinklers.

Lazlo entered the highway, where his watch, reading his skin surface temperature, signaled the car to remove power from the seat warmers.  As he comfortably locked in cruise control, his car began reading the emails he had swiped to the car icon on the fridge.  Lazlo took his hands off the controls because his car was communicating with the other vehicles on the highway to maintain the proper speed and lane location.  Lazlo dimmed the car windows and settled into his relaxing, traffic-free morning commute.

Does this sound like the distant future to you?  Think again.  Much of the technology discussed in this article already exists in the marketplace (or soon will).  For businesses, IoT will present enormous competitive advantages and financial opportunities, and also pose challenging legal, security and privacy risks.  To fully enable IoT, organizations will have to consider privacy and security legal issues at the outset, and design IoT technologies and devices in a way that addresses these issues and limits risk to both the users and companies.  Let’s begin exploring.


Not only does IoT promise to be as disruptive as the digital revolution, the data storage revolution, and the Internet itself, it will likely represent the next technological leap of our generation.  One might view IoT as the combination and integration of the Internet and the physical world into a complex matrix (with the last component being the direct connection of individuals themselves to the network).  IoT enables any electronic device to wirelessly connect to and communicate over the Internet, or with other connected devices.  IoT is defined online as:

the network of physical objects or “things” embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices. Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.

Over time, this technology will be present in a multitude of everyday objects and will be commonplace and largely invisible to users.  The Internet of Things will undoubtedly make its way into many (likely most) facets of our lives, and indeed, has already slowly crept into the everyday lives of many.  Some homeowners, for example, already have Internet-connected thermostats, alarm systems, stereos, televisions, lighting control, and even basic appliances.  Wearable computing will be another burgeoning area: several smart watches already track heart rate, skin temperature, perspiration, and number of steps.  Sports clothing and shoes with data collection and reporting capabilities are available in the marketplace today.  Smart medical devices are soon to follow.  Some automobiles are already starting to become IoT enabled.  And commercial safety monitoring devices will likely adopt IoT technologies.

Corporate Leveraging of IoT

Beyond direct consumer applications, many businesses, even “traditional” or business-to-business companies, are seeking to utilize IoT to improve their operations, capture multitudes of data to feed into “Big Data” analytical engines to gain new insights, and obtain competitive advantages:

  • Financial Institutions: engage customers with experiential interactions based on consumption, health, travel and leisure, and transportation data.
  • Energy: Providers monitor smart-meter energy usage, allowing them to recommend energy management applications for large buildings, and to pinpoint abnormally high energy usage as a leading indicator of a forthcoming maintenance issue.
  • Healthcare: Companies are leveraging proactive fulfillment by providing replenishing supplies of medicine and medical components before the patient runs out.
  • E-Commerce: Retailers benefit from better inventory and fleet management, enjoy more information about warrantied products, and can offer targeted real-time promotions.
  • Manufacturing: Manufacturers and customers alike benefit from new “servitization” maintenance contracts, where inspections are reduced, and maintenance visits are targeted to specific components reporting problems.

These examples are early use cases for IoT and we believe that the potential applications of this technology are so dynamic that, frankly, they are difficult to predict or comprehend.  One thing that is certain, however, is that if IoT creates hyper efficiencies, results in new insights, and creates competitive advantages, most organizations will be clamoring to put it to use.

High Level Privacy, Security and Legal Risks

Companies that build, sell, employ, or rely on IoT devices should understand the privacy, security and legal ramifications of this new technology and how to reduce their risk.  While the benefits of IoT are yet to be fully understood or realized, many have concerns around the technology and its use that could serve as catalysts for potential legal risk, obligations and liability:

  • Security. Security of IoT is of particular concern to information technology specialists.  New technologies often experience growing pains as companies vie for market share and race to get their standards adopted.  During the initial rollout of IoT, therefore, securing the devices, applications, and platforms that enable IoT may be an afterthought.  We have seen this phenomenon play out in other areas, including mobile device application development. At the same time, IoT platforms are often equivalent in design, allowing hackers to exploit common vulnerabilities of one IoT device platform across different classes of devices.  Even after vulnerabilities are discovered, the low cost of the devices may disincentivize IoT producers from issuing security patches.
  • Privacy.  With connectivity comes the creation of data associated with a connected object; with the creation of data comes the collection of that data, the recognition that the data itself is valuable (in some cases more valuable than the connected object itself), and the desire to leverage the data for business purposes and profit.  Consider, as a hypothetical example, a connected pen.  What personal information could be derived from its use?  Location – the pen can be tracked as it sits in a purse collecting geolocation information, information concerning the stores and restaurants visited by the user, and perhaps even the location within a store that is visited (e.g. the aisle in which pregnancy tests are available in a drugstore).  The “content” created by the pen – data recorded by the use of the pen is tracked, including the companies or persons to whom checks are written and the amounts of those checks, or the private messages written to a friend or family member, or even trade secrets associated with a pending business offering.  Audio and video – if the pen is equipped with a camera or recording device, it could record and send audio and video back to its producer for further use and analysis.  When IoT is fully implemented, the variety and volume of potentially personal or private information available to third parties is enormous and ultimately poses risk for users as well as companies seeking to collect and use that information.
  • Property Damage and Bodily Injury. The Internet of Things, by definition, resides in the physical world and is attached to physical objects.  These objects, if something goes awry, could cause physical harm or bodily injury.  The insulin pump that loses connectivity at night and fails to properly monitor blood sugar levels and deliver insulin.  The connected alarm system that fails to report an intruder because of a glitch.  The car that is hacked, causing a fatal accident.  In short, the more we rely on devices to monitor and impact the physical world, perhaps subjugating our own decision-making processes to connected “smart” devices, the greater the potential for physical or bodily harm.

Ultimately these issues could result in legal risk, regulatory scrutiny, or litigation for the various players in the IoT ecosystem, and could hamper an organization’s ability to leverage IoT.

To better understand IoT, with some context around its potential use and legal risks, it is important to be familiar with the IoT ecosystem.  In Part Two of this series, we will explore the key players and stakeholders in the IoT ecosystem and their relationships, including: (1) hardware manufacturers; (2) software and platform providers; (3) data collectors and “Big Data” analytics providers; (4) data aggregators and data brokers; (5) companies seeking to leverage IoT; and (6) data subjects (in cases where personal information may be implicated in an application of IoT).  Additional posts will follow that go into more depth on the legal, privacy and security issues inherent in IoT implementations, regulatory guidance and activity around IoT, and methods and processes for analyzing and addressing these risks.