This is to certify that the present seminar paper entitled “INTERNET OF THINGS
(IoT) - Legal Issues, Opportunities & Challenges” embodies the original research work
carried out by Chinmoy Mishra under my supervision and guidance. This work is submitted to
Rajiv Gandhi School of Intellectual Property Law, IIT, Kharagpur for evaluation purpose.
Supervisor
Dr. T.K. Bandyopadhyay,
Associate Professor,
Rajiv Gandhi School of Intellectual Property Law,
IIT, Kharagpur.
Seminar in Charge
Dr. Padmavati Manchikanti,
Professor, Dean,
Rajiv Gandhi School of Intellectual Property Law,
IIT, Kharagpur.
Acknowledgment.
CHINMOY MISHRA
Table of Contents
Cover page
Declaration
Acknowledgment
1. What is IoT?
2. IMPACTS OF IoT ON MARKET
2.A HOME APPLICATIONS
2.B HEALTHCARE & MEDICAL SERVICES
2.C RETAIL INDUSTRY
2.D AUTOMOBILE INDUSTRY
2.E SHIPPING & LOGISTICS
2.F SMART CITIES
3 LEGAL ISSUES & CONCERNS
3.A PRIVACY & INFORMATION PROTECTION
3.B NET NEUTRALITY
3.C PATENTS
3.D INFORMATION OWNERSHIP
3.E FORMATION & VALIDITY OF CONTRACTS
3.F JURISDICTION
3.G SECURITY
3.H PRODUCT LIABILITY & CUSTOMER SAFETY
4 Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (US)
5 General Data Protection Regulation (GDPR) (EU), 2016
5.a Increased Territorial Scope
5.b Penalties
5.c Consent
5.d Information Subject Rights
5.e Right to Access
5.f Right to be Forgotten
5.g Information Portability
5.h Privacy by Design
5.i Information Protection Officers
6 Draft policy related to IoT (INDIA)
6.A.a Smart City
6.A.b Smart Water
6.A.c Smart Environment
6.A.d Smart Health
6.A.e Smart Waste Management
6.A.f Smart Agriculture
6.A.g Smart Safety
6.A.h Smart Supply Chain & Logistics
6.B Governance Structure
6.B.a Advisory Committee
6.B.b Governance Committee
6.B.b Program Management Unit
7 Effect of Aadhaar Judgement
8 Conclusion
Bibliography
INTERNET OF THINGS (IoT) - Legal Issues, Opportunities & Challenges
What is IoT?
In simple terms, the Internet of Things (IoT) is the incorporation of devices that can interact
with one another and perform jobs useful to humans, where each device is linked through a
sensing device and that connection lets the device take part in a bigger system in which
different devices can interact with each other. ‘Things’ in the IoT sense can mean a wide
diversity of devices, such as heart monitoring implants, biochip transponders on farm
animals, electric clams in coastal waters, automobiles with built-in sensors, DNA analysis devices
for environmental/food/pathogen monitoring, or field operation devices that assist firefighters in
search and rescue operations. These devices collect useful information with the help of many
technologies and then automatically stream the information between other devices.
A glance at the news regarding the IoT today reveals that every big market player in the
IT and technology industry is aiming to assert its dominance in IoT. Big names in this area
are not only working on evolving business models and marketable applications of the IoT
but also focusing on developing principles and procedures for those following in their
footsteps. The Government of India also published a ‘draft on Internet of Things Policy' in 2015,
with the goal of encouraging the formation of an IoT ecosystem and the expansion of IoT
products specific to Indian requirements in various domains like agriculture, health, water quality,
and natural disasters, among many others. Similarly, many Governments today are also coming
issues and are increasingly employing the concepts such as smart cities, smart power grids etc.
Global giants like Facebook, Google, Samsung, Apple, Microsoft and many more whether
RGSOIPL 17IP63011
development have invested heavily in the prospect of IoT, and with estimations that IoT will see
growth of over 400% over a few years1, the scope for profit from such investment is
unimaginable.
• Your alarm clock alerts the coffee-maker as soon as you wake up, and the coffee maker is
• The coffee maker sends the ready signal to your car, after you pick up your coffee from the
machine, to set the temperature inside it to your preferred levels by the time you are set
to drive to work.
• As soon as you enter your car, it gets the latest information from traffic management
system and displays the most efficient route to your office and also reserves a nearest
• As soon as your car nears the office building, it, in turn, signals your offices' electrical
switches to be switched on and signal your computer to prepare your daily schedule.
There is no limitation to the above imaginary scenario and yet all of them can still become reality,
A. HOME APPLIANCES:
From security applications such as instruments which are proficient in sensing fires and
intrusions, control doors and locks at home to luxury features that allow one to control
heating, lighting and many more of smart instruments, service providers associated to
1 IoT market potential for Canada, available at “http://www.marketwatch.com/story/internet-of-things-presents-enormous-untapped-potential-for-canadian-businesses-2016”
Predictions for the use of IoT in health care systems are very extensive, ranging from
a device like ‘GlowCaps’2 (“internet enabled medicine bottle caps, which can send a
patient reminders about taking medicines regularly, refilling prescriptions and even
scheduling doctor’s visits”) to remote healthcare systems which offer efficient monitoring
of a patient’s medical statistics, using devices that routinely collect and analyze
information at regular intervals. The usage of wearable devices which can monitor
information such as the heart rate, sleep cycles and activity logs of patients is also a vital
C. RETAIL INDUSTRY:
With possible uses in supply chain management, customer experience, and new channels
and revenue streams, IoT is set to transform the retail sector.3 A few of the advantages of
IoT are:
carriage, carriage timelines, wear & tear and state of raw materials and final
• Smart Store Windows – Upsurge in smart store windows which gather and
examine data about the number of customers that stop and view a window
2 Glowcaps products, available at http://www.glowcaps.com/product/
3 Digital Disruption, available at “https://www.accenture.com/in-en/insight-internet-things-revolutionizing-retail-industry.aspx”
D. AUTOMOBILE INDUSTRY:
In today’s domain of connected vehicles and connected drivers, IoT has led to one of its most
talked-about topics, “the Internet of Cars”. These connected vehicles use instruments,
software and a large number of the latest technologies to offer a continual stream of
data about everything from traffic and weather conditions to driver/vehicle performance,
Google has been testing a driverless car over the past few years4, and various other
technical organizations, for example, UBER and Apple are also said to be building up their
additionally ventured into the competition, with Tesla asserting that they are just two
years from producing its own autonomous vehicles.6 Outfitted with sensors and programs
to detect objects on the streets, and drive around such objects, these vehicles are also
completely linked with their owners, with capabilities to park themselves, to be called by
The shipping and logistics business has been one of the biggest beneficiaries of the
massive growth in global trade over the last 20 years, and supervision of freight, whether at
4 “Google’s IoT push continues with London driverless cars, VR headset & Go AI match, available at http://www.cbronline.com/news/internet-of-things/smart-technology/googles-iot-push-continues-with-london-driverless-cars-vr-headset-go-ai-match-4804528”
5 “Secrets of driverless Cars, available at http://www.theatlantic.com/technology/archive/2015/12/driverless-secrets/417993/”
6 “Tesla to produce driverless Cars in 2 years timeline, available at http://www.dezeen.com/2016/01/11/elon-musk-predicts-completely-autonomous-driverless-tesla-cars-in-two-years/”
sea or in the air, many miles away, has been a vital part of the daily activities of stakeholders
in this industry. Any mishandling of freight or even mishaps could result in massive losses.
IoT systems can go a long way in reducing the amount of error and oversight
required in this business, and the market is gradually switching to internet and GPS based
solutions in order to track consignments and ensure that freight arrives in proper
One of the primary instances of the usage of IoT in this area relates to the
food supply chain, to control the quality of food products. These methods can keep
dealers informed of the condition of the products, so that they can then ensure that suitable
amounts of the products are present in a proper state for sending to consumers.7
F. SMART CITIES:
Many big cities have embraced IoT based systems to improve city planning.
These cities now have smart parking, lighting and traffic solutions that provide people with
improved amenities, and are moving towards the objective of a totally linked “Smart City”:
“An ideal urban space where roads, street lamps, parking meters, traffic signals, toll
towers, and local government bodies are all able to communicate with each other.”
The Govt. of India has embarked on an ambitious strategy of creating 100 Smart Cities,
which relies heavily on M2M technologies by using a smart grid, automated waste
management etc.8
7 “How the Internet of Things is Revolutionizing Food Logistics, available at http://www.foodlogistics.com/article/11366603/food-and-more-for-thought-how-the-internet-of-things-is-revolutionizing-food-logistics”
8 “Smart cities need institutional reforms for Pvt. participation, available at http://www.business-standard.com/article/economy-policy/smart-cities-need-institutional-reforms-for-pvt-participation-116040800193_1.html”
IoT’s association with wearable devices creates tons of information which has the
potential to change everyone’s life, mainly in the areas of transport,
home automation, retail, and health. IoT will link more devices and more individuals to the
Internet, and ultimately enhance people-to-people connection. These instruments will
have the capability to know us individually, which will raise one of the most
debated issues: privacy. The moment several machines start to interact with each other,
there will be a huge volume of information transmitted and exchanged
between these devices and their users, which will result in the disclosure of private data,
raising concerns for privacy and data security. The key requirement under the
privacy laws of all states is free and informed consent. Procuring consent from the
user in this circumstance becomes tough, as a majority of programs run with default
background settings and collect private data as they are programmed to do so.
So the capability of people to regulate the use of their private data or to provide
informed consent becomes theoretically and legally challenging. Also, the risk that
private data can be used for purposes other than what it was initially intended for rises.
The latest action brought by the US FTC against TRENDnet gives a hint of the possible mishaps
that may happen if steps are not taken to resolve the privacy issues that will damage IoT
networks. TRENDnet sold web-connected cameras to be used for home
security, baby monitoring etc. The faulty software allowed unrestricted online viewing,
enabling hackers to post live videos of hundreds of customer cameras on the web,
displaying videos such as babies sleeping in their cribs and people performing their daily
works.9
The European Commission has always been ahead in terms of addressing the privacy
concerns of European citizens. The draft Data Protection Regulation was put forward by
the European Commission in 2012 and was agreed upon by the European Parliament and
the Council of the European Union in December 2015.10 The GDPR was adopted on 14
April 2016 and has been enforceable since 25 May 2018. As the GDPR is a regulation, not a
directive, it does not require state governments to pass any supporting legislation and is directly
binding and applicable.11 This Draft Regulation states that “taking into account the state
of the art, the cost of implementation and the nature, scope, context and purposes of
processing as well as the risks of varying likelihood and severity for rights and freedoms of
natural persons posed by the processing’ an information controller must ‘both at the time of
the determination of the means for processing and at the time of the processing itself,
minimisation, in an effective manner and to integrate the necessary safeguards into the
processing in order to meet the requirements of this Regulation and protect the rights of
information subjects. Since IoT is still evolving, it may be cost effective for technology
developers, from a compliance perspective, to design wearables and their embedded software
in such a way that they address privacy concerns. The cost of the product is an integral
9 “TRENDnet Cameras Still Have Gaping Security Holes, 3 Years After FTC Settlement, available at http://fortune.com/2017/11/15/security-camera-hack-ftc-trendnet-dahua-belkin/”
10 “Agreement on Commission's EU data protection reform will boost Digital Single Market, available at http://europa.eu/rapid/press-release_IP-15-6321_en.htm”
11 General Data Protection Regulation, available at “https://en.wikipedia.org/wiki/General_Data_Protection_Regulation”
personal information are covered under the Information Technology Act, 2000 (“ITA”) and
information Rules, 2011” issued under Section 43A of the ITA (as amended). Section 43A of
the ITA which deals with “protection of information in electronic medium by providing that
operates and such negligence causes wrongful loss or wrongful gain to any person, such
entity shall be liable to pay damages by way of compensation to the person so affected.
The Rules, inter alia, provide guidelines to protect ‘sensitive personal information or
information’ in the electronic medium by a corporate entity which possess, deals or handles
such information.” The law lays down the fundamental rule of privacy law that corporates
should obtain free consent, together with certain security compliance. Since the law on
individual data, in all circumstances, when utilized within the setting of IoT.
B. NET NEUTRALITY
Net neutrality is the principle that “all internet traffic is treated the same”, irrespective
of its nature or purpose. Net neutrality protects open and uninterrupted Internet
access. Under this norm, no information can be prioritized over other information. This means Internet
Service Providers (“ISP”) shouldn’t differentiate between varying types of data. Net
neutrality has been a much-debated topic in the USA between customer groups, government
officials and ISPs for more than a decade. “However, net neutrality has far-reaching
increasing, which would result in high-quality content being streamed seamlessly over the
internet. Without net neutrality, an ISP can charge a user more for using YouTube in
One of the many important facets for the success of IoT is the integration of various
systems, networks, and applications, combined seamlessly. This will be a big
challenge without net neutrality.12 Here, what has to be considered is how IoT and its
convergence would be affected in the event that there is no net neutrality. There are
those who believe that having no net neutrality might actually be advantageous.
These groups argue that for IoT users and services, there is some attraction in ISPs
being able to offer prioritized traffic for critical systems like supply chain management
and private security, where the reliability of the connection is fundamental.
When networks are overloaded, being able to shed non-essential traffic may be vital
for emergency services and the devices they may depend upon.13 At the same time,
there are advocates who emphatically say that not having net neutrality will ruin future.
These groups contend that without net neutrality ISPs can gain the
legal power to control IoT devices that need to use their networks to
communicate with other devices. The person who builds the chip in your car would
require the permission of a mobile carrier; so would the person writing a computer
program to let the iPhone control all of the systems. These manufacturers of
systems and applications can face increased legal and commercial costs, and many of
12 “What the Net Neutrality Ruling Means for The Internet of Things, available at http://www.machinetomachine-technologyworld.com/articles/366860-what-net-neutrality-ruling-means-the-internet-things.htm”
13 “Network neutrality and the internet of things, available at http://paulwallbank.com/2014/01/16/network-neutrality-and-the-internet-of-things/”
these might never become a reality, which will affect the upcoming growth in our world of
Communications and internet services are still heavily regulated in India. The majority of
the laws were drafted decades ago and generally without consideration for new
concepts. There are no specific rules that deal with net neutrality, but the Telecom
Department of the Govt. of India does put a duty on all telecom operators to deliver telecom
services in a non-discriminatory manner until the government directs otherwise. This commitment is
part of the Unified Permit, which is the main permit that governs most of the telecom
services in India. Bharti Airtel, one of the largest telecom service providers in
India, introduced a differential pricing model based on the type of mobile internet. This
move was widely reported in the Indian media and became a contentious matter
among net neutrality activists in India. As a result, the telecom regulator
neutrality in India and give adequate directions. The telecom regulator issued a consultation
paper on net neutrality and over-the-top services,15 getting an intense reaction from the
sponsored by a number of well-known local businesses in India. After much discussion, the
telecom regulator recently issued a direction that forbids ISPs from offering data plans
to subscribers on the basis of the content accessed. The rules now prevent ISPs from
checking web traffic in an unreasonable manner or favoring one content over the other, thus
14 “The Next Big Battle in Internet Policy, available at http://www.slate.com/articles/technology/future_tense/2012/10/network_neutrality_the_fcc_and_the_internet_of_things_.html”
15 “The top services for net neutrality, available at http://www.trai.gov.in/WriteReadinformation/ConsultationPaper/Document/OTT-CP-27032015.pdf”
C. PATENTS
“In order for IoT and its convergence to exist and function properly, devices need to
communicate with each other for which devices need to use standardized technology.” This
may be required because different devices from different commercial sources have to be
interfaced together, and the existing technology must permit the addition of devices.16 In
any case, if standardized technologies are patented at this point, it will create
obstacles for the advancement of IoT, as any party adopting standardized technology will
setting bodies take these factors into consideration while setting a standard and declare
such patents as standard essential patents (SEPs). The standard setting organization needs
to impose a condition on the SEP owner to license their patents to third parties on fair,
business has revealed that agreeing to FRAND terms is not always straightforward. The recent
series of lawsuits in the smartphone business was instigated by Microsoft,
Apple and Google, and is also due to the fact that there are tons of 3G and LTE patents
and many of the owners are not manufacturers but rather so-called trolls. However,
with the smartphone and telecom market providing a model, it is hoped that a suitable
From an Indian point of view, software applications per se are not patentable in
patentable in India but would need to be scrutinized in light of the "Guidelines for
16 “Patent issues and the Internet of Things, available at http://www.taylorwessing.com/download/article_patent_iot.html”
17 Ibid
Additionally, the Department of Industrial Policy and Promotion has issued a “Discussion
paper on Standard Essential Patents and their availability on FRAND terms”, inviting
stakeholder comments with a view to presenting a suitable policy framework to define the obligations of
essential patent owners and their proprietors.18 It will be interesting to see how this area
progresses when Indian patents are examined as SEPs alongside the FRAND
D. INFORMATION OWNERSHIP
The architecture of IoT carries its own set of information ownership
problems. As machines will be seamlessly linked and interacting with each other, a large
amount of information will be created. Google Nest is the best example to understand the
probable information ownership issues that might arise in the future. The Google Nest
thermostat is a device that learns a person’s schedule, programs itself and can be
controlled from the phone. It is claimed that this technology can reduce your heating and
cooling bills up to 20%. Google Nest is currently coordinating with companies such as
Mercedes to develop cars that can constantly interact with Google Nest thermostat and
know what time a person will be arriving home and accordingly Google Nest thermostat
will adjust itself so that the instant you arrive you will have your desired temperature. Now
this communication between the car and Google Nest thermostat will involve multiple
sensors including geo-location sensors that will generate information. This information will
provide insights into a person’s habits such as preferred routes, arrival timings, fuelling
habits etc. This information could be a great treasure for advertisers, which can possibly
18 Standard Essential of Patents, available at “http://www.ipindia.nic.in/Whats_New/standardEssentialPaper_01March2016.pdf”
copyrighted work is created when a work is made by two or more authors with the intention
that their contributions should be combined with each other. This rule does not look into the
extent of the contributions of each inventor; what is critical is the element of
intention of the inventors. One argument that can be made is that the mere fact that
two entities let their devices connect with each other and create data seems to reflect the
intention of the parties to form joint ownership. Be that as it may, there is no settled law
on this subject in relation to IoT and its convergence under Indian laws. Again, issues may get
more complex and foggy when there are multiple devices interacting with each other
effectively resolved to an extent by way of agreements between the machine creators and
the consumers, and in a lot of scenarios the agreements will be made between the
consumers and the creators by way of web based contracts such as click-wrap and shrink-
wrap agreements. “In case of a shrink-wrap agreement, the contracting party can read the
terms and conditions only after opening the box within which the product (commonly a
license) is packed. Thus, it becomes important to examine the validity of these contracts.
In the US, there have been instances where the courts have struck down specific terms of
contracts which were held to be immoral”. In the case of Comb v. PayPal, Inc19, the
California courts held that “the e-commerce agreement which obligated users to arbitrate
their disputes pursuant to the commercial rules of the American Arbitration Association
which is cost prohibitive in light of the average size of a PayPal transaction is immoral”.
In India, e-agreements, like all agreements, are governed by the basic principles
principal contracts in India, i.e. the Indian Contract Act, 1872 (“Indian Contract Act”)
which “inter alia mandate certain pre-requisites for a valid contract such as free consent
and lawful consideration. What needs to be examined is how these requirements of the
Indian Contract Act would be fulfilled in relation to e-contracts”. In this situation, it is vital
to take note of the Information Technology Act, 2000 (“IT Act”), which provides protection
for the validity of e-contracts. There is no obligation under the Indian Contract Act to
get written contracts physically signed. However, specific laws do have signature
requirements. For example, the Indian Copyright Act, 1957 states that “an assignment of
copyright needs to be signed by the assignor. In such cases, the IT Act equates electronic
signature with physical signatures. Further, unless expressly forbidden under any statute,
e-contracts like click-wrap agreements would be enforceable and valid in India if the
requirements of a valid contract as per the Indian Contract Act are fulfilled. In India, the
jurisprudence on the issue of whether standard form online agreements are immoral or
not is not very developed. However, Indian laws and Indian courts have dispensed with
instances where terms of contracts (including standard form contracts) were negotiated
contracts, the courts can put a burden on the person in the dominant position to prove
that the contract was not induced by undue influence”. When it comes to IoT, in general
there is little or no scope for negotiations to be held between the machine creator and the
19 218 F.Supp.2d 1165
F. JURISDICTION
One of the key concerns that can come up in a dispute between the machine maker
and the consumer is jurisdiction. The reason is that when numerous gadgets
are involved, there is a probability that such gadgets could be situated at various locations and
sometimes outside the territorial limits of a specific nation. Therefore, it would need
to be decided by the court (on a case-by-case basis) whether or not it has
determination, the courts in a nation have jurisdiction over people who are inside the
nation as well as over the transactions and events that happen inside the natural borders of
the country. Hence in a web based world, if the gadget maker is offering its gadgets in a
specific nation directly to customers, it might be required to defend any case
that may arise in that nation. So, the machine maker must analyse the municipal rules
before advertising or selling its products or services, as it might run the risk of being
sued in any jurisdiction where the goods are transacted or where the services are availed
of.
In the Indian context, in general many municipal laws provide for a “long arm
jurisdiction”, as a result of which such municipal laws have extra-territorial application
if an act or omission has resulted in some unlawful or harmful consequence within the
territory of the country. Certain statutes under Indian law provide for extraterritorial
jurisdiction. Section 1(2) of the IT Act read along with Section 75 says that:
“-the Act shall extend to the whole of India and, save as otherwise provided under the Act,
it shall apply also to any or contravention thereunder committed outside India by any
person and
-the Act shall apply to any offense or contravention committed outside India by any person
Section 3 of the Indian Penal Code, 1869 says that “any person who is liable, by any Indian
law, to be tried for an offense committed beyond India shall be dealt with according to the
provisions of the IPC for any act committed beyond India in the same manner as if such act
G. SECURITY
As IoT becomes embedded in daily life, extending from trade controls to private devices
and infrastructure such as transport and power, the security concerns in these matters
become more complex and more severe. “IoT and its convergence provide
hackers with more susceptibilities to exploit and create significant security risks. Such risks
could take a variety of forms, depending on the nature of the information and devices in
question. For example in the perspective of e-health, the collection and rapid exchange of
increases risks in respect of patient privacy, but also has the far more alarming potential to
endanger life if one takes the example of implanted medical devices administering drugs
on the basis of independent information inputs. A system failure or more sinister malicious
attack on such a device could have dire consequences”. In the area of energy, hackers can
target smart meters to cause large shutdowns, and in the area of home security, it takes
little imagination to foresee the potential effects of a system breakdown or a malicious
attack.20
Big companies such as “Google and Cisco are aware of the security issues and are
20 “The Internet of Things: The Old Problem available at http://media.mofo.com/files/Uploads/Images/140320-The-Internet-of-Things-Part-2.pdf”
working to resolve the same. The best way to address security issues in devices is at the
designing stage itself and to frequently update the devices from potential new threats. In
addition, legal and legislative developments also need to take place in order to address the
above-mentioned security issues. The next question that needs to be answered is doing we
need a new law at the state level or is there a requirement for an international legislation.
One proponent has argued that in light of the various factual scenarios that can arise, it
appears to be hardly possible to come to a similar legal framework governing all sides”.
Besides, a diverse and differentiated approach might need to be adopted while drafting any law.21
Product liability is the area of law in which manufacturers, distributors, dealers, retailers,
and others who make goods available to the public are held accountable for
the property damage and physical harm those goods cause. In the area of IoT, product
- Physical Hurt
- Property Damage
- Pecuniary Damage
persons and businesses might suffer overwhelming damages. Calculations of basic medications
may be missed or required medicinal treatments precluded, or a malfunctioning fire alarm
may fail to alert property holders to a fire. Such gadget malfunctions may result
standards of negligence or absolute liability or strict liability under tort law. A court in a
21 “Internet of Things – New security and privacy challenges, Computer Law & Security Review”
product liability claim involving an IoT gadget will use these standards to decide the
liability of the producer of the gadget. Initially, product liability claims had to be
proved under the rule of negligence. To prove negligence
on the part of a manufacturer, the consumer would usually need to prove a duty of care of the
the law advanced, courts across different jurisdictions worldwide began applying the rule of
strict liability in product liability matters; this standard is more favourable to the
consumer. Under this rule, the maker is liable if the item proves to be defective,
regardless of whether the manufacturer was careless in making that item.
The motive for courts embracing the strict liability principle is that a manufacturer can
foresee possible dangers in relation to the goods and take steps to protect the goods from
these threats, whereas a customer cannot. The cost of physical harm, pecuniary damage
or property damage is a hardship for a customer, whereas a maker may protect
himself by way of product liability insurance, and this is an extra cost of doing busi-
In the Indian context, it might be vital for IoT system manufacturers to procure and
shield themselves with product liability insurance and take this into consideration
while doing business. Insurance agencies should look to offer customized product
liability insurance to IoT gadget makers, as in a few situations customary product liability
insurance may not fully protect IoT gadget producers. In addition to strict liability and
related torts, India has a number of laws, including the Consumer Protection Act,
1986, which “protect consumers against defective products, poor services, anti-competitive
practices and prices, deceptive marketing (in the case of hazardous goods), among other
things. These consumer-oriented laws also provide for special courts/forums that work on a
fast track basis and protect and allow consumers to sue and obtain remedies easily when
The Internet of Things (IoT) Cybersecurity Improvement Act of 201722 is a bill before the U.S.
Senate that seeks to enhance the security of internet-connected devices. The bill’s provisions
leverage federal purchasing power to improve the security of IoT devices by requiring, among
other things, IoT device, software, and firmware providers to certify compliance with specified
security controls and requirements relating to vulnerability patching and notification, unless such
contractors otherwise satisfy one of three waiver requirements. The bill also directs the
government contractors; to amend federal statutes, specifically the Computer Fraud and Abuse
Act (“CFAA”) and Digital Millennium Copyright Act (“DMCA”), to exempt certain “good faith”
activities by cyber-security researchers; and require all executive branch agencies to maintain an
inventory of IoT devices active on their networks. Below is a summary of some
The bill mandates that government agencies buying such products include in their procurement
1. The contractor (the entity selling the IoT device) provide written certification that:
a) The device does not contain any known security vulnerabilities or defects that are listed
in the NIST information base of vulnerabilities or another such national information base.
b) All components are capable of being updated securely from the vendor.
22 S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017, available at https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt
d) Does not include any fixed or hardcoded credentials used for remote administration,
2. That the contractor will notify the purchasing agency of any known security vulnerabilities
to any new security vulnerability discovered through any of the “national information
5. A contractor requirement to provide the purchasing agency with information on the ability
“Exceptions may be granted if the executive agency reasonably believes that the device has
severely limited functionality as defined. Within 180 days after enactment, NIST shall define what
this means”.
“Exceptions also exist for existing third-party security standards for devices that provide an
equivalent or greater level of security than that described above. These must be NIST qualified.
The same exceptions are available where agency security evaluations standards already exist.
The bill requires that not more than 180 days after enactment, the head of each executive agency
establish and maintain an inventory of IoT devices used. OMB is instructed to issue guidelines for
the agencies for this inventory no later than 30 days after enactment and to work with the
Though there are many weaknesses in this bill, it is a step in the right direction. It is the
first bill of its kind to deal specifically with internet-connected systems. It also deals with
Europe is now protected by the world's strongest information protection rules. The mutually
agreed General Data Protection Regulation (GDPR)23 came into force on May 25, 2018, and was
designed to reform laws that protect the personal information of individuals. The previous
information protection rules across Europe, in place before GDPR began to be enforced, were first
formed during the 1990s and had struggled to keep pace with rapid technological changes. GDPR alters how
businesses and public sector organizations can handle the information of their customers. It also
boosts the rights of individuals and gives them more control over their information. The aim of the
GDPR is “to protect all EU citizens from privacy and information breaches in today’s information-
obsessed world. Although the key principles of information privacy still hold true to the previous
directive, many changes have been proposed to the regulatory policies; the key points of the
GDPR, as well as information on the impact it will have on business, can be seen below:
Arguably the biggest change to the regulatory landscape of information privacy comes
with the extended jurisdiction of the GDPR, as it applies to all companies processing the
23 “The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years, available at https://eugdpr.org/”
company's location. Previously, the territorial applicability of the directive was vague and
referred to the information process in the context of an establishment. GDPR makes its
and processors in the EU, regardless of whether the processing takes place in the EU or
not. The GDPR also applies to the processing of personal information of information
subjects in the EU by a controller or processor not established in the EU, where the actions
required) and the monitoring of behaviour that takes place within the EU. Non-EU
the EU.
b. Penalties
Million (whichever is greater). This is the maximum fine that can be imposed for the most
serious infringements e.g. not having sufficient customer consent to process information
or violating the core Privacy by Design concepts. There is a tiered approach to fines
e.g. a company can be fined 2% for not having their records in order (article 28), not
notifying the supervising authority and information subject about a breach or not
conducting an impact assessment. It is important to note that these rules apply to both
controllers and processors, meaning ‘clouds’ are not exempted from GDPR enforcement.
c. Consent
The conditions for consent have been strengthened, and companies are no longer able to
use long illegible terms and conditions full of legalese. The request for consent must be
given in a clear and easily accessible form, with the purpose for information processing
attached to that consent. Consent must be clear and distinguishable from other matters and
provided in an intelligible and easily accessible form, using clear and plain language. It
Breach Notification: Under the GDPR, breach notification is now mandatory in all member
states where an information breach is likely to result in a risk for the rights and freedoms of
individuals. This must be completed within 72 hours of first having become aware of the
breach. Information processors are also required to notify their customers, the controllers,
e. Right to Access
Part of the expanded rights of information subjects outlined by the GDPR is the right for
or not personal information concerning them is being processed, where and for what
purpose. Further, the controller shall provide a copy of the personal information, free of
f. Right to be Forgotten
Otherwise called Data Deletion, the right to be forgotten entitles the data subject to
have the data controller erase the personal data, stop further dissemination of the
data, and possibly have third parties stop using the data. The conditions for erasure, as
laid out in article 17, include the data no longer being relevant to the original purposes
for processing, or a data subject withdrawing consent. It should also be noted that this
right requires controllers to weigh the subjects’ rights against the public interest for the
g. Information Portability
GDPR introduces data portability: the right for a data subject to receive the personal data
concerning them, which they have previously provided, in a commonly used and machine-readable
format, and the right to transmit that data to another controller.
h. Privacy by Design
Privacy by design as a concept has existed for a considerable length of time, but it is only
now becoming part of a legal requirement with the GDPR. At its core,
privacy by design requires data protection to be present from the beginning of the
effective way… in order to meet the requirements of this Regulation and protect the rights
of information subjects". Article 23 calls for controllers to collect and regulate only the data
absolutely necessary for the completion of their duties (data minimization), and
in addition to restrict access to private data to those who want to process such data.
Under GDPR it is not necessary to submit notifications to every local DPA of data handling
Model Contract Provisions (MCCs). Rather, there are internal record-keeping requirements, as
further explained below, and DPO appointment is mandatory only for those controllers
and processors whose core activities consist of processing operations which require regular and
of data or data relating to criminal convictions and offences. Importantly, the Information
Protection Officer:
• Must be provided with appropriate resources to carry out their tasks and maintain their
expert knowledge
• Must not carry out any other tasks that could result in a conflict of
interest.”
To conclude, there are a significant number of requirements that relate to EU GDPR. It is
important to understand these requirements and their implications for the organization, and
to implement them within the context of the organization. Such implementation would require a committed
A. The Indian Government published its draft policy on IoT with the aims (i) to create an IoT industry
in India of USD 15 billion by 2020. This will also lead to an increase in connected devices
from around 200 million to more than 2.7 billion by 2020. According to the Gartner Report, the
total revenue generated by the IoT industry would be USD 300 billion and connected devices
would number 27 billion by 2020 globally. It has been assumed that India would have a share of
5-6% of the worldwide IoT industry, (ii) to develop IoT products specific to Indian needs in the
automobile, supply chain management, smart cities, automated metering and monitoring of
a. Smart City: “To set-up a Smart city model which would embrace deployment and display
of IoT concepts to be used in the development of Smart City. Some of the key features of a
• Smart parking.
• Tele-care.
• Woman Safety
• Smart Grids.
• Waste management.
• Digital-signage.
• Water Management
b. Smart Water: (i) To set up potable water monitoring tools to monitor the quality of tap water
in all government-owned educational institutes and public places. (ii) To set up a project to
detect real-time leakages and wastes of factories in rivers and other natural water bodies.
(iii) To set up a project for monitoring of water level variations in rivers, dams, and reservoirs,
c. Smart Environment: (i) To set up a project for alarm and control of CO2 emissions of
factories, pollution emitted by cars and toxic gases generated. (ii) To set up projects to
create alarms based on circulated control in specific places like buildings, bridges, or
d. Smart Health: (i) To set up projects for monitoring various vital parameters of patients like
subtle changes in pulse, respiration, heart condition, temperature and preventive warning
remote patient location including old people's home and ambulance. (ii) To set up projects
to help prevent dementia and other mentally unhealthy patients from getting lost. (iii) To
e. Smart Waste Management: To promote the ‘SWACH BHARAT’ initiative, we may set up
projects to create products which are solar-powered trash containers and trash compactors
f. Smart Agriculture: (i) To set up a project for precision farming which uses information
analysis to adapt operations. The project may include monitoring of soil moisture,
vibrations, earth density and pests to detect dangerous patterns in land conditions and
create an online update mechanism for farmers. (ii) To set up a project to allow farmers to
monitor online the temperature of grain bins and receive an alert if the temperature rises
outside of an acceptable range, to help them protect grains in storage areas. This also can
g. Smart Safety: To set up a project to build a wearable device for women, children and old
h. Smart Supply Chain & Logistics: (i) To set up a project for enabling universal ambulance
service at any place using any kind of device. (ii) To enable the logistics chain managed by
government for essential food items to ensure need-based refilling and reduction in
B. Governance Structure:
supervision in the emerging area of IoT. The committee should comprise of:
I. Government-
c. Technology organizations
d. Network organizations.
c. Networking
d. Sensor Technologies
by Secretary, DeitY including representatives from Government for governing all IoT
led by Director (IoT Operations & Smart City support). The role of the PMU would be, but
• Provide ongoing implementation support to various initiatives within the IoT policy
• Track the performance of IoT initiatives vis-à-vis planned timelines and highlight issues
Committee.
“We may record here that (Aadhaar) enrolment is of voluntary nature. However, it becomes
compulsory for those who seek to receive any subsidy, benefit or service under the welfare scheme
of the government expenditure whereof is to be met from the Consolidated Fund of India." This
quote is from the judgment of the Aadhaar case24. Although this judgment is not related to IoT, it
is considered a monumental step by the Indian judicial system regarding protection of privacy and
guidelines on how to use personal information, and this judgment will have significant bearing
on the minds of the legislature when it frames the regulatory framework for IoT-related matters
1. SC held that “it is very difficult to create a profile of a person simply on the basis of
biometric and demographic information stored in CIDR”. But the order does dilute some
provisions pertaining to data protection. For instance, it has directed that authentication
records are not to be kept beyond a period of six months, whereas the Aadhaar Act
fundamental right, the order states that any restraint on privacy must meet three tests.
a. backed by law
c. proportionality
The existence of the Aadhaar Act and delivery of welfare benefits fulfill the first two
requirements. The order noted that the third test of proportionality has also been met
24 K.S. Puttaswamy and another vs. UOI, 2018 SC
because:
a. the purpose of the act is to ensure deserving beneficiaries of welfare schemes are
correctly identified;
Right to privacy on the one hand and right to food, shelter, and employment on the other.
But the majority order directs that Section 7 of the Aadhaar Act, 2016, which says proof of
Aadhaar number is necessary for receipt of certain subsidies, benefits, and services, etc.,
would cover only those benefits for which expenditure is drawn from the Consolidated
Fund of India.
3. The order stated that "any purpose" is susceptible to misuse and can only be a purpose
backed by law. It also found that allowing any corporation or person to use Aadhaar for
individual, would enable commercial exploitation of private data and was hence held to be
unconstitutional. Regulation 27, which provided for archiving of data for
a period of five years, has been struck down. Retention of data beyond the period of six months is impermissible.
Section 47 of the act, which provides that only UIDAI can file a court complaint in case of
violation of the act. SC held this section must be amended to also allow the filing of such
4. While SC upheld the Aadhaar-PAN Tax Linkage, at the same time SC struck down Aadhaar-
Banking linkage and Aadhaar-Mobile linkage, terming it as “violates the right to privacy of
8. CONCLUSION:
To sum up the above discussion, the “Internet of Things”, following the path of web-based business,
cloud computing, and big data, has become a definite part of the e-world. As time goes
by, the life of each human being has become further entangled with and reliant on the internet,
wherein e-commerce has given us the facilities of online marketing, cloud computing, retrieving and
using web-based services and unlimited information, and the ability to collect small bits of distinct
data to build a complete study of a whole business. Though IoT has taken a step forward, it
envisions a future where businesses, industries, governments and people are unified through machines that
considerably decrease the necessity for human involvement. This in turn delivers an
abundance of commercial prospects, and yet there are a lot of concerns, both technology- and law-related,
which will need to be discussed. In the future, the expectation is that such
concerns will be efficiently resolved so as to permit an open market, where
customers have the freedom and capability of using an infinite number of choices that will be accessible
Bibliography
http://www.marketwatch.com/story/internet-of-things-presents-enormous-untapped-potential-for-canadian-businesses-2016
revolutionizing-retail-industry.aspx
4. Google’s IoT push continues with London driverless cars, VR headset & Go AI match,
technology/googles-iot-push-continues-with-london-driverless-cars-vr-headset-go-ai-match-4804528
http://www.theatlantic.com/technology/archive/2015/12/driverless-secrets/417993/
http://www.dezeen.com/2016/01/11/elon-musk-predicts-completely-autonomous-driverless-tesla-cars-in-two-years/
http://www.foodlogistics.com/article/11366603/food-and-more-for-thought-how-the-internet-of-things-is-revolutionizing-food-logistics
http://www.business-standard.com/article/economy-policy/smart-cities-need-institutional-reforms-for-pvt-participation-116040800193_1.html
9. TRENDnet Cameras Still Have Gaping Security Holes, 3 Years After FTC Settlement, available
at http://fortune.com/2017/11/15/security-camera-hack-ftc-trendnet-dahua-belkin/
10. Agreement on Commission's EU data protection reform will boost Digital Single Market,
available at http://europa.eu/rapid/press-release_IP-15-6321_en.htm
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
12. What the Net Neutrality Ruling Means for The Internet of Things, available at
http://www.machinetomachine-technologyworld.com/articles/366860-what-net-neutrality-ruling-means-the-internet-things.htm
http://paulwallbank.com/2014/01/16/network-neutrality-and-the-internet-of-things/
http://www.slate.com/articles/technology/future_tense/2012/10/network_neutrality_the_fcc_and_the_internet_of_things_.html
gov.in/WriteReadinformation/ConsultationPaper/Document/OTT-CP-27032015.pdf
download/article_patent_iot.html
http://www.ipindia.nic.in/Whats_New/standardEssentialPaper_01March2016.pdf
18. New guidelines on information ownership and liability could be issued to address ‘internet
guidelines-on-information-ownership-and-liability-could-be-issued-to-address-internet-of-things-phenomenon/
http://media.mofo.com/files/Uploads/Images/140320-The-Internet-of-Things-Part-2.pdf
21. Internet of Things – New security and privacy challenges, Computer Law & Security Review
22. S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017, available at
https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt
23. The EU General Data Protection Regulation (GDPR) is the most important change in data
https://www.mygov.in/sites/default/files/master_image/Revised-Draft-IoT-Policy-2.pdf