INTERNET OF THINGS & ITS LEGAL IMPLICATIONS

INTERNET OF THINGS & ITS LEGAL IMPLICATIONS

Introduction:

Internet of Things is a network of devices connected via the internet that can interact directly with each other without the need of any human intervention. This uninterrupted interaction between the devices is often referred to as machine-to-machine communication, or M2M. We are already surrounded by numerous electronic devices that aid and assist our personal and professional lives. All such electronic devices require at least a miniscule level of human input but with the advent of Internet of Things (IoT), such human involvement will cease to exist. Besides being an extensive part of our private lives, this technology will soon enter professional workplaces, including manufacturing and service industries. It has the capacity to benefit both industries and consumers in innovative ways through varied applications. The market size of IoT in India is expected to reach USD 9 billion by 2020. The leading factors contributing in this upsurge are IoT organizations, comprising 60 percent of start-ups and large investment by the Government of India[1]. Therefore, considering the capacity of this technology in transforming industries, it is essential to analyze its effects upon the civil liberties of consumers.

Privacy concerns:

Being private is different from being secret. Individuals may not perform certain actions if they are under surveillance, even if those actions are legal. It is known to be the normalizing effect of surveillance. Privacy allows individuals to be who they are; it allows them to maintain autonomy and their individuality. In the words of Justice D.Y. Chandrachud[2], privacy, in its simplest sense, allows each human being to be left alone in a core which is inviolable. Hon’ble Supreme Court has upheld the right to privacy as a fundamental right under Article 21 of the Constitution of India. The said right to privacy includes ‘informational privacy’, and thus recognizes that an individual may have control over the dissemination of material that is personal to him.

Data collection is the primary requirement for the functioning of IoT devices. These devices are able to communicate with consumers, collect and transmit data to companies and compile large amounts of data for third parties. With innumerable devices communicating with each other through the internet, the possibility of data breach is high and as more devices are introduced, this issue will only complicate further.

Legal Framework:

This part will comprehensively review all laws and regulations with the aim of identifying gaps and pitfalls. India does not have any specific regulatory policy for the governance of IoT. The provisions relating to data protection of individual personal information are covered under the Information Technology Act, 2000 and the Reasonable Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 issued under Section 43A of the ITA (as amended). Section 43A of the Information Technology Act deals with protection of data in electronic medium and provides that when a body corporate is negligent in implementing and maintaining ‘reasonable security practices and procedures’ in relation to any ‘sensitive personal data or information’ that it deals, possesses or handles in a computer resource that it owns, operator controls and such negligence causes wrongful loss or wrongful gain to any person, such entity shall be liable to pay damages by way of compensation to the person so affected.

Proposed Framework:

The Indian legal system can neither follow the traditional ‘principle based’ or ‘rule based’ regulatory intervention nor can it initiate ‘early regulatory’ intervention. The framework governing IoT has to be such that encourages innovation while ensuring consumer safety. Presently, legislatures around the world face a similar problem when enacting laws for the governance of emerging technologies. The innovation cycle in the tech-industry has reached an exponential pace that leaves comparatively less time for the society and regulatory bodies to respond. This creates a gap between innovation and regulation and this gap is often termed as, ‘The Pacing Problem’. An increase in the gap causes unpredictability and higher contingency effects. Therefore, there is a need for regulation to be quick and flexible, as the judiciary cannot always take the burden of legislature and counterbalance its shortcomings. The legislature has to introduce policies and laws that propose preventive measures. The focus has to be shifted from ‘ex post’ laws to ‘ex ante’ laws for the prevention of data breaches and an increased efficiency by effective avoidance of litigation.

1. Technological experts’ involvement in parliamentary committees, governmental departments, law reform organizations, technology assessment agencies, ethics bodies and Courts is an absolute necessity.

1. The scheme of cooperation and management incentives has to be established by the Central Government in its dealings with IoT development companies rather than relying on primarily conventional command-and-control regulation.

1. A specifically drafted ‘Privacy Policy’ shall be mandatory that regulate the collection of private information, scope and extent of the usage of such information and the steps taken to ensure the protection of the collected information.

1. The service provider shall adopt a precisely drafted ‘Terms & Conditions’ which, regulates the liability and responsibility of the service provider in case of an unlikely event of a data breach and provides for dispute resolution mechanisms.

1. The mist surrounding data ownership and relationship between data principal-data fiduciary has to be cleared.

Conclusion:

It can be established that India’s legal framework is not adequately equipped to counter the threats that IoT poses. Therefore, it is prudent upon the Indian Legislature to establish a strong ex ante regulatory framework for the functioning of IoT instead of relying upon corrective laws and increasing the Judiciary’s burden. However, certain investigation is still required into the nature of ‘machine generated data’ and the ownership of original data that is created out of the interaction between various devices in an IoT environment. Moreover, nations need to inquire into data ownership, data sovereignty and its relationship with geographical storage of such data.

[1] IoT: Landscape and Nasscom Initiatives, NASSCOM, May 2017, https://www.wfeo.org/wp-content/uploads/stc-information/L3-IoT_Landscape-by-S_Malhotra.pdf.

[2] Justice K.S. Puttaswamy (Retd.), and anr. v. Union of India and ors., (2017) 10 SCC 1

By Sameer Samal:-