Internet of Things (Iot): Legal Considerations for Businesses

The Internet of Things (or, IoT) is a fast-growing, technological phenomenon which refers to the connection of objects to the internet via machine-to-machine communications (M2M), for example, by sensors, in order to collect real-life, real-time data of how we are interacting with the world around us. Everything from cars and wearables, to home and office appliances have all been integrated into this Internet of Things, and the list continues to grow.

For example, Samsung’s new smart fridge is one of the latest objects to be digitalized as it photographs the fridge’s contents every time its door closes and makes the photograph viewable to the consumer over the internet when the consumer goes shopping. The IoT is even being integrated into entire cities to create what are becoming known as smart cities, of which Barcelona is a primary example. By analysing the way ordinary objects are being used, the IoT opens the possibility of providing innovative solutions to everyday problems.

Undoubtedly, the opportunity for businesses to benefit is huge. By facilitating a greater understanding of how a businesses’ products are used, it allows for improved product development and marketing strategies. However, with 6.4 billion objects already connected in 2016, and the vast amount of data being generated, various legal issues arise which businesses have to take into account. The list below is by no means comprehensive, but provides an overview of some of these considerations:

Privacy and Data Protection

By equipping products with internet connectivity and data collection capabilities, companies could be exposed to potential liabilities regarding how the data they collect is stored and used. Currently all data collected by the IoT is regarded as personal data, as there is potential to cross reference data to reveal an individual’s identity. Therefore, companies will have to ensure that any data collection or processing of that data is according to the current regulations stipulated by the EU Data Protection Law.

Cyber security

Companies dealing with IoT devices, be it manufacturing or selling them, will have to seriously consider the security of these devices and if they meet standard security protocols and laws regarding data (encryption, etc.). A lapse in security could lead to them facing liabilities for a lack of data protection, as well as misrepresentation of products if the company has claimed the devices to be secure.

Data Ownership

All companies should determine who owns the data that is collected from the devices. This can be a grey area in many cases. Does the manufacturer claim ownership, the product designer, or even the service which is storing the data? Businesses should be clear on which third parties are able to access their data and who is granted or can claim ownership of it.

IoT in the workplace

Even for companies that are not directly involved in the IoT, there is still the potential for liabilities when adopting these devices in the workplace. For example, if such technology is collecting data on employees. In this case, businesses have to ensure that their existing employment contracts, etc. are up to date and include an agreement on data collection.

The technological advancement of the IoT is moving at such a rapid pace that it is still considered a grey area from a legal perspective, as it remains unclear how it is being regulated. Many regulations and laws are being modified and created as and when needed to meet the demands. Current regulation of the IoT is being spearheaded at the EU level, so businesses will have to ensure they are complying with the EU laws on data protection, etc.


The IoT is a rapidly growing phenomenon/sector, which presents a huge opportunity for businesses that choose to invest in it at this early stage. However, they will have to consider the legal implications of the IoT and keep up to date on any new laws which arise in response to this technology. The regulation of the IoT is as complex as the technology itself. Since it is cross-border in nature, the laws which govern it are being established at the EU level. As regulators are continually responding to it with new and updated laws to ensure the protection of individuals and their data, it is vital that businesses are appropriately informed of the legal requirements to avoid any potential liabilities that they could face.

Jodie Fothergill & Karl H. Lincke

If you need additional information,

Please note that this article is not intended to provide legal advice.

Related Articles