The Industrial Internet of Things and its legal dilemmas
The Industrial Internet of Things, also known as Industry 4.0, has the highest growth potential within the IoT, but it hides relevant legal issues.
The figures of the Industrial Internet of Things
According to McKinsey, the IoT will have a total potential economic impact of $3.9 trillion to $11.1 trillion a year by 2025.
But within such figures, it is interesting to see that the highest expectations are around the usage of IoT technologies within factories, as shown in the chart on this side.
Such growth derives, among other things, from the possibility of driving efficiency by monitoring industrial processes, manufacturing machines and delivery chains through sensors that can, among other things:
- predict malfunctions or failures and therefore avoid downtime;
- identify any lack of service within the manufacturing process, enabling corrections to improve productivity and cut costs; and
- track the whole manufacturing process, including workers, for instance by means of wearable technologies and geolocation systems, to avoid errors and the misuse of devices or machines and enable their exploitation in a more efficient manner.
The “hidden” legal issues of Industry 4.0 technologies
In a previous article, I had referred to Big Data as the “money maker” of the Internet of Things. And this “formula” is even more valid when it comes to Industry 4.0 technologies.
Are “industrial” data personal data?
Data collected from factories can have a different nature. If such data can be associated, directly or indirectly, with an individual, this obviously triggers privacy issues. This is not a restricted scenario because the efficiencies of the IoT also require tracking individuals.
I covered in a previous article the recent changes introduced by the Italian Jobs Act to enable the usage of technologies allowing the monitoring of employees in order to either improve the productivity of a company or perform the working activity. European laws such as the upcoming EU General Data Protection Regulation (GDPR) would prevail over national laws. Therefore the new flexibility provided by the Jobs Act might not prove to be 100% reliable and might require, for instance, running a data protection impact assessment under the terms of the GDPR.
Additionally, once personal data is collected, the goal is to use it with the lowest possible level of restrictions. Therefore the implementation of pseudonymization, segregation or encryption technologies is valuable to further exploit it.
How do you protect data and IIoT technologies?
A tricky issue is to identify the most appropriate right to be used in order to protect data generated from factories. Such data can be confidential information or trade secrets, but is there a copyright or at least a database sui generis right on it?
At a time when the protection of software through intellectual property rights such as patents is not at its height, it has to be assessed whether the usage of IoT technologies has led to the creation of a protectable business model.
Finally, when Industrial Internet of Things technologies are adapted to the manufacturing process of the different customers, an issue pertains to the potential design rights on these customizations, especially when there is a relevant contribution from the customer.
Who is the owner of the data?
There is no easy answer to this question. When it comes to personal data, the individuals to whom it relates have privacy rights on such data which cannot be waived. Individuals can grant their consent to the usage of their data, but shall keep control of it at any time, with the right to subsequently withdraw the consent previously granted.
But, as mentioned above, the same data might be confidential information, a trade secret or represent the intellectual property of companies that for instance created large databases containing such data.
Subject to privacy law restrictions, the economic exploitation of data can be contractually agreed. And this is particularly relevant also in the light of the new data portability right that is provided by the EU Privacy Regulation. The right of an individual to have his data ported to the next supplier might not prevent the previous supplier from agreeing with its customer, when the contract is first concluded, on a restriction on the usage of the same data for business purposes, even when ported to another supplier. It will be interesting to see the position of data protection authorities on the matter, but this is a fascinating topic.
Is data kept secure?
Cyber risk is exponentially becoming a threat for any business. The EU Data Protection Regulation requires the implementation of “appropriate” security measures. But this is not just a question of making large IT investments since, as recently happened, very smart guys might find a way into a system and all of a sudden the most secure system might become insecure.
And this risk is one of the reasons why interoperability of Internet of Things technologies is having such a hard time. The system of a different supplier interconnected to your system might be the source of a cyber attack. But the Internet of Things requires an “orchestration” of different technologies from different suppliers and, as previously mentioned, you cannot do IoT alone.
Security is a dynamic concept and requires the implementation of organisational and technical measures aimed at limiting the risk of access to information systems and enabling the immediate reaction to a cyber attack. The implementation of a privacy by design approach and the reliance on a cyber risk insurance policy can help, but the whole internal organisation of a company has to change.
What liability if things go wrong?
In the case of interconnected technologies such as those of Industry 4.0, when there is a malfunction it is difficult to determine the perimeter of the liability of each supplier. And the matter is even more complicated when it comes to artificial intelligence systems which rely on a massive amount of collected data, so that it might be quite hard to determine the reason why a machine took a specific decision at a specific time.
How can liability clauses and service levels be arranged if the efficiency of the technology depends also on information coming from other systems which might not be 100% correct, might be corrupted or might just be the victim of a cyber attack that is due to interconnected technologies? Service levels might not, for instance, be “static”, as they might increase/decrease during the lifetime of a product due to the occurrence of external factors which are not the typical force majeure events.
Such variables make it more difficult to build a defence in a potential dispute, especially in case of physical harm caused to individuals, since at that stage product liability provisions preventing liability exemptions would apply.
This topic is really fascinating; what is your view on the matter? This is the time when companies shall address such issues, also because of the upcoming tax savings that are going to be provided for Industry 4.0 technologies.
We will discuss the topic at an event named “Internet of Things and Industry 4.0: Strategies to increase competitiveness” whose details are available here.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper.