Blockchain, artificial intelligence and IoT are the future, but are companies ready for the legal issues relating to the new models of business?
The IoT models of business and the shift towards services
The Internet of Things obliges companies to change their models of business since one-off contractual relationships where they were selling a product are replaced by long term relationships for the provision of services with continous exchanges of data, potential liabilities and contractual issues. This is enhanced by artificial intelligence and blockchain technologies which increase the potential benefits, but at the same time also with higher reliance on the proper functioning of technologies.
You can review the topic first in Italian as part of my videoblog Diritto al Digitale below and in English in the article
The shift that is happening in the models of business can be quite well represented in the image below of a “pizza as a service“. Even the more traditional businesses might turn into a service if for instance, products are no longer purchased as part of specific order, but on the basis of a monthly fee which is calculated on the needs of the purchaser through sensors that collect information on the actual consumption of each product.
The new IoT models of business unvail unexplored legal issues that used to be unknown by a number of companies addressed, as part of my Diritto al Digitale video series, in the video available here in Italian and below in a more detailed outline in English focusing on 3 specific issues.
Who is the owner of IoT data?
The questions to be responded are multiple and I tried to summarize them in the slide below:
The answer to this question depends on whether collected data are personal data or just M2M data.
What happens if they are personal data?
If data collected are personal data, obviously the service shall comply with the terms of the EU General Data Protection Regulation. In this respect, the main factor to be considered is the requirement to build the process adopting a privacy by design approach. This is a responsability on the data controller (usually the client), but in order to enable data controllers to comply with the principle, data processors (i.e. service providers) shall provide their clients with evidence of its implementation during the development of the technology, its tailoring to the needs of the client and during the whole period when the service is exploited and also with reference to the termination activity.
Can you ignore privacy compliance in case of non-personal data?
Unfortunately, data protection regulations cannot be ignored also in case of M2M data. Indeed, according the current draft of the European ePrivacy Regulation, also machine to machine communications will fall under the umbrella of privacy rules introducing additional confidentiality obligations and providing the fines prescribed by the GDPR for their breach.
What kind of rights can be held on data?
Ownership of data under privacy laws is not always in line with what prescribed under intellectual property laws. However, the first point to consider is whether it is possible to hold IP rights to IoT or artificial intelligence data, even if recorded on a blockchain.
The issue had been reviewed by the European Commission which had reached the conclusion that there is no certain answer. Indeed, at moment the most frequent scenario is that data ownership is “linked to the machine” i.e. the sole way of exploiting data is to use the technology of the supplier from which data cannot be extracted. But, apart from this issue, in relation to other protections, it appears that
- copyright could not be enough strong as the element of the intellectual effort might be lacking;
- database sui generis right could be a valid protection, but it requires to show the effort taken in the collection and arrangement of data;
- trade secret protection, whose regime recently changed, is definitely a valid solution, but requires that the company has taken actions to protect the information as a trade secret; while
- contractual protection still seems to be the best option, especially in a scenario where courts still do not have a consolidated position on data ownership of IoT data. But contractual clauses shall be carefully drafted in order to avoid that there is an uncovered layer of data whose ownership has not been regulated.
What liabilities can arise from IoT, artificial intelligence and blockchain technologies?
The issue that arises with blockchain, AI and IoT models of business deriving from the usages of such technologies is that they imply a much higher level of reliance by companies on their proper functioning. Indeed, in case of predictive maintenance IoT technologies for instance, manual checks will be no longer performed. This means that in case of malfunctioning of the technology, the potential damages might be considerably higher.
The issue further increases in relation to artificial intelligence systems that can actually replace entire departments of companies with a complete change in the models of business. This means that the contract shall provide for a disaster recovery plan when in case of failure of the AI system, the services replaced by the system can be provided otherwise.
Also, since artificial intelligence systems are exponentially developing autonomous features that are not under the control of their manufacturer, there is a liability issue around who shall be held liable in case of malfunctioning and damages. The risk is that a compulsory insurance coverage will be required, but this might limit the growth of the market.
What contractual structure and jurisdiction clauses with the new IoT models of business?
In case of large services agreements, the issue is whether there should be a single global agreement or country-specific agreements. This is linked to the need to allocate liabilities and risks at the leval of each company/country. However, it is also linked to potential tax and regulatory implications due to the different regime on data ownership and the potential tax implications due to the transfer of databases that might represent for instance a going concern.
Once the contractual structure is determined, the applicable law shall be identified. UK law appeared to be a frequent solution in global agreements due to the law of the precedent in place in Great Britain. But the scenario might change with Brexit, posing companies in a situation where it might be safer to identify the law of country in continental Europe.
As to the forum selection clause, an arbitration clause might be the most appropriate option for large agreements, while when it is agreed to identify a competent court, the recommendation is to pick the same court of the country whose applicable law regulates the agreement. Otherwise there is a higher risk of misinterpretation of local laws.
The blockchain, AI and IoT models of business will definitely lead to new open legal and regulatory issues that I will try to cover.