Birmingham’s new Midland Metropolitan University Hospital, due to open in 2022, has recently been labelled a digital “super hospital” for its state-of-the-art technology. This will apparently include software solutions which enable the hospital to use Internet of Things (IoT) technology to reduce the need for maintenance of medical equipment, with the aim of improving patient safety and reliability at a lower cost to the NHS.
The software being implemented in the new hospital is just one example of how the IoT is being used by innovative Birmingham-based companies and organisations to find creative solutions to existing problems and to take a data-driven approach in their businesses.
What are the key risks, from a legal perspective, of using the IoT and how can they be minimised?
What is the Internet of Things?
There are on average 10 IoT-connected devices per household, so it is assumed that you will now be somewhat familiar with the IoT, even if it is just knowledge of something like Amazon’s Alexa or the Google Nest. However, it is worth setting out a brief definition of the IoT here at the outset.
The IoT describes the network of physical devices (the ‘things’ in IoT) that are embedded with software, processors, sensors and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet.
What are the risks of using the IoT and how can I minimise these?
Supply chain and terms
One of the main difficulties with IoT contracts, a catch-all phrase for the legal documentation around the sale, re-sale or provision of IoT solutions or products, is that often IoT services involve significantly more parties than traditional services (for example, sensor manufacturers, hardware manufacturers, IoT operating systems vendors, IoT software vendors, mobile operators, device manufacturers, third party app developers).
Because the IoT product or solution has a larger number of businesses and individuals that are part of the supply chain, it is more complicated to contract, as each of these parties will have risk or obligations that may need to be passed on down the supply chain.
This often results in there being a number of additional layers of legal documentation. The terms across all of this legal documentation need to ‘marry up’ and appropriately deal with and pass on risk, obligations and the appropriate licences.
When provided with standard terms by large-scale vendors of public IoT solutions or products (such as Amazon or Google), it is commonplace only to receive a warranty from the vendor to use ‘reasonable endeavours’ to correct non-compliance with the specifications contained within those terms. This approach is often accepted where the difference in the respective bargaining power of the parties is considerable (a ‘take it or leave it’ offering).
Where the IoT solution or product is more bespoke, or the bargaining powers are more equal, as is likely the case with the solution provided to Midland Metropolitan University Hospital, vendors are more likely to negotiate warranties to correct non-compliance with specifications.
Given that IoT devices often process personal data, it comes as no surprise that many of the data processing activities involved in the operation of the IoT fall within the scope of the General Data Protection Regulation (GDPR).
In order to comply with the GDPR’s principle of ‘privacy by design’, data protection should be built into any IoT solution from the very outset. What does privacy by design mean? It means that the concepts of transparency, fairness, purpose limitation, data minimisation, data accuracy and data subject rights should be built into the design of the IoT product. All of this should be documented and evidenced to prove compliance.
The GDPR principle of transparency has also proven to be a stumbling block to IoT solution providers. The majority of IoT providers fail to explain adequately to customers in their privacy policies how their personal data is processed and by whom. This is often due to the fact that IoT services involve significantly more parties than traditional services.
Licensing and IP
Another risk when contracting in and around the IoT is in the arrangements for the licensing of relevant intellectual property and software, in particular patents. It is common practice in other industries to ask the supplier or distributor for a warranty that the intellectual property rights have been paid for and to seek an indemnity against IP claims in your contract.
The difficulty when dealing with IoT contracts is that it has become common for the owners of key IoT patents to refuse to give a licence to suppliers or distributors to use their intellectual property. This means that those vendors cannot give their customers the usual warranties and indemnities that the products are free from infringement claims, which has a knock-on effect down the supply chain.