Legal considerations for IoT

Introduction

Internet of Things (IoT) projects are a complex multiparty undertaking, requiring the cooperation of asset owners, technology providers, consultants, communication service providers, and a range of other stakeholders. IoT projects have a range of technologies that have legal implications such as copyright ownership of circuit board designs and firmware. Adding to this, the securing of legal rights for the use and maintenance of the ICT systems is critical to the ongoing operation of these projects.

Successful delivery and operation of these assets requires effective communication, a sound understanding of the legal landscape, and practical systems and procedures to secure the strength of your legal position if things escalate

Ownership of the legal rights required enable an IoT project to function throughout its life cycle should be treated as a key project deliverable. The legal rights underpinning the business model (eg. developer, service provider, product reseller, maintenance provider) should also be secured in writing to avoid legal disputes about who owns items such as software licences, firmware and hardware, and what rights each party has to use them.

A common source of legal disputes in IoT projects is relying on verbal assurances rather than formally documenting agreements in writing, as verbal assurances tend to carry little weight in court.

Terms and legislation relevant to IoT projects

Some legal terms and legislation relevant to IoT projects are defined below:

• Express terms (contract): Terms that are agreed between contracted parties, either in writing or verbally.
• Implied terms  (contract): Terms that are not expressly written in to the contract, or verbally agreed, but can be implied by the court based on common law or the actions and intentions of the contracted parties (see section below on effective contract management of IoT projects.
• Estoppel: This is a point of law which prevents a party from denying something. There are two kinds of estoppel:
  • Promissory: if one party has promised another party that something will happen, and the second party relies on this promise and suffers detrimental effects it is not kept. For example, if an IoT company designs a system to monitor and send alerts about the condition of airfields, which will only be commercially viable if a major airport agrees to be a customer. The designer emails or phones the airport and lets them know that they intend for them to be a customer and the airport agrees. If the designer designs the system, and the airport later decides not to become a customer, it is possible that under estoppel, a court can rule that the airport does need to become a user of the system, or award damages to the designer. It is better if the promise and possible detriment are documented in writing.
  • By convention: if two parties conduct business in a particular way, then one does something to contradict that. For example, if a client pays a communication provider’s monthly fees late for several months and they accept those late payments without penalty (even though the contract says fees need to be paid on time or supply will be cut off). If the communication provider suddenly decides to cut off supply due to a late payment, the court may rule against them as they have set a convention contradictory to their written contract by accepting late payments.
•  Telecommunications law: including the Telecommunications Act 1997 and the Radiocommunications (Low Interference Potential Devices) Class Licence 2015.
• Australian Consumer Law (ACL): Some elements of ACL are particularly relevant to IoT projects:
  •  (Statutory) Unconscionable conduct (Section 20 of the ACL) is the principal by which a stronger party is not allowed to take advantage of a weaker party in supplying or acquiring goods. This can apply in some cases if software is purchased and does not work as expected or have the help desk support required.
  • Misleading or deceptive conduct: The Competition and Consumer Act (2010) states that a person must not engage in conduct that is misleading or deceptive, or is likely to mislead or deceive. In 2013, the Australian Competition and Consumer Commission (ACCC) took Google to the High Court over its display of sponsored links. The ACCC lost, because the court ruled that reasonable users would understand that the content of the sponsored links was created and endorsed by the advertisers, not Google.
  • Warranties & unfair terms: ACL imposes mandatory warranties and invalidates unfair terms. This may be useful for small IoT businesses or consumers who purchase software or services with inflexible terms and conditions (eg. as defined on the software company’s website when purchase is made online).
• Other relevant legal areas include:
  • Intellectual Property: It is important to know who owns the intellectual property of the software, firmware and hardware used in projects, as if it is produced by independent contractors for a parent company, disputes can disadvantage clients. It is also important to clarify who owns the intellectual property rights for solutions and products produced.
  • Copyright: This is important as IoT projects use software, firmware and hardware which is subject to copyright. In one copyright case IPC Global took Pavetest to court because a developer had taken source code and firmware from IPC Global to Pavetest and used it to develop a system. Even using a small, functionally significant part of the software code can be a breach of copyright and result in damages being awarded to the copyright holder.
  • Negligence: This may be applicable if there is a duty of care which was not carried out responsibly, and damage results.
  • Security of Payment Act: This may be relevant when IoT systems are installed in buildings, as it ensures that suppliers of construction work and related goods get paid on time. One example of a case was between Ampcontrol SWG Pty Limited and Gujarat NRE Wonga in 2013, when Gujarat failed to meet a payment deadline.
  • Home Building Act: This may be relevant for systems installed in residential homes.
  • Privacy legislation: this governs confidential information that may be collected by the system. Considerations can include a privacy policy and mandatory reporting of data breaches

Sources of legal disputes in the IoT industry

Software rights can be a significant vulnerability for IoT projects. For example, a software supplier can tender software to competitors or threaten to disable system software as leverage during a dispute unless there has been a written agreement that prevents them from doing so. Software companies can also go out of business, or be subject to intellectual property disputes, so it is important to determine what assurances and guarantees are needed to ensure that your project can continue to use necessary software.

Liability clauses are also an important consideration: if a system supplier falls behind in delivering goods required by a project, this can be a significant cost, and agreement should be made about how that will be dealt with.

Direct supply of parts and services from a supplier can also be a vulnerable point for IoT companies relying on particular system suppliers unless a written distributor or supply agreement is put in place. Courts are also wary of making rulings that help companies establish monopolies in order to make their business models effective, as they want to ensure that the end user is assured ongoing supply of goods.

Safeguarding legal rights for IoT projects requires a broad understanding of legal measures available. For example, an agreement to ensure that there are no backdoor channels to disable software or exploit other system vulnerabilities, such as cyber security, could be approached by ensuring there is a warranty against these backdoors being present, liquidated damages if they do arise, and court injunctions if the company supplying your software introduces backdoor channels after agreeing not to. One area that could be used in such a case if it goes to court is damage to the goodwill of the business using the software, which is a form of intellectual property.

One recent example of a dispute between an IoT company and a software supplier was between Australian company TMA Australia, which installed and maintained car park guidance systems for large clients, and the supplier of the systems, Indect. Prior to the dispute, there had been some discussion of TMA being the exclusive distributor for Indect systems in Australia (they were the sole distributor at that time), but this was never agreed or formalised in writing.

TMA Australia had installed 15 systems in the four years leading up to the dispute, and signed maintenance agreements over 5-10 years for those systems, which had an expected life of around 15 years. Following a dispute over late supply of parts which led TMA to withhold payment of invoices, this dispute escalated to the point where Indect introduced three-monthly software authenticity checks and threatened to disable software in installed systems. When TMA announced that it would use another system supplier, Indect refused to supply parts for existing installations directly to TMA, but forced them to buy parts to fulfil their maintenance contracts through a third party distributor.

Effective contract management of IoT projects

If a contract to relies on a standard terms and condition sheet to lay out legal rights of each party in an IoT project, it is important to clarify which terms and conditions are relevant, and what these terms and conditions are referring to specifically for each project. To ensure that each party has read the terms and conditions sheet, a good practice is to require initials and dates at the bottom of each page of the Terms and Conditions. This can allow companies and suppliers entering into identify and resolve issues and differences in contract interpretation early, rather than disputing them following installation of systems when the stakes and operational impacts are higher.

As mentioned in the section above, there are two kinds of terms in a contract: express and implied. Express terms are specifically agreed between parties, either in writing or orally (written terms are easier to verify).

Implied terms are not written into a contract or agreed verbally, but can still apply to projects if they are part of the common law (these are terms that are implied by law). Standard contractual terms that are implied by law are:

• goods for sale are fit for their intended purpose: eg. a sensor sold for ocean temperature monitoring operates underwater
• professional services will be rendered with reasonable care

Implied terms cannot contradict what is written in the contract (eg. if a contract states that sensors do not need to be fit for underwater use, the court will not rule that this term was implied) , and the intentions of the parties at the time they made the agreement. They can also be terms that allow the reasonable effective operation of the contract, or be an obvious implied condition (ie. it goes without saying that…). The implied term must also be able to be expressed clearly. Complex and convoluted implied terms are less likely to be approved in court.

Terms can also be implied by fact if there has been no attempt by the contracted parties to record the entire contract in writing, based on the intentions and actions of the contracted parties. For example, one term implied by fact by the court in the previous example was that Indect had to facilitate the software authenticity checks they imposed on TMA Australia, because the terms of the software licence purchase implied that it would be licenced for use for the lifetime of the system, and be fit for purpose.

However, TMA Australia was unsuccessful in their attempt to get the courts to rule that because they had entered into contracts to purchase systems from Indect, it was an implied term that they should continue to receive direct supply of parts and services for the life of the system at a price which was no less favourable than that offered to other Australian distributors. This was because at the time those contracts were made, there were no other distributors of the system in Australia, and therefore the court stated that no term could be implied because it would be difficult to gauge what sort of price would result before more distributors were on board.

Effective dispute avoidance and resolution

It is better to avoid a dispute rather than resolving one. Some ways in which the likelihood of a dispute taking place can be reduced are:

• Ensure terms are agreed in writing and clearly understood by contracted parties 
• Maintain legally acceptable documentation (eg. minutes of discussions and confirmed acceptance, merge files for a running log of projects, initialled printed documentation)
• Be above board with customers. Particularly for IoT operators dealing with installations in residential properties, it can be fast and inexpensive for clients to make a claim with the state or territory civil and administrative tribunal (VCAT, QCAT). If the customer wins their hearing, it might mean that both their legal costs and damages need to be paid
• Employ a long term strategy with project partners you are dealing with regularly. Try to lock in some agreements in writing as they occur, even if you are not in agreement on everything. Embarking on the project without any agreements in place leaves a lot of room for dispute.

Should a dispute occur, it is important to consider alternatives for coming to an agreement, and the strength of each legal party before going to court. This needs to be weighed against the potential for the time, cost and reputational damage of failing to reach an agreement outside court, as well as confidentiality implications. Legal advice should be sought early to assist with this process. It is also beneficial if teams have some understanding of the technology involved.

Depending on which court the action is made in, the cost of court actions in the IoT space can be in the order of tens of thousands of dollars in preparation before the trail, once the lawyers, barristers, expert witnesses and QCs are paid their fees. For each day in court, the cost in legal fees can be in the order of tens of thousands of dollars, plus the time required to attend court.

Range and Precedence of statutory requirements

Some IoT projects can come under more than one piece of legislation, eg. Australian Commonwealth and state or territory legislation. There are also technical standards and statutory regulations that are relevant to IoT projects. These legal requirements may contradict each other or be inconsistent, so it is important to consider which order of precedence should be given to each level. In Australian law, the order of precedence is:

•  Commonwealth legislation: eg. Australian Consumer Law (this over-rules any contradictory or inconsistent state or territory legislation)
•  State or territory legislation: eg. Home Building Acts for IoT projects based in residential properties (eg. smart home projects). Both Commonwealth and state and territory law over-rule regulations and standards drafted under legislation.
• Regulations or standards: eg. Ministers can approve Australian standards for particular products, however these will be over-ruled if they are contradicted by the overarching legislation.
• Technical standards: These standards apply to system design and are particularly relevant for IoT projects. They include:
  • Electromagnetic compatibility
  • Radio communications compliance
  • Specific product standards
  • Specific field-related standards (eg. technical standards for IoT projects in medical industry).

Sources: The information on this page was primarily from the following: 

• Presentation by Ashley Kelso, Senior Associate, AustraLaw titled Managing the legal risk of IoT projects