Internet of Things – Indian Legal Perspective
The internet of things (IoT) is a set-up of interconnected objects, people or systems that process and react to physical and virtual information. It achieves outcomes that aim to improve user experience or the performance of devices and systems. The expression IoT is increasingly being used to define objects that talk to each other.
Consider the following scenario: An alarm-clock transmits one’s wake-up time to the coffee-maker which in turn collects the information to perform the activity of making a cup of coffee available at the appropriate time. Further, the coffee-maker in turn transmits the information to the car to set the temperature inside to comfortable levels by the time one drives. The car in turn indicates the offices electrical switches to be switched on and signals the computer to prepare the schedule.
Simply put, the IoT is made up of several devices – from simple sensors to smartphones and wearables – connected together, which gather and analyze information and help perform a particular task or learning from the process. When many devices act in unison, they are known as having “ambient intelligence”.
The Indian government released a draft ‘Internet of Things Policy’ in 2015, aiming to promote the creation of an IoT ecosystem and development of IoT products specific to Indian needs in areas, inter alia, of agriculture, health, water quality, and natural disasters. Governments around the world are also waking up to the potential of machine-to-machine (M2M) communication in solving metropolitan issues, and increasingly exploring newer concepts to get at par with the changing technological trends.
M2M refers to automated exchange of data between machines, installations, individual modules, and systems – all without human intervention. The stark difference between M2M and IoT arises where M2M focuses on communication among machines. IoT, on the other hand, seeks to build on this concept and connect ‘things’ with ‘systems’, ‘people’, and the likes. M2M, which has been used as a tool for inventory management and fleet tracking, is now recognized as a tool to provide better governance.
Regulations pertaining to M2M communication. National Telecom (NT) Cell, the government body dealing with policy and regulatory aspects related to M2M communication, released a National Telecom M2M Roadmap in May 2015. After this release, the NT Cell formulated KYC (know your customer) norms for SIM-embedded M2M devices, a numbering scheme for M2M, registration of MSP (M2M service oprovider) and M2M pilots. India’s Department of Telecommunication (DoT) sought recommendations from the Telecom Regulatory Authority (TRAI) on roaming issues, spectrum requirement, and quality of service (QoS) in M2M communications. Consequently, TRAI released its consultation paper titled Spectrum, Roaming and QoS related requirements in Machine-to-Machine Communications in October 2016, followed by its recommendations on this consultation paper on 5 September 2017.
The DoT issued a notification on 16 May 2018 for implementing restrictive features for SIM cards used only for M2M communication services and related KYC instructions for issuing M2M SIM cards to organizations providing M2M communication services. The restrictive features, inter alia, include non-transferability of mobile connections, adherence to KYC norms by M2M service providers prior to SIM issuance, calls/sms to be from a predefined set of numbers, and predefined IP addresses for data communication. Emergency numbers such as police and ambulance are exempted from the restrictions. (The full text of the notification is available at:http://dot.gov.in/sites/default/files/M2M%20Guidelines.PDF?download=1 )
Privacy and data protection. With IoT and M2M connecting more things and people to the internet, it will consequentially transform lives especially in the areas of health, home automation, retail and transport. The communication between multiple devices, and enormous data transfer between their users, would result in sharing personal information, thereby raising privacy and data protection concerns. It is imperative that such privacy issues be considered at the first stage.
Protection of sensitive personal data or information is covered under the Information Technology Act 2000 (ITA), and The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. According to section 43A of the ITA, a body corporate not implementing and maintaining reasonable security practices and procedures in respect of sensitive personal data or information possessed, dealt or handled by it in a computer resource owned, controlled or operated by it, is liable to pay damages to the person so affected for wrongful loss or gain to any person. The Rules mandate the basic principle of privacy law that the body corporate needs to obtain informed consent along with certain privacy compliance practices.
The ITA also imposes stringent penalties of imprisonment up to two years or fine up to 100,000 rupees or both, on any person who secures access to any electronic record, information etc., and who, without consent of the person concerned, discloses such record, information etc., to any other person.
Data ownership and intellectual property rights. Seamless connectivity and communication among devices resulting in large amounts of data generated and prepared by two or more service providers would lead to ownership conflicts.
Under traditional copyright law, a joint ownership in a copyright work is created when prepared by two or more authors who intend that their contributions be merged. It is the intention and not the quantum of contribution that is relevant. One argument is that the mere fact that two entities let their devices interact with each other and create data could reflect the intention of the parties to create joint ownership.
An M2M environment facilitates data generation and content creation including machine generated data. The question that arises is who claims IP rights in content/data generated, when original data is created by interaction of various devices in an M2M environment, which may include a new process of arriving at desired results? Agreements executed between M2M service providers and device manufacturers need to enunciate the ownership of the title and claim to the IP rights, especially considering the fact that the IP rights confer upon the owner a host of other rights like licensing and commercialization of the IP to further exploit its commercial utility. Stringent privacy policies of the M2M service providers would be necessary to safeguard the privacy and protection of the consumer data generated and collected in the M2M environment.