Managing legal risk from IoT systems in business premises
Published on 7th Jan 2022
As the Internet of Things proliferates, what are the risks – and opportunities – that businesses should consider regarding the systems in operation in the physical spaces that they occupy?
The Internet of Things (IoT) plays a central role in underpinning technologies that support the path to net zero, as our research into decarbonising technologies for cities with Economist Impact has highlighted. IoT technology facilitates monitoring and automation. It can enable more efficient building management or energy consumption. It also facilitates many aspects of the challenge of balancing supply and demand for power where an increasing proportion of supply is delivered by renewable generation such as solar or wind farms. But there are legal risks that need to be understood around operating in spaces where these new technologies are deployed, including data privacy, cybersecurity and questions of liability.
IoT power and benefits
IoT devices are "things" – potentially more or less anything – that are connected to the internet and incorporate processing power and an energy supply. Some IoT devices have integrated sensors to collect data; some are more focused on receiving and reacting to data (for example, via actuators to carry out actions); and some IoT devices both collect data and respond to it. IoT systems are often integrated with cloud-based data storage and analytics, potentially with artificial intelligence functionality to enhance their decision-making capabilities, and often deliver a measure of automation.
In the built environment, IoT systems can be used to control heating, ventilation and air conditioning (HVAC) systems, lighting, security controls, or to optimise the efficiency of energy consumption. IoT systems can help to reduce energy consumption (and therefore bills) by creating transparency around use patterns to enable optimisation. The data collected can be fed into predictive maintenance and repair schedules, to avoid unplanned downtime. Data about the location of people in a space can be fed into HVAC systems to make sure that the air remains fresh and the temperature is cool in busy areas. IoT systems can also be used for workplace management, such as identifying available desks or parking spaces.
These systems can be powerful tools for efficiency and optimisation (often contributing directly to sustainability strategies).
But as third party IoT systems become ever more present in the built environment, businesses need to take note of their presence and be conscious not only of the legal risks that may flow from them but also the untapped opportunities that they may create.
Who controls the IoT system?
As IoT systems proliferate, a business may find that there are sensors and monitors in the places and spaces which it occupies that are not under its control. In an office environment, for example, it will often be the asset managers responsible for running the building who control the HVAC system – not necessarily the landlord, tenants or any other user of the space. The business whose vehicles, drivers and activities are being monitored may not have any access to or control over the data being collected.
It is necessary to know which systems are active, and what they do. It is also important to understand what will happen if these automation systems do not work as they were designed to, including who will be responsible for triggering any emergency systems. These liability aspects are particularly important when negotiating tenancy agreements and conditions agreed with insurers.
What data is being collected?
If data about identifiable individuals is being collected, data privacy legislation may be relevant. The EU General Data Protection Regulation (GDPR) and/or its UK counterpart will apply (in the relevant jurisdictions) where a person is identifiable from data, whether or not it includes their name.
Sensors might keep track of a building's temperature or CO2 levels, and in itself this will not be personal data. However, where an individual can potentially be identified from a combination of data points, the data may qualify as personal data. This is a highly fact-driven assessment.
As smart buildings evolve and the amount and types of data collected increase, businesses need to bear in mind the risk that these systems may start processing personal data, triggering the application of EU or UK data regulation. Data protection principles must be adequately implemented, including that every processing activity must have a valid legal basis at all times. A Data Protection Impact Assessment must be performed and kept up-to-date.
Non-compliance with data protection legislation carries potentially heavy sanctions so it is important that businesses are aware of what data is being collected about their staff, movements and activities, and where any data privacy obligations fall.
Who 'owns' or can access the data?
Under many legal regimes, the "ownership" of data is a developing field. In England and Wales, for example, pure information is not considered by the law to constitute property. However, data often carries clear commercial value in practice. Intellectual property rights may offer protection, but will only apply to some forms of data (for example, where data comprises a work that is copyright) or formats (such as database rights). Apart from personal data and requirements in some regulated sectors, there is currently not much regulation of data. Frameworks of detailed rights and obligations over data are more likely to flow from negotiated contractual arrangements than to be set out in legislation.
There is currently no common or standardised approach in relation to interoperability of data, or on the question of access for customers, users or others to non-personal data about their activities that has been gathered by third party hardware, software, platforms or systems. This reinforces the need to consider these issues when negotiating contracts with the suppliers or controllers of such systems (particularly landlords or building management).
In the absence of any such framework, the business that possesses a dataset can essentially decide how to use it, whether to share it, and how to exploit it. If a business chooses to reserve data for itself rather than sharing it, it can be very difficult for another party to access the data, even if the data concerns that other party or its activities – as might be the case for data collected from a building's IoT systems.
There is a policy-level concern among legislators that a closed, proprietary approach to datasets could hamper productivity by constraining the availability of a key raw material for innovation. The EU Commission is understood to be working on legislation to open up access to data collected through IoT systems in a business context. Proposals are likely to be included in the "Data Act" – expected to be published in the first quarter of 2022.
What are the security ramifications?
Third party systems that are connected into a business's systems can increase the "attack surface" of that business. It is essential to understand which other systems an IoT system is connected into.
There are numerous examples of IoT devices creating cybersecurity vulnerabilities, such as a smart fish tank that enabled hackers to steal data from a casino. Connected devices can be taken over and grouped together for a mass attack intended to crash another organisation's website (Distributed Denial of Service or DDoS attacks). Interconnectedness can also increase the threat of ransomware attacks.
In some circumstances, responsibility for cybersecurity is provided for in law. This is particularly the case for personal data, and for activities which fall within critical infrastructure legislation (such as the EU's Networks and Information Security Directive, and its equivalent in the UK).
As regards personal data, the entity acting as a controller of the IoT system's processing activities will, under data protection law, bear the responsibility of ensuring that robust security measures are in place that are aligned with the risks caused by high volumes of generated data.
More generally, it is essential to understand whether third party IoT systems in a building create access into the systems of those occupying a space, and to understand and manage any vulnerabilities or risks that they might create or increase.
Are risks being managed and opportunities leveraged?
As part of the "data-consciousness" that is increasingly needed in all commercial sectors, businesses need to be aware of the data-collecting IoT systems that are operating around them.
As a first step, businesses should make sure they understand what data-collecting systems are in place in the space and what data they are collecting. Understanding data flows within a building may need to be part of the due diligence around new premises.
It is also important to understand who has access to the data and who could have access. It may be that the data could have value beyond the purpose that it has been collected for and may offer insight into the activities of the businesses active in the space being monitored.
Finally, it is essential to understand whether third party IoT systems in the building interconnect at any point with the occupier's systems. The risk of a digital back door needs to be considered and resulting risks managed. Where appropriate, cybersecurity expectations may need to be worked into the performance obligations in contracts, potentially with reporting and/or auditing requirements.
Regulation of data is currently limited to specific areas. However, legislators and policy makers are beginning to understand the significance of data in the digitally transforming economy and new legislation can be expected. The potential for new requirements to open up access to IoT data is worth careful monitoring and any opportunities should be grasped.
If you would like to discuss any of the issues raised, please do not hesitate to contact the authors or your usual Osborne Clarke contact.