Our new products are connected – what implications does that have?
Published on 14th Jun 2022
Introducing connected products into a business's product range may on some level appear straightforward, but the fact that the products are connected to the internet and can share information about themselves, their usage and their environment means that there are numerous legal implications. Here we consider some of the key legal consequences and outline how legal counsel can guide a business through this strategic transformation.
This is chapter 2.4 of Data-driven business models: The role of legal teams in delivering success
The business and its products
Consider a business that produces tools and machinery that are to be used by other businesses in their manufacturing processes. The products are sold globally, either directly to customers, or indirectly via dealers or distributors.
The newest generation of these products is capable of connecting to the internet, and transferring data collected by sensors in the products to an online service. The business intends to provide this online service to end users of the products. The users will be able to log into the online service, see their fleet of products, and view certain information collected about those products such as malfunctions, battery status and location. The business intends to develop functionality in the future which will also allow users to manage their manufacturing process, or third party machinery, remotely using the service.
The fact that this new generation of products is connected (that they are 'Internet of Things' or 'IoT' devices) has numerous implications for the business and its legal position. What would this business need to do in order to implement this new connected business model?
The evolving business model
Often a business which is introducing IoT products into its product range will be able to provide a high level description of the service and its plans. But a common challenge is understanding the key issues and risks that the IoT element introduces from a legal perspective.
To better understand these issues and risks, running a workshop for the key stakeholders will be helpful. The business should establish a team including perhaps the C-level executive who is responsible for pushing the project forward internally; the head of the design or engineering department which developed the products; the head of the IT-development team which developed the online service; a project manager; and in-house or external legal counsel specialising in data, commercial contracts and the regulatory environment.
The key aims for the legal counsel at the workshop would include:
- Finalising the new business model from a legal perspective, and assisting the business in understanding all of the elements involved (including the relevance of the intervention of third party suppliers, and considering whether the business would be provided as an operational expense solution, as a service model including software and devices, or as a capital expense solution just for the devices);
- Defining the legal deliverables to be included in the project plan; and
- Defining the key objectives for the project team in delivering the project.
For these exercises, a usual starting point is a white board! Legal counsel should describe the business model from a legal perspective, and then help the project team to understand how the new IoT functionality of the products, despite being a simple addition, changes the business model in a very fundamental way.
This might be the original business model:
However, by connecting the products to the internet, and providing an online service directly to the end users, the legal relationships can become a lot more complex, as demonstrated below:
The number of important legal relationships that the business has multiplies in the new business model. Previously the business had a traditional linear sales model, but now that the products are IoT devices, and have digital services associated with them, the business will have direct contractual relationships with all end users. This will be the case even if the end user does not purchase directly from the business.
And some of the contractual relationships are with entirely new categories of partners with which the business is unlikely to have dealt in the past. Alongside the end users of the products, the business also has new contracts to establish with software developers and hosting providers. These relationships will involve new kinds of risks and require detailed due diligence in legal areas with which the business may not previously have had to grapple, such as complex data protection issues.
For example, something the business may not previously have had to consider is who has the right to use the data which is generated by and collected from its IoT products. This data will be valuable information, and is likely to provide useful insights for both the end user and the business itself.
Other issues to consider include which legal entity will provide the online service; where that entity will be established; where the data associated with the service would be hosted; and how this would be related to the sales organisation, which is likely to be organised on a country-by-country basis.
Continuing the project
Following any workshop, the legal elements necessary for the business to successfully launch the new IoT products, and the accompanying service, will need to be integrated into the overall project. Moving forwards, legal counsel is likely to need to support the business with a number of legal deliverables including:
- A risk matrix on providing the online service, covering tax, data protection, commercial and consumer law, intellectual property, and competition law.
- An assessment of the business under applicable data protection laws.
- Drafting terms and conditions and privacy policies for the new relationships being established.
- Negotiations with some of the essential dealers.
- An evaluation of the necessity to amend current insurance policies or to take out a cybersecurity insurance policy.
- The provision of the relevant documentation required, if applicable, for the certification of IoT products, according to standard market practices.
- Setting up the proper contractual structures with suppliers involved in the business model, ensuring, among other things, a proper allocation of responsibilities, reliable connectivity, detailing the ownership of IP assets and data and ensuring adequate service level agreements are in place.
- An assessment of potential restrictions on the import/export of the IoT products to any of the countries where the business model will be offered.
Developing compliant connected products in the future
As with other aspects of legal risk, although the addition of IoT sensors into products may, in a practical sense, be straightforward, there are numerous implications when it comes to ensuring that safe and compliant IoT products are placed on the market.
Existing product safety laws were not written in the context of modern connected technology. Although connected products must comply with the Radio Equipment Directive, potentially other CE marking directives, and even applicable technical standards, product safety laws generally do not contemplate connected products and the Internet of Things.
This means that it is often difficult: (i) for a business to know whether it is acting in compliance with applicable requirements; and (ii) for end users to know if they are purchasing products which represent best practice in terms of security and system integrity.
There are also risks introduced at both ends of the supply chain. The data collected by the products is valuable; however, it might also be confidential, and the business must ensure that the cybersecurity of the products does not leave its users vulnerable.
In response to these risks and regulatory uncertainties, the EU has begun to introduce initiatives to ensure that connected devices are safe for both businesses and consumers.
Amendments to the Radio Equipment Directive mean that, by mid-2024, manufacturers of connected devices will need to incorporate features to avoid harming or disrupting the networks they connect to, protect personal data that they might collect, and minimise the risk of monetary fraud.
A proposal for a European Cybersecurity Resilience Act is also anticipated for the second half of 2022, which is expected to establish harmonised standards for connected products throughout their lifecycle.
Data-Driven Business Models: The role of legal teams in delivering success
We have partnered with European Company Lawyers Association (ECLA) to produce a report exploring the challenges and opportunities associated with new data-driven business models.