The Internet of Things (“IoT”) is poised to fundamentally alter the way industries approach procurement, processing and distribution. With the accelerated adoption of IoT under the auspices of Industrie 4.0, manufacturers will need to account for an expansion of the regulatory regime applicable to their processes and products. To this end, we set out below the key regulatory challenges and compliances that are likely to apply to “smart manufacturing” operations going forward.
1. Privacy and data protection
If your IoT device collects or deals with sensitive personal information of individuals (for instance through software or applications (“apps”) required to operate such devices) you should obtain express consent for the collection, storage and/or use of such data, as required under Indian data protection and privacy laws. Account for such privacy issues at the product design stage itself.
Further, keep in mind that Indian privacy laws are under major reconsideration - the Personal Data Protection Bill, 2018 envisages inter alia a data protection authority and also specifies provisions for data collection and storage, mandating data localisation. Be prepared to amend your privacy policies and terms of use if necessary to comply with any changes to the law.
2. Cybersecurity
Digital interconnectedness exacerbates the threat and scale of cyber intrusions in the manufacturing process. In production facilities, compromised IoT devices can lead to low product quality, downtime, damage to equipment and facilities and even safety concerns for workers. Digital supply chains, while fundamental to efficient management and optimal flow of resources, are vulnerable to shutdowns, data breaches and other attacks.
Meet these challenges proactively by integrating device protection at the design stage, conducting periodic cyber risk audits, and also consider instituting measures to respond speedily to any security breaches.
3. Product liability and recall issues
Liability under Indian consumer protection laws for defective/hazardous good and services, unfair trade practices, misleading advertisements etc. can be imposed on the retailer, manufacturer, assembler and/or any other person who puts his own mark on a good manufactured by another person.
As such, where an IoT device malfunctions resulting in loss or damage, you (as the manufacturer or brand owner) could be held responsible, even if you haven’t directly contracted with the retail customer. While free-of-cost services (such as a free app) do not give rise to consumer claims under Indian consumer protection laws, a claim under tort may still be possible.
While there is currently no process mandated for recall of defective goods (with the exception of specific industries such as food, medical devices and automobiles), the regulatory position is due to change under the Consumer Protection Bill, 2018 which proposes to set up a central authority to regulate consumer rights, misleading advertisements, recall of hazardous goods, etc., and defines product liability and grounds for compensation.
4. Validity of e-contracts
For a contract to be valid under Indian law, express consent/acceptance from the parties is required. This would also apply to contracts formed over the internet, such as for the use of software or an app accompanying an IoT product.
In such instances, a click-through contract where the users of the device or app are asked to click “I Agree” to confirm acceptance of the relevant terms of use is recommended. The terms of use of the device/app can also provide for “acceptance by conduct”, i.e. that the download and use of the app constitutes the user’s acceptance of your terms.
5. IoT-focused M&A
As IoT becomes an increasingly critical product function and integral to the manufacturing supply chain, it will become necessary for manufacturers to bring this capability in-house, particularly given the constant innovation in the IoT space. To this end, traditional manufacturers will find value in the acquisition of IoT-focused tech companies.
Given India’s tech startup ecosystem, Indian tech companies are likely to be the focus of such investment and acquisition going forward. If you are considering this route, be aware of the intricacies of acquiring technology companies in India.
6. Intellectual Property (“IP”) ownership
Designing, developing and manufacturing IoT products may involve multiple parties for the various components of the IoT device – external product, IoT app, connecting sensors, communication software etc. In such a situation it can be tricky to precisely identify which entity owns the underlying IP, and multiple parties may stake their claim to the IoT product.
This is particularly relevant given that IP rights confer upon the owner a host of other rights such as licensing and commercialisation to further exploit the commercial utility of the IP.
The parties may also be located across various jurisdictions, which may complicate the determination of which country’s IP laws will apply.
As such, contracts that involve IoT devices must specifically enunciate ownership of title, and claim to, IP. Further, the contract should also contemplate which entity will own any new content, data or processes generated as a result of the use of the IoT device (for instance, based on user preferences) and/or the interaction of multiple IoT devices and service providers.
7. Net neutrality
A fundamental factor for the success of IoT is the unobstructed convergence of various integrated services, networks and applications. The absence of net neutrality marked by the failure to treat all data on the internet equally, and discrimination based on the user, content, website, platform or application, will critically impact the success of devices and processes relying on IoT. Internet service providers will then have control over what services, applications and devices can use their networks to communicate with others.
While in India there are no specific laws that deal with net neutrality, the Indian Telecom Regulatory Authority has released recommendations that require internet service providers to refrain from exercising any form of discrimination, restriction or interference in the treatment of content. However, no overarching policy or regulation has been formulated as yet.
8. Dispute resolution and jurisdiction
If you choose to contract with Indian users through a local entity (for instance for tax, foreign exchange control or other reasons), this will impact your choice of governing law and jurisdiction.
Under Indian law, two Indian parties cannot exclude the application of Indian law to a dispute between them (as this runs contrary to Indian ‘public policy’ as understood by Indian courts). Indian courts will also be more inclined to exercise their jurisdiction if a dispute involves Indian parties exclusively (as opposed to an Indian party and an overseas party).