Legal Issues Pertaining to Internet of Things (IoT)

Cyber laws in India, particularly the laws pertaining to data protection and data security, are at a nascent stage and are still developing, with the only significant legislations being the Information Technology Act, 2000 (“ITA”) and the “Reasonable practices and procedures and sensitive personal data or information Rules, 2011”. Due to the paucity of legislation in this regard, the legal issues pertaining to an IoT service provider can be fully addressed only by drafting and executing agreements incorporating relevant provisions to safeguard the interests of both the IoT service provider and the IoT user. The key issues to be taken into consideration for an IoT environment are discussed below:

Data Privacy & Protection

With innumerable IoT devices talking to each other via the internet, the potential for a data security breach is high, and as more and more IoT devices are introduced in the market, this issue will only become more complicated. The provisions relating to protection of individuals' personal information are covered under the Information Technology Act, 2000 (“ITA”) and the “Reasonable practices and procedures and sensitive personal data or information Rules, 2011” (“Rules”) issued under Section 43A of the ITA (as amended). Section 43A of the ITA deals with protection of data in electronic medium and provides that when a body corporate is negligent in implementing and maintaining ‘reasonable security practices and procedures’ in relation to any ‘sensitive personal data or information’ that it possesses, deals with or handles in a computer resource that it owns, operates or controls, and such negligence causes wrongful loss or wrongful gain to any person, such entity shall be liable to pay damages by way of compensation to the person so affected. Further, Section 72 of the ITA lays down the penalty for breach of the confidentiality and privacy of the data collected.

In order to ensure the privacy and protection of the data collected, the IoT service provider can adopt a specifically drafted privacy policy detailing the private information that is collected by the service provider, the scope and extent of the use to which such information is put, and the steps taken to ensure the protection of the collected information.

The service provider can also adopt precisely drafted terms & conditions, which typically regulate Limitation of Liability, Responsibilities of the service provider and consumer/user, Indemnification, Intellectual Property Rights, Assignment/Licensing, Dispute Resolution, etc.

Further, in order to ensure compliance with Section 72 of the ITA, the service provider can execute stringently drafted Non-Disclosure Agreements with its customers.

Liability Issues

Considering the volume of the data/information and the number of stakeholders involved, which in all likelihood is going to increase in the coming time, the service provider may be required to outsource the responsibility of accumulating, processing and safekeeping of the data to third party “specialist data brokers/vendors”. In such a scenario, it is pertinent that, prior to any disclosure to any third party, the service provider takes all reasonable steps to ensure that there is no breach of the privacy and data protection clauses. The service provider can also execute separate vendor agreements providing guidelines to protect “sensitive personal data or information” in accordance with the provisions of the Indian IT Act.

The service provider needs to strike the right balance concerning the “allocation of risk”. This is particularly vital in order to set the limitation of liability for the service provider in the event of a breach of data privacy and non-disclosure requirements. The allocation of risk can be dealt with by incorporating relevant provisions in the terms & conditions of use of the service. Alternatively, the service provider can have software End User Licensing Agreements (EULA) drafted that incorporate the relevant clauses, which can be executed each time a user of IoT agrees to use the service provider’s software/services.

Data Ownership

Due to the involvement of multiple stakeholders/IoT users, the involvement of third parties and the multitude of sources of the data, the data may come into the possession of many data processors. The IoT service provider, being the data controller, would essentially determine the scope, extent, manner and purpose of the use of the personal data, whereas the service provider may have different third party data processors processing the data at the instance and under the control of the data controller. Therefore, an aspect worth noting is that since there are numerous channels of dissemination of the data/information and multiple stakeholders involved, the IoT service provider (data controller) should at all times ensure that the line between data controller and data processor does not get obscured. Additionally, the Machine Generated Information (MGI) and Machine to Machine Communication (M2M) generated in an IoT environment would also pose ownership and liability issues.

In light of the above, the allocation of risk and responsibilities between the parties must be defined precisely, in particular which party bears the liability for any damage caused to the user of an IoT and which party owns the information generated by the IoT project. Hence, warranties and indemnities regarding data protection, security and privacy will become important to help draw the line between data controller and data processor, which is made all the more complex by the large number of stakeholders involved in an IoT environment. The question of who will own the data will be purely based upon the agreement between the two entities.

Privity of E-Contracts

The issues pertaining to data ownership, security and privacy in an IoT environment can be reasonably addressed by contracts between device manufacturers/IoT service providers and the IoT users. These contracts may be entered into by way of click-wrap and shrink-wrap contracts, which are basically End User Licensing Agreements (EULA) governing the terms and conditions of use of the software or device. Like any normal contract, an e-contract can form a valid and binding relationship between the parties under the Indian Contract Act if it fulfils the essentials of a valid contract as provided under Section 10 of the Act. In an IoT environment, there is no privity of contract between multiple IoT users, which may lead to complexity in case of a dispute. Therefore, the draft agreement should contain express provisions regarding third party liabilities and dispute resolution.

Product Liability & Consumer Protection

Where an IoT device malfunctions, or where data or software is compromised or lost, individuals and businesses may suffer devastating losses. Such device failures may result not only from a device defect but also from a network failure to provide communications as needed. Thus, it will be important for IoT device manufacturers to purchase and cover themselves with product liability insurance.

Intellectual Property Rights

An IoT environment facilitates data generation and content creation, including Machine Generated Data. The question that arises is, “When original data is created by virtue of the interaction of various devices in an IoT environment, which may include, inter alia, a new process of arriving at desired results, who claims the IP Rights in such content/data/process?” The ownership of the title and claim to the IP Rights needs to be expressly enunciated in the agreements executed between IoT service providers and device manufacturers/consumers, especially considering the fact that IP rights confer upon the owner a host of other rights, like licensing and commercialization of their IP to further exploit its commercial utility.


The legal wisdom regarding the IoT is inadequate due to the lack of sentience and awareness in this regard. With the advancement in technology, the IoT environment continues to evolve at an unprecedented rate and the legal acumen regarding IoT cannot lag behind for long. Europe, the US and Australia have already embraced the legal implications of an IoT environment and it is about time that the Indian legislature triggers a befitting enactment!

About the author: Anirudh Sarin, Trademark Attorney at Khurana & Khurana, Advocates and IP Attorneys and can be reached at



