The Internet of Things (IoT) has received a very positive response from the Indian government and Indian entrepreneurs. Although everybody is very enthusiastic about IoT and its usage in India, nobody is aware of its usage policies and regulatory framework. This situation has arisen because we have neither a dedicated e-commerce law nor a law governing IoT and its uses in India. As a result, everybody is just deploying IoT-based systems and devices in India without knowing the seriousness of their actions and omissions.
IoT usage and deployment can give rise to IoT privacy, data protection, cyber security and civil liberty issues in India. However, the world over, these techno legal issues of IoT are still in their infancy. India has also been trying to bring in a policy and regulatory framework for the use of IoT in India by various stakeholders. The issuance of the draft IoT Policy of India (pdf) and the Revised Draft IoT Policy of India (pdf) are instances of such efforts, but they are not sufficient to cover the areas and operations of an innovative technology like IoT.
It is obvious that we need a techno legal framework for successful and wide-scale use of IoT in India. However, this is a difficult task to manage, as we have very few techno legal professionals in India and other jurisdictions who can assist in this regard. This is the reason why India is still struggling to enact privacy, data protection and cyber security laws. As a result, India has a very poor track record of civil liberties protection in cyberspace, and the surveillance and censorship issues of the Digital India and Aadhaar projects are in active violation of provisions of the Indian Constitution.
Perry4Law Organisation (P4LO) believes that as we start mass deployment of IoT, making it omnipresent, all stakeholders would be apprehensive, as the cross-linking nature of IoT would offer new possibilities and methods to influence and to exchange data and information. This leads to a variety of existing and new potential risks concerning data security, privacy and data protection, which must be considered in advance. The severity and likelihood of each risk will depend on the circumstances in which each IoT application or system is deployed.
Naturally, privacy, data protection and cyber security are complementary requirements for IoT services in India. In particular, data security and data protection are regarded as preserving the confidentiality, integrity and availability of information provided by Indian citizens. Perry4Law Organisation (P4LO) also believes that cyber security is an essential and basic requirement when IoT-related services are provided by the industry or government. This is required not only to ensure information security for the organisation itself but also for the benefit of Indian citizens at large.
For instance, IoT presents a variety of potential security risks that could be exploited to harm consumers by: (a) enabling unauthorised access to and misuse of personal information; (b) facilitating attacks on other systems; and (c) creating risks to personal safety. Similarly, privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. These days behavioural targeting is very common among companies that rely upon historical and real-time data to analyse and influence consumers’ interests and choices. Companies might use this data to make credit, insurance, and employment decisions. Even if companies are prevented by law from taking such a course of action, these risks to privacy and security could still undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.
Perry4Law Organisation (P4LO) strongly recommends that companies developing IoT products and services in India should implement reasonable security practices and procedures. These must include cyber security best practices, e-discovery best practices, cyber law due diligence (pdf), Internet intermediary liability law compliance, etc. Similarly, there must be a dedicated crisis management plan for cyber attacks against IoT in India so that IoT and critical infrastructures can recover from sophisticated cyber attacks as soon as possible. For instance, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have recently published the Guidance on cyber resilience for financial market infrastructures (pdf) (“Cyber Guidance”). As per this Cyber Guidance, Financial Market Infrastructures (FMIs) must develop cyber capabilities to resume their operations within two hours following a cyber disruption. India must also develop a robust and resilient cyber security infrastructure so that systems dependent upon Information and Communication Technology (ICT) can come back online as soon as possible.
There are some long-standing Fair Information Practice Principles (“FIPPs”) like notice, choice, access, accuracy, data minimisation, security, and accountability that should apply to the IoT segment. Indian IoT stakeholders must also follow these principles and privacy and data protection best practices so that IoT services can be provided in a legal and law-abiding manner not only in India but also in other jurisdictions. Conflict of laws in cyberspace raises complicated techno legal issues that IoT stakeholders must be prepared to deal with. For instance, Microsoft recently won a case where the US Government was forcing it to disclose e-mail data and details stored in a data center in Ireland. Microsoft argued that as the data was stored in Ireland, it was subject to Irish rather than US law, regardless of the company providing the infrastructure. Thus, IoT stakeholders from India must be aware of and comply with the laws of different jurisdictions if their products and services are also offered in those jurisdictions.
Perry4Law Organisation (P4LO) hopes that IoT stakeholders will find this article useful, and we also wish them all the best in their projects and business activities.