The Internet of Things (“IoT”) is becoming a reality, and it is slowly surrounding all of us. Smartwatches, smart televisions, smartphones and suchlike all have one thing in common: they are “smart”. How do these devices become smart? The answer is simple: they become smart because the internet enables them and makes them work on the principle of Artificial Intelligence. These devices reduce human intervention, which is beneficial for major sectors as it increases their efficiency and productivity. Many people believe that Artificial Intelligence and IoT are the same thing. However, this is not the case. Artificial Intelligence and IoT are not the same thing, yet the latter depends on the former. In simple words, AI is to IoT what the brain is to the human body. The best example of this is the Tesla car, which is much discussed across the country. These cars have an auto-pilot mode, which reduces the danger of accidents to a significant extent. Another example is the famous Alexa by Amazon. If you need to change the song or switch off the lights, Alexa will do it for you without your touching anything. IoT has considerable prospects in our country and is becoming an essential part of the future.

The primary aim of this article is to discuss the different legal issues that arise in the context of IoT. The leading legal issues that I came across were Privacy (profiling, geolocation, personal information, etc.), Data Security and Product Liability. The IoT environment relies heavily on the collection of data, which also includes sensitive personal information. The central questions that arise here are: Who owns the data generated by these sensors? How may such information be put to use? Are such gadgets, as well as the data they generate, secure? Moreover, are customers aware of the legal ramifications that such data creates? Due to the dynamic nature of IoT, which includes an increasing number of technologies and various changing aspects, a comprehensive understanding of its emerging privacy challenges is still lacking.

Concerns Related To Data And Privacy

There is no doubt that the IoT ecosystem offers several novel applications that will boost the IT sector along with the economy, but it faces some severe threats like malware, botnets, etc. The whole IoT ecosystem is dependent on the collection of data, which includes private and sensitive information. In smartphones, due consent is asked from the users, but this is not practically possible in the case of fitness bands and smartwatches. Because the companies try to make these devices affordable, the devices lack various security covers, hence putting the data in danger.

In order to protect the data of the users, there are the Information Technology Act, 2000 and the Reasonable Practices and Procedures and Sensitive Data or Information Rules, 2011, which contain provisions to protect the data of each individual. Out of the whole Act, the two most essential provisions in this regard are Section 43A and Section 72. Section 43A of the IT Act provides for compensatory liability when a person possessing personal data in his device leaks the data to someone due to negligence “without the consent” of the concerned person. Section 72 of the IT Act provides that if any person who has the data of another person shares it with another person “without the consent” of the concerned person, he will be liable for imprisonment and fine. According to the decision in K.S. Puttaswamy v. Union of India, privacy is a fundamental right under Article 21 of the Indian Constitution.

Nevertheless, the main concern here is that the IT Act only covers data and not IoT. The Act fails to clarify the ways, limitations and provisions required to safeguard the users. The government itself promotes the usage of IoT, as it is no doubt very beneficial for humankind, but it fails to provide even one provision to resolve disputes related to it.

Let us take an example. Suppose there is a CCTV company which provides internet-enabled cameras to its users. Due to some technical defect, it is possible to watch and even listen to the recordings with the use of the IP address. If any hacker accesses these recordings, it will be a matter of grave concern. This threat clearly shows the importance of an efficient approach towards the individual's privacy.

There are steps that IoT companies should follow in order to protect the privacy of their users:

  1. They should monitor their software to know the potential defects and make specific regulations to control them.

  2. They must inform all their users about the potential threats they can face while using the device.

  3. The IoT companies must develop a robust security system in all their devices to protect their customers in all conditions.

  4. The most important thing is that the IoT companies must be held liable if they fail to discharge their duty to protect their users' privacy.

Prospects Of Laws And Their Liability

The provisions of the IT Act must be followed and applied to the IoT, as this will give some direction for the protection of the users' data to some extent. It should be ensured that the companies are taking each possible step to ensure their users' privacy while sharing their data with third parties. Many companies ask for any information from the user even if it is not allowed, so it must be ensured that the companies are asking for only such data as is necessary for them and that there is no breach of duty at any cost.

The second thing is that in many conditions, it is difficult to say who the owner of the user's data is. Let us take an example for better understanding. There is a company named Augury that sells a device used to control the temperature. The device can curtail the temperature as required. Now this company has a tie-up with an automobile company, Tesla, which manufactures luxurious cars. Here Augury shares data with Tesla so that they can know the user's location and arrival timing. Whenever the person arrives, the device automatically sets up the climate of the room accordingly. Now the question that arises is: who will take ownership of the data of the user? This point is still ambiguous, and it is high time to bring clarity in this regard because the determination of the owner has become a point of conflict.

The IoT encompasses every connection among objects, including machine-to-machine (“M2M”) systems used to communicate real-time data and information. M2M is generally used to share data between two devices without any human intervention. It is generally more prevalent in the main metropolitan cities and is a part of the IoT, as both of them focus on sharing data; the former uses the machine for it, whereas the latter uses two similar devices. M2M has the same problem as IoT, i.e., it cannot determine the owner of the data. The data in the M2M environment is highly insecure, so there is an urgent need for a highly secure interface to protect the user's privacy.

There are also certain situations where these IoT devices harm the owner. For example, if a device used by the owner for health monitoring malfunctions and misses some vital medication, it could even lead to the user's death. These concerns are often ignored, but steps must be taken to prevent such situations. In these scenarios, the liability must be fixed on the manufacturer either by negligence or strict liability. In this regard, some laws like the Legal Metrology Act, 2009 and the Consumer Protection Act, 1986 provide for punishment in these situations.

Suggestions To Minimize The Danger

The prospect of the IoT relies on judicial interpretation because it is a new area of study and lacks proper legislation. Several areas are still ambiguous and need clarity which can only be achieved through proper legislation as it will help in the smooth functioning of this technology. The data protection and the privacy rights of the users must be clearly defined in the legislation for its efficient functioning, and there must be a proper line between the controller and the processor of the data.

During the manufacturing stage, the companies should ensure that they incorporate all the necessary security measures, instead of doing so at the stage of data collection, to reduce the probability of a breach. These companies often fail to educate their employees about data security and how they are secured. That is the reason why many employees take security measures lightly. These employees must be trained efficiently in order to bring the best security measures to these devices.

Many companies demand unnecessary information, so the users must have the right to decide which data to share and which data not to share. As in the example of Augury and Tesla, where the third party also has access, the parent company should ensure that the third party has proper security measures to protect the individual's data.

Once legislation is brought with all these essential conditions, it must be binding on all the companies. Generally, these types of legislation are only advisory in function, which kills the sole purpose of enacting them. Therefore, it is imperative to bring legislation that is binding and has strict punishment provisions in case of leakage of the data.


The IoT has enormous prospects in our country, and it will play a significant role in the progress of the nation's IT sector. However, as usual, everything has some demerits which need to be addressed. Otherwise, they can be very harmful to society. It is high time to bring this technology under the legal ambit in order to prevent its misuse. There is no doubt that some current legal frameworks are efficient in dealing with this technology, but due to its dynamic nature, it is necessary to bring separate legislation to cover every aspect of it. In today’s world, almost everything is covered under IoT, like our phones, watches, fans, lights, etc.; hence, controlling their ambit is very necessary.

This article has been written by Ritu Raj, a second-year law student at National Law University and Judicial Academy, Assam.