Explore the full briefing

What is the Internet of Things?

What is an IoT platform?

What are the economic, sectoral and geographical impacts of IoT technology?

Are there vulnerabilities in the technology?

What are the key operational issues?

What are the key legal considerations?

What are the issues to consider in acquiring IoT technology?

What should manufacturers and suppliers of IoT technology be doing now?

What will the future of IoT technology look like?

What will the impact be on specific industries?

Businesses wishing to invest in, or to acquire, an existing IoT business, or to purchase or have IoT technology developed for them, will need to consider a number of issues.

M&A and due diligence

IoT technology raises a significant number of complexities in relation to a proposed share or business acquisition or investment involving it.  As a result, particular attention needs to be paid to due diligence, among other issues.  Some of the more pressing considerations include:

  • Due diligence and warranty considerations (technology): although not exhaustive, the issues might include: (1) do the target’s commercial contracts exclude or limit liability in relation to loss or corruption of IoT data and data in transit? (2) does the target’s IoT connectivity include roaming or a licensed telecommunications activity? (3) where are the target’s IoT points of presence globally? (4) is the target’s IoT technology subject to export controls? (5) does the target have an IoT privacy policy and does it comply with legal requirements in the jurisdictions within which the IoT points of presence operate? Does such policy provide for who has the right to exploit such data, and who owns the intellectual property rights in it (if any)? (6) are freedom to operate patent searches necessary or desirable? (7) is the target an operator of an essential service or a digital service provider under the Cyber Security Directive or equivalent legislation? (8) are the target’s IoT products free from product liability claims, product safety claims and environmental liabilities (including in relation to disposal of IoT devices)? (9) are the target’s IoT patents valid and enforceable, and does the target infringe any third party intellectual property rights?
  • Security: IoT technology is potentially very sensitive in the context of national security. To protect their national security interests, regulators in the U.S., the U.K., China and other jurisdictions are increasingly scrutinising foreign investment in strategically sensitive sectors of their economies: 
    • U.S.: on 13 August 2018 the U.S. President signed into law the National Defense Authorization Act (NDAA), which included the Foreign Investment Risk Review Modernization Act 2018 (FIRRMA).  This marked the most significant change in over ten years in the law governing the Committee on Foreign Investment in the United States (CFIUS).  The FIRRMA Pilot Program, which commenced on 10 November 2018: (1) expands the scope of transactions subject to CFIUS review to include certain non-controlling investments made by foreign persons in U.S. businesses involved in critical technologies, including emerging and foundational technologies, related to specific industries; and (2) makes effective FIRRMA’s mandatory declarations provision for transactions that fall within the specific scope of the pilot program.  Additional guidance is expected regarding the criteria for identifying emerging and foundational technologies.  Businesses involved in sensitive technologies that are contemplating transactions that involve foreign investment in the U.S. need to carefully evaluate the impact that these changes may have on those transactions;    
    • U.K.: in recent years the U.K. Government has become increasingly concerned about what it sees as its limited powers to deal with national security threats arising out of business transactions. Emerging new threats combined with technological and economic change have created a new national security environment.  On 24 July 2018 the U.K. Government published a white paper on National Security and Investment. It set out the U.K. Government’s plans to take new powers to scrutinise acquisitions and other investments in the UK on national security grounds. The proposed regime, supported by guidance, is a broad, voluntary notification system backed by a wide-ranging “call-in” power for the U.K. Government.  It is targeted at a range of sensitive sectors of the economy, including connectivity technologies central to IoT technology. The U.K. Government is likely to respond to the consultation with a draft bill in 2019 and to then seek to introduce legislation;
    • Europe: in 2020, a new EU framework coordinating the review of foreign direct investment based on national security and public order considerations will enter into effect.  The new EU framework will impose certain minimum criteria on reviews by EU member states, provide for the exchange of information among member state authorities and empower the EU Commission to advise member state authorities on potential investments.  The EU Commission will not have the power to approve or block investments itself, however; these powers will remain with member state authorities; and
    • China: The Foreign Investment Law of China is in force from 1 January 2020.  Under it China adopts a pre-entry national treatment regime with a “negative list”. This means that foreign investment will be regulated in the same way as investment made by Chinese domestic investors, and  for industries not falling within the scope of negative list, international investment in them will not be subject to project-by-project prior approval from Chinese authorities. It provides for a ban on forced technology transfers, free remittance of foreign exchange according to relevant legal procedures, wider access to government procurements, participation in formulation of industry standards, fair and reasonable compensation for public interest expropriation, and more flexibility to negotiate and determine corporate governance structures and key contract terms for investments in China.  The Foreign Investment Law has one generic clause providing that China will adopt a national security review for foreign investments which have or may have bearing on China’s national security, and that decisions of the national security review are to be final. Apart from that generic requirement, the Foreign Investment Law does not contain any further details relating to the national security review process.  It is anticipated that Chinese authorities may pass separate implementing regulations to provide for details in relation to national security review. 

IoT collaborations and JVs

IoT collaborations typically take the form of an unincorporated joint venture (contractual) or an incorporated special purpose vehicle.  In terms of the technology, and given the importance of standards (and standard-essential patents) in relation to IoT technology, the parties will need to consider the position on intellectual property rights in particular: do they wish to form a patent pool or are they intending to maintain separate ownership of contributed intellectual property rights? 

Another key issue is who (as between the various participants) is to own the data generated?  Is it to be owned by one participant and licensed to the others?  What problems might co-ownership of data give rise to?

Contracting for development and licensing of IoT technology

Contractual provisions will vary according to whether the technology is being developed and licensed, or simply licensed, and whether what is being provided is an IoT device, a service, or a combination.  Key in all such arrangements will be provisions regarding the use, ownership and rights to exploit any generated IoT data, along with appropriate data privacy provisions.  Product liability in relation to IoT devices will need to be addressed, along with product safety / product recall (where relevant) and product disposal / decommissioning obligations (including purging data).  A technology vendor will also wish to address the question of liability for loss or corruption of data, and entirely exclude such liability in relation to data in transit (whether over the Internet or otherwise).