The Law of the City – is it smart enough?

What makes a “smart city” smart? Increasingly, the answer lies in the deployment of connected devices and the “internet of things” (IoT). From traffic and transport to energy management systems, key functions are being equipped to provide real-time and actionable data to inform the operation of city-wide systems and services. Machine to machine (M2M) communication drawing data from sensors embedded into objects, vehicles, street furniture and infrastructure vastly increases the potential for gathering and using data about everything from traffic jams to pedestrian flows, energy demand and supply, outages and maintenance needs in utility services. These developments reflect similar trends in extractive industries, manufacturing and logistics which are rapidly adding up to the “fourth industrial revolution”.

Smart city and “industrial internet” developments jostle with domestic and consumer-facing innovations to create an increasingly complex and interdependent web of connections. All, of course, depend on the capacity and resilience of electronic communications networks, and all either create or intensify the challenges facing regulators responsible for ensuring competitive access to efficiently managed networks. They also generate huge and expanding quantities of data at every scale, from individual to complex organisation, and with that data comes new and enhanced vulnerabilities.

Law and regulation, typically, lag some decades behind technological development. The result is that courts and regulators in any jurisdiction, whether common law or code-based, generally have to reach for the legal tools that provide the closest analogies from earlier stages of development to deal with new challenges. While that remains true of legal and regulatory responses to IoT and smart city developments, it is possible to identify areas in which legal issues are likely to arise.

Electronic communications networks

A key challenge for regulators is how best to accommodate M2M and IoT within regimes that have tended to assume close control over spectrum often (as in Poland and India during 2015) involving auctions under which operators pay extremely large sums for licensed frequencies. With M2M and IoT increasingly being directed to unlicensed or “white space” spectrum, such as that vacated by analogue tv services, tensions are becoming apparent between licensed operators and the developers of IoT devices. A key battleground is the treatment of interference. Many IoT devices are designed to operate across a range of frequencies, scanning for currently unused bands. Where IoT devices use frequencies that are close to licensed parts of the spectrum, the holders of expensive licences understandably demand protection.

One key mechanism is the “kill switch”, a database-driven mechanism that allows regulators to force the disconnection of offending IoT devices. For IoT developers and investors, viability can depend on the approach taken by regulators in each jurisdiction to this key question: when and how should a “kill switch” be used? How far can IoT developers warrant the reliability of their services when faced with anything more than a momentary switch-off. For others, the stakes might be even higher as IoT devices play an ever-more significant role in critical systems ranging from traffic safety to healthcare. Arguably, established electronic communications operators who have become used to being the “disruptors” now themselves face disruption as governments and regulators enter into close and mission-critical relationships with IoT device providers.

In the UK, the sector regulator Ofcom has elected to avoid the issue, instead opting for a “guard band” approach, under which channels considered most likely to risk interference may not be used. While that approach marks a clear attempt to balance interests, it does rule out the use of potentially key parts of the available spectrum.

Product liability

Who would be responsible if a self-driving car crashed and caused death or personal injury? As technology develops and regulations are put in place, the prospect of self-driving cars on city streets is becoming far less futuristic or fanciful. Questions of liability are also moving from the realms of thought-experiment and into reality. Equally, who would be responsible if a wearable device designed to administer medication failed due to a regulatory intervention or a data breach? Such questions would not be resolved by reference to a wholly new body of specially-created law. Rather, they would have to be dealt with by applying existing principles and causes of action.

Data

Perhaps the most significant areas of concern relate to the ownership, processing, use and security of data generated by IoT devices and smart city infrastructure. Data concerning individual location, activities and even intimate personal information will be gathered and stored. Who is responsible? In Europe, much attention is currently focused on implementation of new data laws extending duties to cloud service providers. Other concerns focus on the question of how resource-starved municipal authorities might seek to fund smart city projects. If, and to the extent, that the solution lies in commercial partnerships or public-private joint ventures then a key question must be how far private sector involvement is driven by the potential value of data. For civil society, the balance between security and facility is a live and pressing question.

Contract structures

The coming together of public and private entities and the meshing of young technology with old infrastructure in commercial partnerships and public-private joint ventures can create a challenging array of relationships. Multiple service and system suppliers may be involved in the development, testing and implementation of some solutions whilst interfacing with existing infrastructure can create the risk of potential gaps in legal responsibilities.

As is often the case, lessons can be drawn from analogous situations. In particular, consortium and multi-sourcing models have been developed from an interest in “best of breed” contracting or “select sourcing”. This is a strategy of allocating different components of a project to separate best of breed suppliers. Structures vary. The suppliers may be grouped in a consortium, or the procuring entity may contract with each separately, whilst placing supplier management and integration responsibilities onto a lead supplier. This results is an interesting matrix of relationships, up and down between the procuring entity and suppliers, and from side to side with operating level and integration agreements between the suppliers. However, the upside of this complexity is that the approach can lessen the performance and credit risk for the procuring entity. The cutting edge technology may reside within a start-up venture, whilst the project financing and organisational demands require the involvement of an established “name” to add muscle.

Alternatively, large and established players may well opt for acquisition. Recent examples include the 2014 acquisition by Huawei of “internet of things” pioneers Neul (the name being the gaelic word for “cloud”).

Overview

Any survey of the legal and practical issues affecting smart city projects and IoT implementation rapidly arrives at the realisation that they touch the full range of communications law and regulation, data law, commercial contracts, tort and product liability, administrative and even constitutional law. Further, they require close attention to questions of jurisdiction, governing law and cross-border liability and enforcement. Globalisation of data services requires an understanding of issues in every relevant jurisdiction.

Whether through our directly connected offices in London, Paris, Luxembourg, Switzerland Bahrain and Qatar, or our professional networks (the Association of European Lawyers and ALFA International), we are exceptionally well-placed to keep pace with those developments.

This article was written by Malcolm Dowden and David Berry. For more information please contact David at +44 (0)207 203 5022 or david.berry@crsblaw.com