Legal Aspects Of The Internet Of Things


Whilst there is still no formally accepted definition, the Internet of things (hereinafter IoT) is generally understood as everyday things, objects and devices that are connected to the Internet. The range of things is vast and increasing: watches, glasses and other wearables; health indicators; home automation like smart meters and connected lightbulbs, thermostats and fridges; right up to autonomous vehicles and connected cities. They include consumer facing devices as well as B2B devices to assist in manufacturing and supply chain management but generally don’t include smartphones, tablets, laptops and other computers themselves. What links all these things is their connection to the Internet through sensors to record, process, store and transfer data, whether they communicate between themselves, with computers or with people

In the early days of the PC, it was “chips with everything”. Now, in the era of the fourth industrial revolution, it’s “chips and sensors” with everything. Only a few years ago, there were more people in the world than things connected to the Internet. We’re just towards the start of this trend but on current estimates there are 25 billion things connected to the Internet at the moment and by 2020 this will rise to 50 billion. These new developments will bring enormous benefits to all of us in our daily lives as consumers in everything from healthcare to the home to transportation and insurance. And there will be benefits in the future that we can’t even begin to foresee at the moment. The rub is that much of the data that these connected devices generate and use will be personal data and some of that will be highly sensitive. And it’s really the issues about personal data and security that lie at the heart of the legal aspects of the IoT

Key Practical IoT Legal Issues

For lawyers advising clients on projects related to the IoT, there’s a wide range of legal issues to be aware of. Commercially, the IoT will give rise to new patterns of business and business ecosystems, and the contracts underpinning them will need lawyering. Particular sectors like healthcare and financial services for example are likely to develop their own rules touching on IoT and at a more general level, consumer protection rules are also likely to be extended.

But it’s really in the areas of privacy, data protection and security that the most pressing legal issues arise. And there have been three reports over the last couple of years from government bodies on both sides of the Atlantic addressing practical legal issues around the IoT in these areas.

  • First, in the EU, the Article 29 Working Party is an independent advisory body on data protection and privacy set up under the current data protection Directive 95/46. In September 2014, it published an Opinion on the IoT (Working Paper 223) (‘Opinion’). The Opinion sets out the main issues, how the existing and future law should apply to the IoT and recommendations to stakeholders. Helpfully, it provides pointers looking ahead to May 2018 when the General Data Protection Regulation come into force.
  • Secondly, in January 2015 the US Federal Trade Commission published a staff report on the IoT called “privacy and security in the connected world” which covers similar ground from the US perspective.
  • Third, and most recently, NIST – the US National Institute of Standards and Technology – in November 2016 published a technical report from the engineering perspective on all aspects of security relating to the IoT.

Legal Regulations on IOT

There is no specific legal regulation on the Internet of objects in Turkish law. However, the provisions in some laws may be related to the subject. First of all, it is necessary to mention the Law No. 5651 on the Regulating Broadcasting in the Internet and Fighting Against Crimes Committed through Internet Broadcasting. The purpose of this Code is to regulate the obligations and responsibilities of the content provider, location provider, access provider and collective use providers and the principles and procedures regarding the fight against content, location and access providers with certain crimes committed on the Internet (Law m.1).

In accordance with Article 8 of the Law, it is decided to block access to the publications which is made on the internet and which have sufficient reason for suspicion, which is consisted the crimes specified in hereby code. If the data collected through the IoT is published on the Internet in a way to committee such crimes, access to the relevant website may be prevented.

In the Article 243 of the Turkish Penal Code, the crime of entering and staying in the information system was regulated. The things of internet system which is constituted via connected things each other can create an information system in the sense of the Turkish Penal Code. The person who unauthorizedly entered this system is deemed to committee a crime. In the Article 244 of the Turkish Penal Code, the crimes namely destroying or replacing of the information and preventing and disrupting of the functioning of the information system was regulated.

Another law that may be related to IoT is the Code on Consumer Protection. In article 5 of this Code, contractual terms, which are included in the contract without being negotiated with the consumer and which cause imbalance against the consumer in violation of the rules of honesty in the contractual rights and obligations of the parties are formed as an unjustified terms. The unfair terms in the contracts made with the consumer are strictly null and void. In addition, pursuant to Article 55 of the Turkish Commercial Code, it is also unfair competition to use the general terms and conditions of the transaction, which are prepared in accordance with the principle of honesty.


The IoT will continue to be a top priority for regulators in the data protection and security areas. Compliance with the broadening and deepening requirements of data protection law will continue equally to be high on the agenda of all participants in the IoT ecosystem.