In Part 2 of this article on the legal landscape related to smart manufacturing, we take a look at legal issues surrounding data ownership, data privacy, as well as the implications of artificial intelligence, which is rapidly making inroads to the manufacturing arena.
The inspiration for two blog posts (Part 1 and this Part 2) on a much less discussed aspect of Industry 4.0 comes from last month’s Smart Manufacturing, 3D Printing & Industry 4.0 Forum event in Singapore, where ARC Advisory Group chaired a panel, Future of Manufacturing: The Emerging Legal Challenges, comprising lawyers Matt Pollins, partner and head of commercial/TMT at legal firm CMS Singapore and Wong Hong Boon, manufacturing and supply chain legal counsel at 3M Singapore, along with Ani Bhalekar, Head of IoT/Industry X.0 & Mobile Practices for ASEAN+, Accenture; CK Vishwakarma. CEO/Founder of IoT interest group IoTSG; and Dean Shaw, Industry Solutions Director, Microsoft.
What follows are the questions posed by ARC to the panel in the second half of the session and a summary of the subsequent discussions.
Q: Industrial IoT systems can involve data transfer between multiple parties; for example, data from a plant owner’s machine sent to the machine manufacturer and also to a third-party service organization. In such cases, who owns the data?
The straight legal answer is that there are question marks over whether you can really own data as an intellectual property. So that means because data is not easy to own, you need to get it nailed down in the contract between the customer and the vendors on who can control it.
But it is a huge issue – who owns or who should own the data. In a large autonomous vehicle project in the mining industry, the deal almost did not happen because the vehicle supplier wanted to own the data, so as to improve their product in perpetuity. The customer’s perspective was that it’s my mining site, why should you own the data – we want the data. The commercial answer really lies in negotiating those two opposing views.
Generally, when we talk about data in the manufacturing context, there are many possible types of data, such as design data, operator data, data generated from the processes, etc. So when you start discussing issues around data ownership it is important to keep in mind that not all data are the same. Also important is to assess whether the data in question actually has value and understand how the data would or could be used by another party.
Among C-level executives, data ownership is often a red herring i.e. an unnecessary distraction. That’s because the perception of ownership comes from private property – your car, your house, etc. – with which you can do whatever you want. And that leads to a preconceived notion that you also have the ability to deal with “your data” any way you can. But really, it’s much more about the rights of the parties involved and what they can and cannot legally use the data for.
Q: We are hearing a lot about the European Union’s new General Data Protection Regulation (GDPR). Is this something that companies in Southeast Asia need to be concerned about?
There is some misunderstanding among some companies that because this is an EU regulation it does not apply to this region; however, that’s not quite true. GDPR mandates that companies which collect or process data of EU nationals are required to follow certain regulations. The most onerous is that if there is a data breach you need to inform regulators within 72 hours. The penalty for contravening GDPR regulations – four percent of worldwide turnover – is also not trivial. So if you are a company operating in, say, Singapore and you collect or process data of EU nationals, you need to comply with the GDPR.
Do note, however, that the GDPR only concerns personal data – data that relates to individuals; it does not apply to operational data from a machine or a process. If you are a manufacturing company considering adoption of, say, an IIoT-based predictive maintenance solution for a machine, you don’t need to worry about GDPR because there is no personal data involved. You should still be concerned about data confidentiality and security, because you may not want competitors to know about your plant performance, but these are not data privacy issues relevant to GDPR.
While most of information used in manufacturing does not involve personal data, there are certain categories where personal data may be involved. For example, increasingly, manufacturers are making products to order for individual consumers. Because you might deliver the product directly to the end customer, you need to hold the addresses and other relevant information of individuals, and these are personal data. Hence, make sure you analyze your processes thoroughly in order to establish all instances of personal data collection and processing.
Q: With the prevalence of wearable technology, it’s becoming common to track the activity and location of operators in the plant. Is the ensuing data classified as personal data?
Yes, it is personal data but the organization can use it because you probably consented to that as part of your employment agreement. Generally, you can demand to know what data your company holds about you. Some countries in Southeast Asia do have what’s called data subject access rights.
In a mining industry project involving 1800 contractors on site, it was important to make sure the contractors were billing for the correct hours and executing the assigned work orders. This led to an Industrial IoT solution for worker location tracking. While adoption was voluntary for the contractors, there was universal take-up because the solution also kept workers safer in a mining environment with a known history of worker injuries and equipment damages. Probably because of the clear benefits to the workers and to the enterprises, there were no great concerns raised about data privacy and what could perhaps be perceived as rather invasive use of technology.
Q: Considering the burgeoning area of artificial intelligence, are there certain legal issues that we should be concerned about? For example, the question of liability in the case of an industrial accident involving an AI based robot or autonomous vehicle?
In this scenario, it’s really about causation – what caused the issue? Is it a malfunction with the machine? Did your supplier program the machine incorrectly? Is it an individual who wandered into an area that he was not supposed to be in? Is it your fault for telling the worker he was not supposed to go there? So it really depends on what caused the accident and what legal remedies you may have against the vendor, if any.
You should already have a contract between you and the machine supplier specifying who is responsible in different situations and that should generally be sufficient. Most categories of liabilities have to do with negligence and there are already laws covering negligence, and also criminal laws if it was a deliberate act on the behalf of a programmer. So in the context of AI, you have existing laws covering these different scenarios and so we don’t really need to introduce new laws to stop machines being evil.
For manufacturers starting to adopt AI based systems, it is important to understand the decisions coming from artificial intelligence and what suppliers are building into their algorithms. These are aspects to consider when talking to potential vendors and developing the subsequent contracts with a selected supplier.