The Internet of Things: approaches to liability

Think of a world where physical objects are seamlessly integrated into an information network; cars, homes, books, watches, spectacles, kitchens and so on. And where the physical objects can become active participants in business processes that is, they become ‘smart’, coupled with services being available to interact with these ‘smart objects’ over the Internet, analyze their state and any information associated with them, taking into account security and privacy issues. That is the Internet of Things (IoT) and it is here.

Mckinsey estimates that IoT impact on the global economy might be as high as $ 6.2 trillion by 2025 and there lies the issue. Given the current surge in cyber-attacks, businesses and consumers will be keen to understand liability and risk allocation in IoT.

The curse in the blessing

We are now able to control the various connected devices on the network using an app on our phones and tablets. However, like anything digital, these networks run the risk of being hacked. The question is who is liable when something goes wrong?

As the IoT can connect devices from different manufacturers, it is possible for a user to own a smart TV from maker X, a smart coffee machine from maker B, and a smart air vent from maker A, which are all controlled by a smartphone from maker Z that runs on software created by a third-party. Looking at the complexity of these connected devices makes it much harder to establish who is liable, under current laws and regulations, when something goes wrong.

Even on a simple level, if a smart cooker leaks when a smart toaster is turned on, causing it to explode and burn down a house, the owner has a plethora of companies who are liable for the loss. These range from the retailer, to the manufacturers, through to the developers of the phone app or cooker-toaster software. Will one party be solely accountable? Or will the parties involved in creating and processing the integrated data components of the cooker and toaster be liable to some extent?

This interoperable risk is heightened as many of these devices are likely to be mass produced and therefore, not secure enough to protect personal data.

Product liability

The situation with product liability may not be that complex today. When a stand-alone consumer device is malfunctions within a specified period of time, the user is entitled to certain remedies that are implied into every sale.

Product liability law in Kenya is governed by the Consumer Protection Act (the CPA) which introduced statutory liability for defective products. Liability under the CPA exists alongside liability in negligence, and in some cases a common law claim may succeed where a claim would not be available under the CPA. The CPA applies to both products used by consumers and products used in a place of work. The CPA imposes strict liability on manufacturers of defective products for harm caused by those products. This means that people who are injured by defective products can sue for compensation without having to prove that the manufacturer was negligent. It is merely necessary to prove that the product was defective, and that any injury or damage was most likely caused by the product.

Product liability will continue to play a role in the IoT. For example, if a smartwatch develops a mechanical fault shortly after purchase the user is able to return it to the seller.

Degree of liability

Worryingly to manufacturers of IoT devices, network providers and software developers, a user may bring a claim against one or all of them following a device malfunction or security breach. It is not clear if the aggrieved user will be required to prove that they have suffered damage as a result of an IoT player’s actions or if the courts will adopt a ‘strict liability’ approach.

Alternatively, courts can consider apportioning liability between everyone in the IoT product and network circle, regardless of their culpability. But even this poses problems. For example in a security hack of a network router, a court would have to decide if liability lies with the router manufacturer, the internet service provider or the actual hacker. The latter option may prove problematic as many hackers are anonymous.

Criminal or civil remedies

Currently, the law is not clear whether an aggrieved user is entitled to a criminal remedy, a civil remedy, or both. All likelihood points to the severity of the liability. For example, a mere malfunction of a smart fitness monitor leaving the user unable to measure their heart rate at the gym, is not likely to give rise to a civil or criminal conviction.

Futuristically on the other hand, a smart city malfunction could create both criminal and civil liability. For example, if smart traffic lights installed by a county council malfunction, and an automated car driving under them is incompatible with the traffic lights, meaning that the car fails to stop and drives into an oncoming vehicle, the result could be serious injury to road users. A situation like this could raise claims of criminal liability. However, it appears unfair to hold the car owner/driver responsible for causing injury when the culprit was in part the malfunctioning traffic lights and in part the malfunctioning car. In this type of situation, looking outside the traditional liability frontiers may be required.

IoT is still a work in progress

Regardless of how they are used, there is always the potential for a device to malfunction or for a network to be hacked. The IoT will create new risks and this in turn will require a focus on liability.

Indeed IoT is still in its early stages. The legal fraternity needs to consider either new forms of liability, or new ways to manage and apply existing laws to different entities in the IoT supply chain. With the security and privacy risks a growing public interest issue, the IoT is still a work in progress.

Getting regulatory approvals for Fin-tech: It’s not a one stop shop yet.

Fin-tech in Kenya was pioneered by Safaricom’s M-pesa application at a time when there was no regulation, pushing the unbanked and informal sector (which represents 80% of the total job market) to buy mobile phones and move from brick-and-mortar banking into the digital economy. Since then, Fin-tech has expanded to person-to-business (P2B – utility payments, shopping etc.), business-to-business (B2B), and credit and savings services, purchasing and transferring of airtime and so on.

Regulatory Framework

The current regulatory framework poses challenges that could potentially be a barrier to innovation and investors. Fin-tech obscures the current independent sectors of regulation; telecommunications and banking presenting an overlap between different ministries and Government agencies. It involves confirming with these agencies whether licensing or authorization is needed to operate, in addition to understanding which licenses would apply.

Generally, a tech company looking to launch Fin-tech in Kenya should be aware of the following licenses and applications.

1. An application to be authorized and designated as a payment service provider from the Central Bank of Kenya (CBK) for the money transfer services it would offer its proposed users. CBK has to be satisfied that the tech company has a minimum core capital of Kenya Shillings five million (KES.5,000,000/=) to be licensed as an electronic payment service provider. The CBK may label/designate the platform as a payment system if it believes that its payment system poses systemic risk, is necessary to protect the interest of the public, or if designation is in the interest of the integrity of the payment system. Though Kenya Electronic Payments and Settlement System (KEPSS) is the only payment system that is known as having been designated, the decision to designate remains with CBK.

2. Application to the Communications Authority of Kenya (CA) for a Content Service Provider (CSP) license, an Application Service Provider (ASP) license and /or a Network Facilities Provider (NFP) license;

  • Where the platform features sending SMS’s using a network carrier in Kenya, it will be considered to be providing a communication service under Kenya Information and Communication Act and thus a Content Service Provider CSP license would be needed.
  • Where the platform provides notifications and alerts in connection with the Fin-tech products that it offers, the platform will need to be licensed as an application services provider (ASP) by the CA.
  • Where the tech company will in addition to the above set up and operate communications infrastructure (based on satellite, mobile or fixed), it shall be required to procure a Network Facilities Provider (NFP) license.
  • If the application will only be web based then CA approval may not be needed however this needs to be confirmed by them.

3. If the platform offers cross border sending or receiving of money (money remittance), the tech company has to be licensed as a money remittance operator. For this license, the company has to demonstrate that it has a core capital of at least Kenya Shillings twenty million (KES. 20,000,000).

4. Other legal requirements that would be considered are money laundering, bribery, consumer protection, data protection and cybercrime.

M&A, Data Protection and online shopping

Kenyan consumers are increasingly turning to online distribution channels such as Kilimall, Jumia and Rupu to select and buy products. The traditional sales model of wholesale has been disrupted.

FMCG businesses have to adapt to these new selling methods. Social media and its effect on how consumers select and experience their products is a direct FMCG issue. Facebook and Instagram have transformed the way in which branded products are presented to the consumer. Retail shelf space is slowly becoming a thing of the past with social media opening up new opportunities carrying the potential to increase sales and lower costs. With sales migrating online, there is a direct contact and interaction with a consumer through the user visiting the brand owner’s website. And when the consumer opts-in, interactions and e-marketing is made possible through email and text messages. The result is that an FMCG business will be receiving and processing personal data. The Kenya Information and Communications (Consumer Protection) Regulations provides for the opt-in principle in which an FMCG business can market to a consumer electronically but only after having accorded the consumer an opportunity to accept or reject inclusion in the marketer’s mailing list.

Looking at Google’s Terms of Service for example, for a consumer to use the service, he/she has to agree that Google can use the person’s data in accordance with their privacy policies (usually by ticking a little check box that at the bottom of the screen). Their privacy policy indicates that they use the information they collect from all their services to provide, maintain, protect and improve them, to develop new ones, and to protect the company and their users. They also confess that they use the information to offer consumers tailored content like more relevant search results and adverts.

Data protection and electronic direct marketing compliance of the FMCG business are therefore key considerations. A key requirement in the UK is for certain information to be provided to data subjects (the individuals to whom the personal data relates) about the types of data collected and the purposes for which the business processes those data. In addition, circumstances where personal data may be disclosed to a third party will also need to be ascertained. As noted in  previous posts, data breaches are potential deal breakers in a target business, and it will be appropriate to ascertaining as part of due diligence, which third parties process personal data on the FMCG business’s behalf.

Cyber Security – What if Yahoo was a Kenyan Company?


On 22nd September 2016, Yahoo confirmed a cyber-attack in which over 500 million personal accounts were compromised. This was arguably the largest cyber security breach in history. The information obtained by the hackers includes names, email addresses, telephone numbers, dates of birth and in some cases, security questions and answers.  This comes in the wake of the on-going merger with Verizon Communications in which Yahoo is selling its core business (search, email and messenger assets as well as advertising technology tools) for USD 4.8 Billion.

While not as embarrassing to its members as the Ashley Madison hack from 2015, this recent event raises a good prompt to question whether Kenyan law is relevant to the internet. What if Yahoo was a Kenyan company?  What would be the legal outcome of this breach?

Kenyan context 

Kenya’s legislature is attempting to keep up with evolving cyber security issues.  Existing law does not impose any sanction or penalty on to the Kenyan equivalent of Yahoo however there are three bills which would change this.

The Data Protection Bill 2013, the Computer and Cyber Crimes Bill 2016 (CCC) and the Cyber Security and Protection Bill 2016 (CSP) are based on the equivalent laws in South Africa and the UK and aim to incentivize companies to increase their internet security and to prohibit certain acts in the use of the internet. It is unclear if, or when, they will become law.

The Data Protection Bill aims to regulate the collection, retrieval, processing, storing, use and disclosure of personal data. The Bill proposes that all companies will be required to put in measures to protect data against loss, destruction and manipulation. Failure to put in adequate security measures will attract a penalty of 100,000 Kenya Shillings or to imprisonment of 2 years or both.

The CSP and the CCC share the same vision of regulating cyber crimes but adopt competing methods to try and deal with this issue. The CCC is a Government Bill whereas the CSP is privately sponsored, so there is currently no clarity on when or if these bills will be progressed.

The CSP aims to establish a Response Unit in the ICT Ministry to receive and investigate reports on cyber threats. The CCC proposes additional investigative procedures for police officers.

The CSP proposes an information sharing mechanism between public and private companies (and with each other) whereas the CCC is seeking to improve international co-operation for prosecuting cyber crimes.  Broadly, the goal of both bills is to hasten investigations and prosecution of cyber crimes.

Relevantly for corporations, the CSP would require a company suffering a cyber-breach to report it to the Response Unit within 7 days of it occurring. Failure to do so will be an offence.  Worryingly, for corporations, there is no element of knowledge to trigger the 7 day reporting requirement.  A company could be in breach of this provision if it were hacked and did not discover this fact for a significant period of time.  As mentioned above, the CSP bill does not currently have government support and so its chance of becoming law is not high.  However, its existence, and the Government’s CCC bill shows that the Kenyan legislature is moving towards regulating and imposing penalties in this area.  It is only a matter of time before one of these bills is enacted.

Separate to the legal outcomes, from a commercial perspective, a cyber-attack is bad for business. Yahoo not only faces potential class action suits, and reputational damage but the likelihood of the hack being a deal breaker on the merger with Verizon is high. With the potential for new legislative penalties in Kenya on the horizon, companies should place data protection and cyber-security on their risk management agenda sooner rather than later and before a cyber-breach occurs, not as a result of one.

Below is a clip on simple cyber security tips  we can all embrace from the Herjavec Group a cyber security firm.

Vodacom ordered to pay ‘Please Call me’ Inventor

A South African inventor  has won his legal bid to compel Vodacom, a leading mobile phone telco to compensate him for inventing a popular messaging service ‘Please Call Me’. The service which is also used in Kenya was introduced by Vodacom in February 2001. It allows prepaid customers to send a message for free to other users asking to be called back.

The inventor Kenneth Nkosana Makate, was employed by Vodacom (Pty) Limited, as a trainee accountant. In November 2000, he conceived the Please Call Me idea which he intended to sell to a willing buyer. After seeking advice from within Vodacom, he approached Mr Geissler, who at the time was Vodacom’s Director and Head of Product Development. Makate entered into an oral agreement with Vodacom’s Director and Head of Product Development according to which Vodacom would experiment with the idea and if it proved commercially viable, Makate would be paid a share of proceeds from the product, subject to terms to be negotiated. Makate instituted a claim against Vodacom in the High Court after his demands on Vodacom to honour the oral agreement were unsuccessful. In the High Court Vodacom contended that in terms of Makate’s employment contract, the idea was Vodacom’s property for which Makate was not entitled to compensation. Vodacom, however, did not proceed with this claim as Makate conceived the idea outside of his scope of work. The matter proceeded to the Constitutional Court, which ordered Vodacom to compensate Makate for inventing the Please Call Me service.

This case highlights the importance of companies having proper policies and procedures in place to deal with the protection and enforcement of their intellectual property. This will help create certainty for both employers and employees and will also ensure that these important intellectual property assets are properly commercialized in accordance with good business practices.

For the full judgement, see below.

CCT 52-15 Kenneth Nkosana Makate v Vodacom (PTY) Limited

KM and the rise of AI

Having worked in Knowledge Management (KM) for a year now, one thing is becoming increasingly clear. Current KM techniques have little chance of success in law firms, especially if they are the first projects undertaken.For example, iManage is only as useful as the naming conventions applied to the document and therefore cannot work as a standalone KM solution. How is it that we still cannot Ctrl F on a scanned document?….i digress. If IBM can come up with Watson or Dan Roth with Discovery Cracker, then we are on the verge of seeing KM becoming increasingly automated and not just for the Save, Search and Retrieve model, but in discrete, well-considered projects that can be scaled up and rolled out throughout a firm with high chances of success.

Further, targeted, incremental approaches that work within the existing knowledge flow of the firm are being preferred. Examples of areas that should be given careful consideration are:

A. Litigation. Take the software CaseMap ( ). CaseMap allows you to pull information that otherwise might be hidden in legal pads, bankers’ boxes, or in the memories of individual lawyers into a format that allows lawyers to gather and analyze facts in a helpful manner. Through a simple method of tagging information, lawyers can use CaseMap to find answers to questions previously difficult to obtain. .

CaseMap creates a method for looking at the information involved in the case in a variety of ways and preparing and testing strategies as well as determining where additional work may be required on a case. In addition, a lawyer can determine the strengths and weaknesses of a case and the role that individual witnesses will play in developing a case.

B. Client Relationship Management. A highly important area in KM and Business Development is client relationship management (“CRM”). CRM is  a method of gathering, associating and using in an efficient manner information that you have about customers. The holy grail of CRM in law firms is to promote the cross-selling of business to existing clients. This area is an especially fertile one for potential knowledge management and artificial intelligence projects.

C. Conflict Checking/Chinese walls. Conflict checking is an area of difficulty for many law firms, especially as the number of clients increases and as companies enter into more joint ventures and combinations. While traditional databases can be of great assistance, often potential conflicts can only be seen by lawyers who are personally familiar with the relationships between a variety of companies and people. While CRM efforts will have a spillover effect in the area of conflict checking, the application of artificial intelligence specifically to conflict checking holds a great deal of promise. check ( )


Predictive coding software changing the legal landscape

In Pyrrho Investments Limited and another v MWB Property Limited and others [2016] EWHC 256 (Ch), the UK High Court considered whether to permit the use of predictive coding in an electronic disclosure exercise. This is the first reported English High Court decision on this issue (although predictive coding is well-established in the US and has previously been approved by the Irish High Court (Irish Bank Resolution Corporation Limited and others v Sean Quinn and others [2015] IEHC 175)).

“Predictive coding” (also known as computer assisted review), works by analyzing the coding decisions made on a sample document population, and extrapolating those decisions across a wider population. The judge in this case advised that “best practice” would be for a single, senior lawyer, who has mastered the issues in the case, to then consider the initial representative sample (marking it as relevant or not), in order to “train” the software to review the whole document set. Further statistical sampling by humans (usually taking at least 3 rounds) is then conducted to ensure the quality of the exercise. Once an acceptable level of accuracy is reached, the software then categorizes all the documents. (See also the more detailed description of the process at paragraphs 19-24 of the judgment.)

This was a multi-million pound case with 3.1 million electronic documents to review. The parties had agreed on the use of predictive coding between themselves, subject to the court’s approval.

The judge referred to the references to automated electronic disclosure in Goodale v Ministry of Justice [2009] EWHC B41 (QB). He also considered some of the US authorities and the Irish Bank case where the use of predictive coding had been contested (paragraphs 25-31, judgment). He approved the use of predictive coding because:

  • Experience in other jurisdictions suggested that predictive coding is useful in appropriate cases. There was nothing to suggest it was less reliable than manual and keyword review (and it may be more reliable).
  • It brings consistency, and could allow the electronic documents in this case to be reviewed at proportionate cost. A full manual review would be unreasonable.
  • It was not contrary to the CPR (see PD 31B.25), the parties had agreed that it should be used and trial was some way off so there was scope to use other methods if need be.

Case: Pyrrho Investments Ltd v MWB Property Ltd & Ors [2016] EWHC 256 (Ch) (16 February 2016)