The Internet of Things (IoT) broadly refers to physical objects embedded
with sensors and actuators that are connected to the Internet. Examples
include wearables such as fitness devices that track users’ activities;
smart home products such as surveillance systems and lights that can be
controlled remotely; and smart-city systems such as traffic management built
on sensors in roads and vehicles.
Reports indicate that billions of IoT devices are already in use and that
their numbers continue to grow rapidly. These devices produce huge volumes of
data, which creates both opportunities and legal challenges. This article
provides an overview of the potential legal and liability issues for IoT
businesses in Hong Kong (with a specific focus on data privacy and data
security) and recommendations on how to minimize those risks.
IoT and Data Privacy Laws
There is currently no IoT-specific legislation in Hong
Kong. Accordingly, legal issues relating to IoT are subject to the general laws
of Hong Kong. With respect to data privacy issues, the general provisions and
the data protection principles (DPPs) under the Personal Data (Privacy)
Ordinance (Cap. 486) (PDPO) apply. Although the Privacy Commissioner has issued
various guidance notes on the collection and use of personal data through the
Internet, there are no specific guidance notes on IoT.
Data Security
From a regulatory perspective, data security remains
the paramount concern for IoT devices. There are various risks that data
collected by such devices could be compromised, including through cyber-attack,
infection by malware, hacking or unauthorized surveillance. The consequences of
such a data breach can be dire, as it may not only involve monetary loss (such
as losses resulting from identity theft), but may also lead to life-threatening
injuries or death (for example, when the data breach involves life-sustaining
devices like pacemakers).
In Hong Kong, DPP 4 of the PDPO provides that data
users must take all practicable steps to ensure that personal data is protected
against unauthorized or accidental access, processing, erasure, loss or use. If
a company engages a data processor such as a cloud provider or a third-party
data center, DPP 4(2) requires the company to adopt contractual or other means
to ensure the security of the data. This matters because under section 65(2) of
the PDPO, an act done or practice engaged in by an agent (such as a data
processor) with the company’s authority is treated as the company’s own act or
practice, so the company remains liable for it.
Although a contravention of the DPPs does not
constitute an offence in itself, the Privacy Commissioner may serve an
enforcement notice on a data user for contravention of the DPPs. A data user
who contravenes an enforcement notice commits an offence and is liable on first
conviction for a fine of up to HK$50,000 (approximately US$6,450) and
imprisonment for a maximum of two years.
Apart from enforcement actions by the regulators,
consumers who suffer loss or damage as a result of a data breach may also
institute civil claims against the tortfeasors. Section 66 of the PDPO provides
that an individual who suffers damage by reason of a contravention of a
requirement under the PDPO may be entitled to compensation and the Privacy
Commissioner may grant legal assistance to the aggrieved individual who intends
to initiate proceedings to seek compensation. According to the Privacy Commissioner’s
Annual Report (2014–15), the Privacy Commissioner handled 11 applications for
legal assistance during the year, of which one case was granted legal
assistance.
IoT Enforcement Case in the U.S.
Whilst to date there has not been any enforcement
action relating to IoT products in Hong Kong, it is not surprising that
enforcement actions have already appeared in other jurisdictions where IoT
products are more prevalent. In the first known IoT enforcement action in the
US, the Federal Trade Commission (FTC) charged security camera maker TRENDnet
with misrepresenting its cameras as “secure”.
The company markets video cameras under the trade name “SecurView” that allow
users to monitor their homes remotely. After a breach in which the live feeds of
over 700 cameras were accessed, the FTC found that the product was not as secure
as claimed: hackers had been able to reach the live feeds of many cameras with
minimal effort.
The FTC’s complaint alleged that “these compromised live feeds displayed
private areas of users’ homes and allowed the unauthorized surveillance of
infants sleeping in their cribs, young children playing, and adults engaging in
typical daily activities.” The case was settled in 2014 and
pursuant to a Consent Order, TRENDnet was (amongst other things) prohibited
from misrepresenting the security of its cameras, and it was obliged to
implement a comprehensive security program to address the security risks.
In Hong Kong, the Trade Descriptions Ordinance (Cap.
362) (TDO) makes it an offence to apply a false trade description to any goods.
This is a strict liability offence and the maximum penalty on conviction is a
fine of up to HK$500,000 (approximately US$64,500) and imprisonment for five
years. It remains to be seen whether the Hong Kong Customs & Excise
Department will follow in the FTC’s footsteps in pursuing claims related to
false trade descriptions with respect to the security features of IoT devices.
The TDO can be applied widely and in our view may catch any exaggerated
security claims by sellers or manufacturers of IoT devices.
Recommendations on Data Security
Whilst not binding in Hong Kong, the following six
best practices from the FTC report entitled “Internet of Things: Privacy &
Security in a Connected World”, published in January 2015 (FTC Report), provide
a useful guide for companies seeking to minimize the risks associated with IoT
devices:
(i) As part of the security by design process, (a)
conduct a privacy and security risk assessment; (b) adopt a data minimization
policy; and (c) conduct testing of the security measures before launching the
relevant products.
(ii) Provide appropriate security training for
relevant staff and ensure that security issues are addressed at the appropriate
level of responsibility within the organization.
(iii) Engage reputable service providers that are
capable of maintaining appropriate security.
(iv) Employ multiple layers of security to defend
against security threats.
(v) Implement access control to limit unauthorized
access to consumers’ devices, data and networks.
(vi) Continue monitoring the product throughout its
life cycle and notify users of security risks and updates. If companies decide
to limit the time during which they provide security updates, they should
disclose to the customers the safe “expiration dates” for the IoT
devices after which the security risk is heightened.
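Recommendations (v) and (vi) are stated at policy level. The following is an added example written for this page (it is not code from the FTC Report, from TRENDnet or from any real product) showing what the difference between an unauthenticated device feed and one guarded by an ownership check looks like in practice, together with the support-window notice that (vi) calls for. The bearer-token scheme, the function names and the sample users and device are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date

# All names and data in this file are constructed for illustration only.


@dataclass
class Device:
    device_id: str
    owner: str
    security_updates_until: date  # the disclosed "expiration date" for security updates


@dataclass
class Store:
    token_hashes: dict = field(default_factory=dict)  # user -> sha256(token); never the clear token
    devices: dict = field(default_factory=dict)       # device_id -> Device
    audit: list = field(default_factory=list)         # (decision, principal, device_id) records


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def register_device(store: Store, device: Device) -> None:
    store.devices[device.device_id] = device


def issue_token(store: Store, user: str) -> str:
    """Create a random bearer token for a user and keep only its hash."""
    token = secrets.token_urlsafe(32)
    store.token_hashes[user] = _hash_token(token)
    return token


def authenticate(store: Store, token: str):
    """Map a presented token to a user, or None. Hash comparison is constant-time."""
    presented = _hash_token(token)
    for user, stored in store.token_hashes.items():
        if hmac.compare_digest(presented, stored):
            return user
    return None


def open_feed_insecure(store: Store, device_id: str):
    """Anti-pattern: any caller who knows or guesses a device id gets the feed."""
    if device_id in store.devices:
        return f"live-feed:{device_id}"
    return None


def open_feed(store: Store, token: str, device_id: str, today: date):
    """Authenticate the caller, then authorise them for this specific device.

    Returns {"feed": ..., "warning": ...} on success and None on any denial.
    The warning carries the support-window notice from recommendation (vi)."""
    user = authenticate(store, token)
    if user is None:
        store.audit.append(("deny", "unknown", device_id))
        return None
    device = store.devices.get(device_id)
    if device is None or device.owner != user:
        # Authenticated but not the owner: deny, and record who tried.
        store.audit.append(("deny", user, device_id))
        return None
    store.audit.append(("allow", user, device_id))
    warning = None
    if today > device.security_updates_until:
        warning = ("security updates for this device ended on "
                   f"{device.security_updates_until.isoformat()}")
    return {"feed": f"live-feed:{device_id}", "warning": warning}


def demo():
    """Run the scenarios side by side and return (results, audit trail)."""
    store = Store()
    register_device(store, Device("cam-1", "alice", date(2026, 1, 1)))
    alice, bob = issue_token(store, "alice"), issue_token(store, "bob")
    results = {
        "insecure_anyone": open_feed_insecure(store, "cam-1"),
        "owner": open_feed(store, alice, "cam-1", date(2025, 6, 1)),
        "other_user": open_feed(store, bob, "cam-1", date(2025, 6, 1)),
        "bad_token": open_feed(store, "not-a-token", "cam-1", date(2025, 6, 1)),
        "after_expiry": open_feed(store, alice, "cam-1", date(2026, 6, 1)),
    }
    return results, store.audit


if __name__ == "__main__":
    for name, value in demo()[0].items():
        print(name, value)
```

The two points a practitioner should take from this: the insecure path needs nothing but a device identifier, which is exactly the kind of "secure" claim a regulator can test by trying it, whereas the guarded path checks both who the caller is and whether that caller is entitled to this particular device, and leaves an audit record of every denial. The token lookup here scans all users for brevity; a real service would index tokens by an identifier so the constant-time comparison runs once.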
Notice and Consent
Beyond data security, providing notice and choice to IoT users continues to
play an important role. In a recent
media statement, Mr. Stephen Wong, the Hong Kong Privacy Commissioner, said, “[m]any
IoT devices increasingly include functions such as tracking fitness and health,
which means more personal data elements are being collected and shared across
apps and other devices without the knowledge or consent of the consumers… [i]t
is important for companies engaged in these activities to make known to the
consumers their personal data policies and practices, types of personal data
they hold and how the data is used.”
Under the PDPO, companies are required to provide
notice to data subjects before using their personal data and to obtain the
data subjects’ consent when their personal data is used for a new purpose.
Accordingly, when an IoT device involves the collection and use of personal
data, companies should take all practicable steps to notify the data subject
of how their personal data will be used and, in particular, to give the
information required under DPP 1, including the purpose of collecting the
personal data, the classes of transferees of the personal data and the right
to request access to and correction of the data. Since such notice must be
given on or before the collection of the personal data, companies engaged in
IoT should ensure that the personal information collection statement is
provided to users before their personal data is collected. In practice, this
may be at the stage of activation (or even purchase) of the device.
Recommendations on Ways to Provide Privacy Notice
The FTC Report notes that providing notice in the context of IoT devices can be
challenging because data collection is ubiquitous and because many IoT devices
lack displays or user interfaces through which information can be given.
Recognizing these constraints, the report suggests other creative ways of
providing notice. Some options
include providing notice at the point of sale; within the initial set-up wizard
or in privacy dashboards (e.g. the Google Dashboard provides users with
transparency and control over data associated with their Google account);
developing video tutorials (e.g. Facebook offers a video tutorial to guide
consumers through its privacy setting page); or affixing a QR code or similar
barcode that, when scanned, would take the consumer to a website with
information on the company’s privacy policy. Privacy notice can also be
provided in a companion device, for example, on a paired smartphone instead of
the IoT device.
For IoT devices that are not targeted at specific
users, privacy notice would need to be provided through public channels.
Examples of public channels include signs posted in public places and privacy
beacons, which are small devices that can transmit data wirelessly to other
devices nearby (e.g., Apple uses iBeacon technology throughout its retail
stores).
Drones
Drones, which are unmanned aircraft controlled
remotely by computers or individuals, are evolving rapidly, and they can be
highly privacy-intrusive when fitted with cameras and sensors. In this respect,
the Hong Kong Privacy Commissioner has issued an updated guideline on the use
of drones that suggests various ways to provide privacy notices to affected
individuals, including the use of flashing lights to indicate that recording is
taking place, placing corporate logos and contact details on the drones, and
announcing the drone operation in the affected area in advance. Apart from data
privacy issues, there are also security and safety issues surrounding the use
of drones, as evidenced by a recent arrest by the Shenzhen Police over a plot
to use drones to disrupt a visit by a top Chinese politician to Hong Kong.
These issues will need to be addressed by the government sooner rather than
later, before a disaster happens.
Conclusion
The IoT presents numerous opportunities and benefits,
yet before such products and systems are widely embraced, legal issues such as
data privacy and data security, along with other policy and technical
challenges, must be tackled. As the law continues to catch up with the rapid
development of technology, new regulations and guidelines will likely emerge to
deal with the legal issues arising from the IoT. In the meantime, it is vital
for IoT businesses to take proactive measures to minimize their potential legal
risks and liabilities.