The Internet of Things (IoT) broadly refers to physical objects embedded with sensors and actuators that are connected to the Internet. Some examples include wearables such as fitness devices that can track users’ activities; smart home products such as surveillance systems and lights that can be controlled remotely; smart cities with intelligent traffic management that are armed with sensors in roads and vehicles. In fact, reports have shown that there are already billions of IoT devices in use and their numbers continue to grow exponentially with the advance of technology. These devices produce huge volumes of data, which creates both opportunities and also legal challenges.

This article aims to provides an overview of the potential legal and liability issues for IoT businesses in Hong Kong (with a specific focus on data privacy and data security) and recommendations on how to minimize those risks.

IoT and Data Privacy Laws

There is currently no IoT-specific legislation in Hong Kong. Accordingly, legal issues relating to IoT are subject to the general laws of Hong Kong. With respect to data privacy issues, the general provisions and the data protection principles (DPPs) under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) apply. Although the Privacy Commissioner has issued various guidance notes on the collection and use of personal data through the Internet, there are no specific guidance notes on IoT.

Data Security

From a regulatory perspective, data security remains the paramount concern for IoT devices. There are various risks that data collected by such devices could be compromised, including through cyber-attack, infection by malware, hacking or unauthorized surveillance. The consequences of such a data breach can be dire, as it may not only involve monetary loss (such as losses resulting from identity theft), but may also lead to life-threatening injuries or death (for example, when the data breach involves life-sustaining devices like pacemakers).

In Hong Kong, DPP 4 of the PDPO provides that data users must take all practicable steps to ensure that personal data is protected against unauthorized or accidental access, processing, erasure, loss or use. If a company engages a data processor such as a cloud provider or a third-party data center, the company must adopt contractual or other protections to ensure the security of the data. This is important because under section 65(2) of the PDPO, the company is liable for any act done or practice engaged in by its data processor.

Although a contravention of the DPPs does not constitute an offence in itself, the Privacy Commissioner may serve an enforcement notice on a data user for contravention of the DPPs. A data user who contravenes an enforcement notice commits an offence and is liable on first conviction for a fine of up to HK$50,000 (approximately US$6,450) and imprisonment for a maximum of two years.

Apart from enforcement actions by the regulators, consumers who suffer loss or damage as a result of a data breach may also institute civil claims against the tortfeasors. Section 66 of the PDPO provides that an individual who suffers damage by reason of a contravention of a requirement under the PDPO may be entitled to compensation and the Privacy Commissioner may grant legal assistance to the aggrieved individual who intends to initiate proceedings to seek compensation. According to the Privacy Commissioner’s Annual Report (2014–15), the Privacy Commissioner handled 11 applications for legal assistance during the year, of which one case was granted legal assistance.

IoT Enforcement Case in the U.S.

Whilst to date there has not been any enforcement action relating to IoT products in Hong Kong, it is not surprising that enforcement actions have already appeared in other jurisdictions where IoT products are more prevalent. In the first known IoT enforcement action in the US, the Federal Trade Commission (FTC) charged security camera maker TRENDnet for misrepresenting its cameras as “secure”. The company markets video cameras under the trade name “SecurView” that allow users to monitor their homes remotely. As a result of a security breach where over 700 cameras were tapped, the FTC found that the IoT product was not as secure as it claimed and hackers were able to access the live feeds of many cameras with minimal effort. The FTC’s complaint alleged that “these compromised live feeds displayed private areas of users’ homes and allowed the unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities.” The case was settled in 2014 and pursuant to a Consent Order, TRENDnet was (amongst other things) prohibited from misrepresenting the security of its cameras, and it was obliged to implement a comprehensive security program to address the security risks.

In Hong Kong, the Trade Descriptions Ordinance (Cap. 362) (TDO) makes it an offence to apply a false trade description to any good. This is a strict liability offence and the maximum penalty on conviction is a fine of up to HK$500,000 (approximately US$64,500) and imprisonment for five years. It remains to be seen whether the Hong Kong Customs & Excise Department will follow the FTC’s footsteps in pursuing claims related to false trade descriptions with respect to the security features of IoT devices. The TDO can be applied widely and in our view may catch any exaggerated claims by sellers or manufacturers of IoT devices.

Recommendations on Data Security

Whilst not binding in Hong Kong, the following six best practices provided in an FTC report entitled the “Internet of Things – Privacy & Security in a Connected World” published in January 2015 (FTC Report) provide a useful guide for companies in minimizing risks associated with IoT devices:

(i) As part of the security by design process, (a) conduct a privacy and security risk assessment; (b) adopt a data minimization policy; and (c) conduct testing of the security measures before launching the relevant products.

(ii) Provide appropriate security training for relevant staff and ensure that security issues are addressed at the appropriate level of responsibility within the organization.

(iii) Engage reputable service providers that are capable of maintaining appropriate security.

(iv) Employ multiple layers of security to defend against security threats.

(v) Implement access control to limit unauthorized access to consumers’ devices, data and networks.

(vi) Continue monitoring the product throughout its life cycle and notify users of security risks and updates. If companies decide to limit the time during which they provide security updates, they should disclose to the customers the safe “expiration dates” for the IoT devices after which the security risk is heightened.

Notice and Consent

Other than data security, provision of notice and choice to IoT users continues to play an important role in the IoT. In a recent media statement, Mr. Stephen Wong, the Hong Kong Privacy Commissioner, said, “[m]any IoT devices increasingly include functions such as tracking fitness and health, which means more personal data elements are being collected and shared across apps and other devices without the knowledge or consent of the consumers… [i]t is important for companies engaged in these activities to make known to the consumers their personal data policies and practices, types of personal data they hold and how the data is used.

Under the PDPO, companies are required to provide notice to the data subjects prior to the use of their personal data and to obtain the data subjects’ consent when their personal data is used for a new purpose. Accordingly, when the IoT device involves the collection and use of personal data, companies should ensure that it takes all practicable steps to notify the data subject of how their personal data will be used and in particular, the information required under DPP 1, including the purpose of collecting the personal data, the classes of transferees of the personal data, the right to request access and correction of the data, etc. Given that such notice shall be given on or before the collection of the personal data, companies engaged in IoT should ensure that the personal information collection statement is provided to the users prior to the collection of their personal data. In practice, this may be at the stage of the activation (or even purchase) of the device.

Recommendations on Ways to Provide Privacy Notice

In the FTC Report, it was noted that providing notice in the context of IoT devices can be challenging due to the ubiquity of data collection and practical obstacles in providing information when the IoT devices lack displays or user interfaces. In recognizing the constraints, the report has suggested other creative and novel ways of providing notice. Some options include providing notice at the point of sale; within the initial set-up wizard or in privacy dashboards (e.g. the Google Dashboard provides users with transparency and control over data associated with their Google account); developing video tutorials (e.g. Facebook offers a video tutorial to guide consumers through its privacy setting page); or affixing a QR code or similar barcode that, when scanned, would take the consumer to a website with information on the company’s privacy policy. Privacy notice can also be provided in a companion device, for example, on a paired smartphone instead of the IoT device.

For IoT devices that are not targeted at specific users, privacy notice would need to be provided through public channels. Examples of public channels include signs posted in public places and privacy beacons, which are small devices that can transmit data wirelessly to other devices nearby (e.g., Apple uses iBeacon technology throughout its retail stores).

Drones

Drones, which are unmanned aircraft controlled remotely by computers or individuals, are evolving rapidly. Drones can be highly privacy-intrusive when fitted with cameras and sensors. In this respect, the Hong Kong Privacy Commissioner has issued an updated guideline on the use of drones that suggests various ways to provide privacy notices to affected individuals, including the use of flash lights to indicate that recording is taking place, placing corporate logos and contact details on the drones, and announcing the drone operation in the affected area in advance. Apart from data privacy issues, there are also issues relating to security and safety over the use of drones, as evidenced in a recent arrest by the Shenzhen Police over a plot to use drones to disrupt a visit by a top Chinese politician in Hong Kong. These issues will need to be addressed by the government, sooner rather than later, before any disaster happens.

Conclusion

The IoT presents numerous opportunities and benefits, yet before such products and systems are widely embraced, legal issues such as data privacy and data security and other policy and technical challenges must be tackled. As the law will continue to catch up with the rapid development in technology, new regulations and guidelines will likely come into play to deal with the legal issues arising from the IoT. In the meantime, it is vital for IoT businesses to take proactive measures to minimize the potential legal risks and liabilities.