Consumers are increasingly using connected devices and smart technology that store information that can be connected to a person. This raises a number of issues, including privacy, security, software licensing and compliance with data protection legislation.

On April 11, 2016 the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPDjoined a global Privacy Sweep (sweep) exercise to examine privacy transparency relating to the Internet of Things (IoT) devices such as smart electricity meters, Internet-connected thermostats and wearables. Just as IoT brings new business opportunities, it raises new legal issues as devices compile an unprecedented volume and variety of personal data.

The PCPD is one of 29 of the Global Privacy Enforcement Network (GPEN) "privacy enforcement authorities" members who selected a type of device most appropriate for their jurisdiction. Hong Kong chose to examine how fitness bands produced in Hong Kong collect and use personal data, and how the device users are kept informed of privacy-related matters.

The GPEN has grown from 13 privacy enforcement authorities in 2010 to 59 authorities across 43 jurisdictions in 2015, with plans to further expand across Africa, Asia and South America.

Mr. Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong said that “Many IoT devices increasingly include functions such as tracking fitness and health, which means more personal data elements are being collected and shared across apps and other devices without the knowledge or consent of the consumers. It is important for companies engaged in these activities to make known to the consumers their personal data policies and practices, types of personal data they hold and how the data is used.”

The sweep exercise is expected to provide findings on the challenges and impact of privacy and data protection on IoT devices in general, and more specifically on fitness bands, the results of which will be made public in the third quarter 2016.

Concerns identified during the sweep may result in follow-up work to broaden awareness of data privacy rights and responsibilities, such as public education and promotion, outreach to organizations and/or enforcement actions.