Those involved in the IoT industry in Asia should take note that data protection compliance can no longer be ignored in favour of rapid technological and market opportunities. Even though many data protection laws – including in Hong Kong – were drafted in the days of filing cabinets, cutting edge technologies in today’s digital world must operate within the existing compliance frameworks.

Hong Kong’s Privacy Commissioner for Personal Data (“PCPD”) is the latest privacy authority – and one of the first in the Asia Pacific region – to study and make recommendations on privacy protections amid rapid developments in the Internet of Things (“IoT”). A local study last year by the PCPD highlighted that IoT device manufacturers and associated app designers in the local market were not adequately notifying device users of data privacy and security rights and measures.

The new, non-binding but persuasive guidance in particular recommends:

  • Improved and accessible data protection notices: a reader-friendly privacy policy should be provided and easily located, containing all information required to be provided under Hong Kong’s data protection laws. Clearly the task of making a data privacy notice readily available in the context of machines talking to each other is more challenging, but cannot simply be ignored.
  • Adopting “privacy by design” from the outset, including as regards data collection (not being excessive) and data security (incorporating appropriate safeguards when transmitting and storing personal data). While this is recommended for all new projects across all industries, many data protection authorities consider this a “must” for new technologies such as IoT and will – if a complaint were made – question why privacy was not taken into account during the initial design phase.
  • Adopting “privacy by default”, namely adopting default settings which are least privacy intrusive. This includes not being excessive in data collection. For example, an IoT manufacturer should offer opt-out choices if its supporting mobile app would access data in the user’s smartphone that is not directly relevant or necessary; or, preferably, engineer the system from the outset so that only directly relevant or necessary data is collected.
  • Allowing data subjects to exercise their rights, including providing clear instructions to allow users to delete data, as well as contact details to allow access/correction of personal data etc. Again, this can be more challenging in the IoT environment but, just because a system involves limited human interaction, the PCPD has made clear that an individual’s right to enquire about how their personal data is handled must be recognised and acted upon.

The UK Government has today published a white paper setting out its approach to the forthcoming negotiations on exiting the European Union, and its vision for a ‘post-Brexit’ settlement. In a chapter entitled ‘Ensuring free trade with European markets’, the white paper outlines the Government’s intention to retain data protection standards in the UK which are equivalent to those in the EU.

The free flow of data between the UK and continental Europe is an important foundation of cross-border trade, and a fact of life for many UK and EU businesses and consumers. EU law, both in its current form through Directive 95/46/EC, and in the General Data Protection Regulation (“GDPR”), which will apply from May 2018 onwards, restricts the transfer of personal data from the EU to ‘third countries’ which do not have a level of data protection recognised as equivalent by the European Commission. This is expressly addressed in the white paper, which commits the Government to seek a solution which preserves stable data transfers between the UK and EU once the UK officially becomes a third country:

8.39 The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.

8.40 As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.

Whilst an equivalency decision is not specifically referred to as the Government’s goal, this is a strong indication that the UK is not planning to deviate significantly from the GDPR standards which it will adopt, whilst it is almost certainly still a member of the EU, in May 2018.

The statements contained in the white paper are the latest in a line of public pronouncements which have helped to give a degree of clarity and reassurance around the UK Government’s plans for data protection law in the UK in the wake of Brexit. In her first speech as the new Information Commissioner in September 2016, Elizabeth Denham talked about the ‘fundamental importance’ of data flows between the UK and the EU, and about the need for consistency of law and standards. More recently, the UK’s Data Protection Minister, Matt Hancock, confirmed in evidence given to the House of Lords Home Affairs sub-committee that (i) the UK will implement the GDPR in full in May 2018; and (ii) as and when the UK re-evaluates its legal framework post-Brexit, it needs to prioritise data sharing with international partners.

Given the potential for upheaval caused by Brexit across a whole range of areas which are based, directly or indirectly, on EU law, it is encouraging to be given an indication that the UK is leaning towards a strategy of stability and equivalence in the field of data protection. The GDPR represents a once-in-a-generation change in data protection and privacy law, which the UK Government, the ICO and businesses have been gearing up to for several years. The inference from these latest statements is that that preparation will not be in vain, and that the broad framework of the GDPR will be the basis for UK data protection law both in sixteen months’ time, and in the eventual post-Brexit landscape.