Those involved in the IoT industry in Asia should take note that data protection compliance can no longer be ignored in favour of rapid technological and market opportunities. Even though many data protection laws – including in Hong Kong – were drafted in the days of filing cabinets, cutting edge technologies in today’s digital world must operate within the existing compliance frameworks.

Hong Kong’s Privacy Commissioner for Personal Data (“PCPD“) is the latest privacy authority – and one of the first in the Asia Pacific region – to study and make recommendations on privacy protections amid rapid developments in the Internet of Things (“IoT“). A local study last year by the PCPD highlighted IoT device manufacturers and associated app designers in the local market were not adequately notifying device users of data privacy and security rights and measures.

The new, non-binding but persuasive guidance in particular recommends:

• Improved and accessible data protection notices: a reader-friendly privacy policy should be provided and easily located, containing all information required to be provided under Hong Kong’s data protection laws. Clearly the task of making a data privacy notice readily available in the context of machines talking to each other is more challenging, but cannot simply be ignored.
• Adopting “privacy by design” from the outset, including as regards data collection (not being excessive) and data security (incorporating appropriate safeguards when transmitting and storing personal data). While this is recommended for all new projects across all industries, many data protection authorities consider this a “must” for new technologies such as IoT and will – if a complaint were made – question why privacy was not taken into account during the initial design phase.
• Adopting “privacy by default”, namely adopting default settings which are least privacy intrusive. This includes not being excessive in data collection. For example, a IoT manufacturer should offer opt-out choices if its supporting mobile app would access data in the user’s smartphones that is not directly relevant or necessary; or, preferably, engineer the system from the outset so that only directly relevant or necessary data is collected.
• Allowing data subjects to exercise their rights, including providing clear instructions to allow users to delete data, as well as contact details to allow access/correction of personal data etc. Again, this can be more challenging in the IoT environment but, just because a system involves limited human interaction, the PCPD has made clear that an individual’s right to enquire about how their personal data is handled must be recognised and acted upon.