(15 April 2016) The Office of the Privacy Commissioner for Personal Data, Hong Kong ("PCPD") has joined the Global Privacy Enforcement Network ("GPEN") to conduct a "Privacy Sweep" ("Sweep") from 11 April 2016, examining how fitness bands collect and use personal data and how device users are kept informed.[1]
Consumers are gradually adopting connected devices and smart technology. These devices may gather and store information that could be personally identifiable, putting the spotlight on personal data privacy. The 2016 Sweep exercise looks at data privacy in relation to Internet of Things (“IoT”) devices such as smart electricity meters, internet-connected thermostats and wearables, and considers how well privacy matters have been communicated to users. Each of the privacy enforcement authorities in the Sweep exercise has chosen a type of device most appropriate for its jurisdiction, and the PCPD has chosen fitness bands produced in Hong Kong in view of their availability and ease of follow-up.
Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong ("Commissioner") said, “It is the fourth consecutive year that our Office has participated in this global exercise. The ‘Internet of Things’ has certainly won plenty of headlines in recent years. It offers exciting experience in life and generates business opportunities. At the same time, it helps compile an unprecedented volume and variety of personal data. Many IoT devices increasingly include functions such as tracking fitness and health, which means more personal data elements are being collected and shared across apps and other devices without the knowledge or consent of the consumers.”
The Commissioner continued, “It is important for companies engaged in these activities to make known to the consumers their personal data policies and practices, types of personal data they hold and how the data is used. Organisational data users who can demonstrate their respect for personal data privacy would eventually earn reputation and trust from their customers. The Sweep exercise is expected to provide some findings on the challenges and impact of privacy and data protection on IoT devices in general, and more specifically on fitness bands.”
The results of the 2016 Sweep will be made public in the third quarter of this year. Concerns identified during the Sweep may result in follow-up work, such as public education and promotion, outreach to organisations and/or enforcement actions.
- End -
[1] The GPEN was established to foster cross-border cooperation among privacy enforcement authorities. This year, 29 privacy enforcement authorities from around the world (full list at Appendix), including the PCPD, participated in the Sweep to broaden public and business awareness of data privacy rights and responsibilities, identify data privacy concerns which need to be addressed, and encourage compliance with data protection legislation. Similar exercises have been conducted since 2013, looking at data privacy issues associated with online services for children, website privacy policies and mobile phone apps.
Appendix – List of Participants in the 2016 Sweep
Country/Region | Name of the Privacy Enforcement Authority |
---|---|
Albania | Albanian Information and Data Protection Commissioner |
Australia | Office of the Australian Information Commissioner |
Victoria, Australia | Office of the Commissioner for Privacy and Data Protection, Victoria, Australia |
Belgium | Belgian Data Protection Authority |
Nova Scotia, Canada | Office for the Information and Privacy Commissioner for Nova Scotia |
Canada | Office of the Privacy Commissioner of Canada |
Alberta, Canada | Information and Privacy Commissioner, Alberta |
British Columbia, Canada | Office of the Information and Privacy Commissioner for British Columbia |
Colombia | Superintendence of Industry and Commerce of Colombia |
Estonia | Estonian Data Protection Inspectorate |
France | Commission Nationale de l'Informatique et des Libertés |
Germany | Federal Commissioner for Data Protection and Freedom of Information |
Bavaria, Germany | Bavarian Data Protection Authority |
Berlin, Germany | Berlin Commissioner for Data Protection and Freedom of Information |
Hessen, Germany | Data Protection Commissioner of Hessen |
Gibraltar | Gibraltar Regulatory Authority |
Ireland | Irish Data Protection Commissioner's Office |
Israel | Israeli Law, Information and Technology Authority |
Italy | Garante per la protezione dei dati personali (Italian Data Protection Authority) |
Netherlands | Dutch Data Protection Authority |
Norway | Norwegian Data Protection Authority |
New Zealand | Office of the Privacy Commissioner |
Singapore | Singapore Personal Data Protection Commission |
Spain | Agencia Española de Protección de Datos |
South Korea | Korea Internet & Security Agency |
United States | Federal Communications Commission |
United States | Federal Trade Commission |
Hong Kong SAR, PRC | Office of the Privacy Commissioner for Personal Data, Hong Kong |
Macao SAR, PRC | Office for Personal Data Protection |