Media Statements

Date: 24 January 2017

Privacy Commissioner Urges IoT Manufacturers to
Enhance the Transparency of Their Privacy Protection Measures

(24 January 2017) Manufactures of fitness bands, and by inference, Internet of Things ("IoT") devices, need to improve their communications to consumers in terms of their privacy and security protection measures, according to a study conducted by the Office of the Privacy Commissioner for Personal Data, Hong Kong ("PCPD").

"We note that fitness bands and similar IoT devices are increasingly popular in Hong Kong. It is expected that more businesses, including start-ups, may enter the market in future. By conducting this study, the PCPD aims to explore the privacy challenges and implications brought by the fitness bands so as to raise the privacy awareness of the device manufacturers. We also want to educate the users of these devices on how to protect their personal data," said Mr Stephen Kai-yi WONG, Privacy Commissioner for Personal Data, Hong Kong ("Privacy Commissioner").

The study was also part of the Sweep exercise of the Global Privacy Enforcement Network ("GPEN"). Similar to the global findings, the results of the Hong Kong's study showed a general lack of awareness amongst IoT device manufacturers of communicating privacy and security protection measures to consumers. The Privacy Commissioner therefore urged manufacturers engaged in the development of IoT devices to improve their privacy communications so that consumers can assess the privacy impact and take necessary steps to protect their personal data. "While the IoT devices can enhance the quality of people's daily lives, they also trigger privacy concerns in this Big Data era as they have the ability to collect, generate and analyse data about their users. The manufacturers therefore should adopt "Privacy by Design" and "Privacy by Default" when they proceed to develop the devices and the associated mobile applications ("apps") with a view to protecting and respecting consumers' personal data. The trust and business reputation amongst consumers would then be built and enhanced, generating more business opportunities in return," Mr Wong said.

The Findings of the Study

The study was carried out during April to June 2016. The PCPD examined five locally manufactured fitness bands and their apps. Key findings were as follows:

1. Only two out of the five devices examined (40%) were supplied with a privacy policy explaining how personal data was handled by the manufacturers. This figure was similar to the global figure of 41%.
2. None of the five device manufacturers informed consumers where they would store the collected personal data and whether they would use third-party vendor to store the data. Globally 32% of the devices examined provided the information.
3. Only one out of five device manufacturers (20%) committed to consumers in its privacy policy that it would safeguard the collected personal data. This figure is much lower than the global figure of 51%.
4. Also only one out of five device manufacturers (20%) provided information to consumers on how they may delete personal data collected in the fitness band and by the manufacturer. Globally 28% of the devices examined provided the information.
5. Only two out of five devices (40%) were supplied with information for consumers to contact the manufacturers for privacy-related matters. This figure is much lower than the global figure of 62%.

PCPD's Recommendations

Based on the findings of this Sweep exercise, the Privacy Commissioner issues a new Infographic entitled "Protect, Respect Personal Data – Smart Use of Internet of Things" that provides the following six tips for users of IoT devices on how to control their own personal data privacy when using IoT devices:

1. Read the Privacy Policy – Before making purchase of IoT devices, read the privacy policy carefully to understand what information will be collected, why the collection is necessary and how the information will be used, disclosed and / or shared;
2. Use Separate User Accounts – Use a separate email address to register for separate accounts of IoT, and avoid linking your IoT device accounts with other private ones (such as your social media account);
3. Examine the Privacy Settings – Examine and understand the privacy implications of default settings in IoT devices. If in doubt, start with not sharing or uploading information and change appropriate settings;
4. Set Strong Password – Never use default username and password for your IoT devices. Instead, you should set a complex password which is difficult to guess (e.g., do not use your name or date of birth as password);
5. Update Firmwares and Install Security Patches Timely – Update and patch the firmware of your IoT devices regularly. Make sure firmwares and security patches are downloaded from trusted websites (such as the official product website); and
6. Purge the Personal Data Before Disposal or Resale – Before you dispose of or resell your IoT devices, delete the user account information and other personal data stored in the devices.

The PCPD also recommends manufacturers of IoT devices to:

1. provide privacy policy to consumers by using simple language, and help them locate important information easily;
2. state clearly in the privacy communications the types of personal data to be collected, the purposes of collection, the potential transferees of the personal data, and the security measures adopted to safeguard the personal data;
3. adopt "Privacy by Design" and minimise data collection;
4. adopt the least privacy intrusive default settings (i.e. "Privacy by Default") for the IoT devices and the associated app;
5. incorporate sufficient security safeguards to protect the personal data in transmission and in storage;
6. offer opt-out choice to users if the related apps would access data that is not directly relevant to the core functions of the IoT devices (e.g., location data, phone book, etc.);
7. provide clear instructions to users for erasing their personal data stored in the IoT devices, the related app and in storage elsewhere (e.g., the backend servers of the manufacturers); and
8. provide contact information (e.g., contact person, telephone number, email address, office address) for users to pursue privacy-related matters, and provide timely responses to them.

To download the study report, please click here:
www.pcpd.org.hk/english/resources_centre/publications/surveys/files/sweep2016_e.pdf