
In Hong Kong, the HKSAR Government (the “Govt”) announced plans to conduct pilot studies of building a Smart City with the Internet of Things (IoT) and fifth-generation (5G) mobile networks as early as 2015. The idea behind the Govt’s Smart City Blueprint is that 5G mobile networks would play a pivotal role in its smart city development by facilitating ultra-high-speed, ultra-reliable and low-latency communications, and by provisioning network capacity for large-scale device-to-device communication that would ultimately enable scalable implementation of IoT devices and services across the city.
While the Govt has stated that its Smart City Blueprint is people-centric, with its core missions heavily focused on a higher quality of living, business prosperity and eco-friendliness, it failed to address growing concerns with cybersecurity and personal data protection that come with the adoption of IoT.

Issues with IoT
It is often said that the technology at this stage is vulnerable to hacking, as it opens channels for unwanted surveillance. Such arguments should not be hastily dismissed, as they have recently found solid ground: these concerns have been echoed and acknowledged by the US Department of Homeland Security (DHS), which viewed IoT as a serious matter of national security.
Considering that IoT is the cornerstone of the Govt’s ‘Smart City Blueprint’, and that it has been five years since the project was conceived, with Hong Kong paving its way for mass implementation of IoT applications, there appears to be an oversight or a lack of consideration given to the potential cybersecurity and data risk consequences of widespread IoT usage in its current form.
One major obstacle to achieving a cybersecurity and data protection utopia is that these devices were never developed with the safety or security of data at the core of their designs. Current industry practices dictate that IoT devices are designed to have the bare minimum computational power needed for their tasks and therefore, by their nature, generally lack the computational power needed to run cybersecurity software. However, as consumers grow and improve their understanding of the cybersecurity and personal data risks that come with the adoption and usage of IoT, there will come a time when current industry practices and IoT standards no longer satisfy the demands of the market.
Security Through Regulation and Licensing
To increase the incentive to change industry practices and improve the practicality of built-in cybersecurity features in IoT products, major changes are required to regulate the industry in terms of design, manufacturing, and consumption.
Earlier this year, the UK Government unveiled a possible new regulatory regime aimed at mitigating security risks associated with IoT by changing the way these products are produced, retailed, and supported throughout their lifetime. If successfully legislated, IoT manufacturers must abide by the following requirements:
- IoT devices must each have their own unique passwords that cannot be reset to a universal factory setting;
- IoT manufacturers must set up a public point of contact for consumers to report flaws in their purchased products; and
- IoT manufacturers must explicitly state, at the point of sale, the minimum length of time the device will continue to receive security updates.
Separate from the above, optional legislation under the proposed regulatory plan invokes a mandatory labelling system that requires IoT manufacturers to self-assess and implement a security label on their individual IoT products.
The developments in the UK are certainly exciting, yet should Hong Kong enact a similar regulatory regime so as to acclimatize to the latest IoT landscape?

Current IoT Regulation in Hong Kong
At present, there is no specific legislation on IoT in Hong Kong. Most of the issues relating to IoT are dealt with by existing law.
For example, in terms of data protection, the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) applies to IoT developers who collect personal data from their users. Under the current Data Protection Principle (4) (“DPP4”), all practicable steps shall be taken to ensure that personal data held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use, having particular regard to, among other things, any security measures incorporated into any equipment in which the data is stored.
In addition, if the IoT developer engages a data processor (whether within or outside Hong Kong) to process the data on the data user’s behalf, the IoT developer (as a data user) must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing (DPP4 (2) of PDPO).
It is important to note that contraventions of the DPPs do not constitute an offence in themselves; however, the Privacy Commissioner for Personal Data (PCPD) may serve an enforcement notice on the IoT developer (as a data user) requesting it to rectify or remedy any data-related issues. If the IoT developer contravenes an enforcement notice, the IoT developer commits an offence and is liable to a fine of HK$50,000 and to imprisonment for two years, or for a second or subsequent conviction, a fine of HK$100,000 and imprisonment for two years (s.50A(1) of the PDPO).
Code of Practice on the Operation and Management of IoT Devices
Although there is no specific IoT legislation in Hong Kong, the Communications Authority (CA) in Hong Kong announced on 1st December 2017 the creation of a new licensing regime for the provision of IoT platforms and service providers providing wireless connections for their customers to connect IoT devices to the public telecommunications networks using the shared frequency band of 920-925 MHz, with a view to underpinning the preparation of Hong Kong for embracing the new era of IoT and 5G mobile services, as well as various smart city applications. So far, three IoT licences have been issued.
Furthermore, the CA has also issued a Code of Practice on the Operation and Management of IoT Devices (“CoP”) to provide practical guidance to WIoT licensees in respect of the provision of satisfactory service and the protection and promotion of the interests of consumers of telecommunications goods and services.
The CoP was developed for the operation and management of IoT devices connected to public telecommunications networks to:
- ensure the provision of satisfactory service by IoT service providers;
- enhance user protection;
- improve user confidence in using IoT devices connecting to public telecommunications networks; and
- serve as a reference for non-telecommunications licensees (such as device manufacturers, vendors, application developers) in formulating requirements and practices regarding the operation and management of IoT devices/services.
It is important to note that the CoP is merely a ‘best practice’ guide for IoT service providers to observe on a voluntary basis. For non-telecommunications licensees such as device manufacturers, vendors, and application developers who may supply and deploy IoT devices in the telecommunications and other business sectors (e.g. personal, leisure, household, transport, medical or financial sectors), the CoP only serves as a reference to assist in formulating suitable requirements and practices regarding the operation and management of IoT devices/services (para. 3 of the CoP).
Out of the CoP’s ten recommended best practices, the following are worth highlighting (para. 5 of the CoP):
- unique usernames and strong passwords should be adopted for IoT devices;
- users should be provided with a point of contact to report security issues;
- the software of the IoT devices should be updated in a timely manner, and updates should not impact the functions of the devices;
- sensitive data should be stored securely in the IoT devices to prevent unauthorized access and modification; and
- personal data should be protected in accordance with the PDPO.
The CoP also recommends that IoT service providers should regularly conduct assessments of potential risks associated with their daily operation and management of IoT devices (para. 6 of the CoP).
The recommendations are mostly aligned with the UK’s proposed regulatory regime, and the CA has also taken reference from the UK’s Code of Practice for Consumer IoT Security when designing the CoP. However, we must stress that as the CoP is merely a ‘best practice’ reference for IoT device manufacturers, the CoP is not legally binding.
Moreover, the CA’s IoT licensing regime only applies to wireless IoT service providers and does not apply to IoT device manufacturers; it may be too narrow in terms of scope and is likely to be inadequate in addressing the specific issues concerning IoT highlighted above.
Govt’s Review of Telecommunications Regulatory Framework
Apart from the CA’s IoT licensing regime and the CoP, the Govt’s Commerce and Economic Development Bureau (“CEDB”) completed a public consultation on the Review of Telecommunications Regulatory Network (RTRN) in February 2019.
The RTRN aims to review the telecommunications regulatory framework under the Telecommunications Ordinance (Cap. 106) (“TO”) to ensure that it is in line with the development of telecommunications technologies such as 5G and IoT.
The CEDB has put forward four recommendations, namely:
- to regulate telecommunications functions of devices in the 5G and IoT era through the TO and CA;
- to protect underground telecommunications infrastructure by introducing criminal liabilities for negligent damage;
- to streamline the mechanism for issuing non-carrier licences; and
- to expand the scope of the CA’s decisions made under the TO which may be dealt with by the proposed appeal mechanism.
Although the RTRN provides better regulatory direction in developing the technological infrastructure in Hong Kong, it is nevertheless disappointing to note that the RTRN has not adequately dealt with the specific security and data privacy issues relating to IoT devices.
Concluding Remarks
Could a secure, IoT-enabled Smart City future be safeguarded through a comprehensive licensing regime? Or could it be achieved through an additional product-centric liability proof scheme? These are some of the ‘tip of the iceberg’ issues that stakeholders in Hong Kong should start thinking about.
Lawmakers in Hong Kong should also start thinking about how the specific issues relating to IoT security and data protection can be addressed, for example through a highly enforceable robust framework or a government-backed licensing regime.
Should Hong Kong enact similar legislation to the UK regulatory regime? It may be possible for lawmakers to introduce similar regulation that acclimatizes to the current tech landscape in Hong Kong. Yet, as many IoT manufacturers are located in the PRC, with Hong Kong merely contributing as an IoT retail and service hub, it is difficult to assess whether such a regulatory regime would be effective.