Skip to content

Media Statements

Media Statement

Date: 15 April 2016

PCPD Joins a Global Sweep Exercise to
Examine the Privacy Transparency of Fitness Bands

(15 April 2016) The Office of the Privacy Commissioner for Personal Data, Hong Kong ("PCPD") has joined the Global Privacy Enforcement Network ("GPEN") to conduct a "Privacy Sweep" ("Sweep") from 11 April 2016, examining how the fitness bands collect and use personal data and how the device users are kept informed.1

Nowadays, consumers are gradually adopting the concept of connected devices and smart technology. These devices may gather and store information that could be personally identifiable, putting the spotlight on personal data privacy. The 2016 Sweep exercise seeks to look at the issue of data privacy relating to the Internet of Things (“IoT”) devices like smart electricity meters, internet-connected thermostats, wearables etc., to consider how well the privacy matters have been communicated to users. Each of the privacy enforcement authorities in the Sweep exercise has chosen a type of device most appropriate for their jurisdiction and the PCPD has chosen fitness bands produced in Hong Kong in view of their availability and ease of follow-up.

Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong ("Commissioner") said, “It is the fourth consecutive year that our Office has participated in this global exercise. The ‘Internet of Things’ certainly wins plenty of headlines in recent years. It offers exciting experience in life and generates business opportunities. At the same time, it helps compile an unprecedented volume and variety of personal data. Many IoT devices increasingly include functions such as tracking fitness and health, which means more personal data elements are being collected and shared across apps and other devices without the knowledge or consent of the consumers.”

The Commissioner continued, “It is important for companies engaged in these activities to make known to the consumers their personal data policies and practices, types of personal data they hold and how the data is used. Organisational data users, who can demonstrate their respect for personal data privacy would eventually earn reputation and trust from their customers. The Sweep exercise is expected to provide some findings on the challenges and impact of privacy and data protection on IoT devices in general, and more specifically on fitness bands.”

The results of the 2016 Sweep will be made public in the third quarter of this year. Concerns identified during the Sweep may result in follow-up work, such as public education and promotion, outreach to organisations and/or enforcement actions.

- End -

1 The GPEN was established to foster cross-border cooperation among privacy enforcement authorities. This year, 29 privacy enforcement authorities from around the world (full list at Appendix), including the PCPD, participated in the Sweep to broaden public and business awareness of data privacy rights and responsibilities, identify data privacy concerns which need to be addressed, and encourage compliance with data protection legislation. Similar exercises had been conducted since 2013 that looked at data privacy issues associated with online services for children, website privacy policies and mobile phone apps.

Appendix – List of Participants in the 2016 Sweep

Country/Region

Name of the Privacy Enforcement Authority

Albania Albanian Information and Data Protection Commissioner
Australia Office of the Australian Information Commissioner
Victoria, Australia Office of the Commissioner for Privacy and Data Protection, Victoria, Australia
Belgium Belgian Data Protection Authority
Nova Scotia, Canada Office for the Information and Privacy Commissioner for Nova Scotia
Canada Office of the Privacy Commissioner of Canada
Alberta, Canada Information and Privacy Commissioner, Alberta
British Columbia, Canada Office of the Information and Privacy Commissioner for British Columbia
Colombia Superintendence of Industry and Commerce of Colombia
Estonia Estonian Data Protection Inspectorate
France Commission Nationale de l'Informatique et des Libertés
Germany Federal Commissioner for Data Protection and Freedom of Information
Bavaria, Germany Bavarian Data Protection Authority
Berlin, Germany Berlin Commissioner for Data Protection and Freedom of Information
Hessen, Germany Data Protection Commissioner of Hessen
Gibraltar Gibraltar Regulatory Authority
Ireland Irish Data Protection Commissioner's Office
Israel Israeli Law, Information and Technology Authority
Italy Garante per la protezione dei dati personali (Italian Data Protection Authority)
Netherlands Dutch Data Protection Authority
Norway Norwegian Data Protection Authority
New Zealand Office of the Privacy Commissioner
Singapore Singapore Personal Data Protection Commission
Spain Agencia Española de Protección de Datos
South Korea Korea Internet & Security Agency
United States Federal Communications Commission
United States Federal Trade Commission
Hong Kong SAR, PRC Office of the Privacy Commissioner for Personal Data, Hong Kong
Macao SAR. PRC Office for Personal Data Protection