Seven Major Data Compliance Challenges in IoT Edge Computing

Source: On August 6, 2022, the Global Edge Computing Conference in Shenzhen, organized by the Edge Computing Community, concluded successfully. At the conference, Wang Jie, Executive Director of Kenting (Guangzhou) Law Firm, was invited to give a speech titled “Edge Computing – Seven Major Data Compliance Challenges in IoT Scenarios.”

Speaker: Wang Jie, Executive Director of Kenting (Guangzhou) Law Firm

Edited by: Xiamen University Volunteer Mutual Aid Group

Produced by: Edge Computing Community

Wang Jie: I am honored to share legal-related content with you today at the Global Edge Computing Conference. I am fortunate to have worked at a large internet platform early in my career, and currently, my law firm is also fully focused on internet law services, which has allowed me to pay continuous attention to internet-related issues throughout my career.
Today, I will share the topic of Edge Computing & IoT in Personal Information and Privacy Data Protection, which consists of three main parts.

1

Privacy Issues in Edge Computing and IoT

Many may find the law to be a rather obscure subject. I believe that all legal texts are written for ordinary people and serve every individual. The key is to identify specific legal relationships during the application of technology and to break down the risks involved. First, let’s look at the privacy-related issues in edge computing and IoT.
The left image is from “Privacy Issues in Edge Computing”
First, one of the largest application scenarios for edge computing is IoT. Many smart homes and smart mobile devices utilize edge computing technology. We know that cloud servers are usually located in data centers far away from many end users, while edge servers are closer to the terminal devices, aiming to ensure high bandwidth and low latency. Here, terminal devices usually communicate with these edge servers to obtain quick responses, and privacy-related issues often occur at this point. What privacy-related issues can arise?
We need to distinguish between two concepts: privacy and personal information are different. Privacy emphasizes the right of every individual to live in peace, free from interference in their private life. On the legal level, personal information focuses more on which personal information fields have been collected and whether the rights of the individual can be effectively protected. After an operator collects my information, how do they process, use, and store my information? How do they share and provide my personal information to third parties? Can my personal information be better protected?
In the field of edge computing, there are three major privacy issues to note.
First is the data privacy issue. Data transmission between terminal devices and edge servers is relatively difficult to control compared to data centers, as edge servers are not subject to many strict requirements, making it easy to cause privacy breaches.
Second is the location privacy issue, which refers to the user’s location privacy concerning edge servers. Edge devices usually connect to the geographically closest edge servers to complete offloading tasks, etc. This can easily lead to others inferring the user’s geographical information, and geographical location information is considered sensitive personal information, making user behavior information prone to leaks.
Third is the identity privacy issue. When we connect to edge servers, users submit their personal information, which is ultimately linked to their identity. For example, when I use a terminal device and make a payment, my personal information such as my real-name authentication information will be recorded, which can easily lead to personal information leakage.
Edge computing can greatly empower IoT. How do legal professionals perceive IoT?
IoT is the interconnection of all things. We can further understand it by breaking down the concept into five key points: connection carrier, connection medium, connection object, connection behavior, and connection purpose. By linking them together, it’s easy to understand that IoT connects various physical objects through various information devices using the internet, enabling automatic information exchange for the positioning, tracking, monitoring, and management of different objects.
The image above is a screenshot from the national standard guide “Information Security Technology Network Security Level Protection Basic Requirements,” showing how legal professionals view IoT, mainly divided into three layers: perception layer, network transmission layer, and application layer, each of which may encounter data security issues.
In the perception layer, we interact with physical devices, which may involve collecting personal information. When devices collect users’ personal information, user consent must be obtained, and information cannot be collected arbitrarily. However, in IoT scenarios like smart homes, it is often difficult to have an interactive interface to obtain user consent. What can be done? This is a problem that needs to be explored and resolved. The network transmission layer involves the storage, querying, analysis, and access of sensing data, which relates to data security and network security.
Finally, in the application layer, data collected through the perception layer undergoes intelligent processing, mining, analysis, and utilization. This data becomes “oil,” which is very valuable. What rules must be followed during the processing? This is also a concern of the law. Our country has introduced many standard guidelines that detail requirements in the level protection of the network transmission layer, application layer, and perception layer.

2

Seven Major Data Compliance Challenges in IoT Scenarios

Today, we will mainly discuss data issues, summarizing several major compliance challenges worth noting in IoT scenarios.
First is the issue of subject consent. This point is relatively easy to understand. For example, if we ask someone for something, we need to respect their will and see if they allow us to collect it. Secondly, you need to know who I am. Our country’s laws clearly state that when collecting personal information from users, a privacy policy must be present, clearly stating who you are, i.e., which company is the personal information processor. If there are multiple personal information processors, each identity must be clarified in the privacy policy.
Many companies cleverly collect information through blanket consent. However, the law is also smart and clearly specifies how to obtain valid consent, such as not allowing implied consent, requiring active selection of consent, and ensuring that the consent given by users is explicit, informed, and voluntary, without coercion. Users should not be forced to agree to certain additional features that affect the use of other basic functions.
Another important point to note is that many times, our products are updated rapidly, and functions may change. At this point, the scenarios and methods of personal information collection may also change, requiring renewed user consent. Why emphasize the issue of consent? Because the state is very concerned about the rights of each data subject. As data subjects, we have rights to access, view, delete, modify, and obtain copies of our data. When I do not want devices to collect my information, I can withdraw my consent, and I can also request operators to delete or even destroy my information. This process emphasizes the exercise of personal rights.
The second major issue is the frequent occurrence of over-collection. Over-collection refers to collecting any personal information without regard to relevance to the function’s purpose. For example, does it make sense for an English learning app to collect your geographical location? Whether it is reasonable depends on the context. If the main function of the English learning app is to learn English, it does not need to collect my geographical location. However, if I create a scenario where this is an English service app that helps me find nearby English learning institutions or match me with teachers, then collecting my geographical location based on this reason can be considered reasonable from a contextual perspective.
Therefore, when collecting personal information, it is important to ensure that the collection is closely related to the realization of the product and service functions and that there is a necessary and direct relationship to meet the country’s principles of minimum necessity and purpose realization.
Another point to consider is the frequency of information collection, whether it is high-frequency or low-frequency, and how often can it be collected again. The law has clear regulations requiring that the frequency of personal information collection should be the lowest possible. However, how to define the lowest frequency is indeed a point of discussion. We believe that efforts should be made to minimize the frequency of prompts asking for user consent, and there should be a certain time interval before requesting consent again. Regarding the minimum quantity, it means that only enough personal information should be collected to achieve the product’s functional purpose, without excessive collection. Excessive collection may lead to redundant information that may not have significant value or use, potentially creating issues for oneself; more data is not necessarily better.
When collecting information, the law distinguishes between general personal information and sensitive personal information. If sensitive personal information is involved, for example, facial recognition or fingerprint information collected by sensing devices, the law clearly states that separate consent is required. What does separate consent mean? It distinguishes between separate consent and bundled consent. For example, if a product suddenly needs to collect my facial information, according to existing compliance requirements, a pop-up window must be presented to obtain my separate authorization. For instance, when using Alipay for payment, the facial payment verification function will provide a separate pop-up prompt rather than obtaining blanket consent through a privacy policy when entering the product.
It is difficult to obtain user consent at the perception level. What can be done? A pop-up window or a separate page notice. For example, in the case of Mijia, there is a clear interface requiring users to actively select the privacy policy, with text explaining why information is collected and what information is collected. It will also explain each permission trigger. For instance, when I need to enable camera permissions, it clearly states why camera permissions are needed, to allow for scanning. If I no longer want to authorize it, it also provides a clear path to cancel authorization and explains how the company ensures data security, detailing the data security measures taken by the company. This way, as users, we can feel more secure when using devices or products.
Image: From Lian Stone Network
When discussing data processing, we cannot avoid discussing data localization and cross-border transmission. Localization is one of the clear requirements set by our country. First, let’s briefly introduce the laws related to personal information protection in our country. The laws related to personal information protection are among the fastest legislative fields in our country. You can clearly feel that the Cybersecurity Law, National Security Law, Personal Information Protection Law, and Data Security Law have been closely introduced in recent years, each accompanied by many guidelines. I once compiled a legal compilation on personal information and data security compliance that spanned over 2000 pages. We often joke that being a lawyer is tough, and being a data compliance lawyer is even tougher because we often end up losing a lot of hair (If you need relevant legal compilation documents, please contact me for a copy, my WeChat is at the end).
Our country clearly requires three situations where personal information must only exist within mainland China, such as when national organs process personal information or when key information infrastructure operators do so. If you are neither a national organ nor a CIIO but reach a certain specified number, you also need to store information domestically. We need to determine whether we fall within the scope of subjects that must carry out localized storage, assess whether there is indeed a necessity to provide information abroad, and if so, further determine whether a personal information protection impact assessment has been conducted and whether a national security assessment has been passed. Currently, we have several localized storage solutions. I will introduce a few from a legal perspective. The first is real-time data localization, for example, I have two ports; when collecting data, part is stored domestically while I have an overseas port where this data is simultaneously stored on overseas servers. Is this permissible? The second is delayed data localization, meaning data is initially stored abroad and then synchronized domestically after a period of time, achieving domestic storage requirements. Is this permissible? Both methods have their issues. The first method, relative to turning on the tap without dividing it, does not classify this information, making it impossible to distinguish between the types of entities that must store data domestically. Delayed localization storage also presents regulatory issues, as it becomes a matter of sending data out first and then bringing it back, failing to achieve the legislative goal of protecting the rights of the subjects involved. For important data related to public interests such as water resources and energy, it is essential to determine whether data can be sent out before deciding to allow it to leave.
Distinguishing regulatory data localization is a relatively compliant approach, i.e., when data is sent out, a switch is designed to determine whether the information falls within the previously mentioned categories. If it does, the legal requirements for assessment and processing must be followed; if it does not, other compliant paths for data outbound must be considered. When data is transmitted abroad, it must also comply with relevant legal requirements regarding data outbound. The issue of data outbound is currently a hot topic of discussion in the legal community. I recently wrote a compilation of 100 questions regarding data outbound compliance, summarizing various issues that need to be considered. If you are interested, please follow the Overseas Internet Legal Observation WeChat account for updates.
When discussing data outbound, I want to emphasize two points. First, how to understand the issue of outbound. This “outbound” is not only the process of crossing physical boundaries but also involves crossing judicial jurisdiction areas. For instance, if information is transmitted from mainland China to Hong Kong, does this count as outbound? Since Hong Kong is an independent jurisdiction, transmitting data to Hong Kong is also considered outbound. Another example is if overseas employees access domestic servers, does this count as outbound? It does count. Internal transmissions within multinational groups also count as outbound. The law provides detailed regulations on this, which I won’t elaborate on today due to time constraints.
The Data Security Assessment Measures will be implemented on September 1 this year, bringing a lot of work to many corporate legal departments or external consultants. First, we need to determine whether we fall within the scope of those required to conduct security assessments. Secondly, we need to pay attention to when to conduct assessments, how to report them, and what materials to submit.
A key goal is to protect personal information and privacy security, making data protection impact assessments extremely important. Under what circumstances is a data impact assessment necessary? Our Personal Information Protection Law clearly states that processing sensitive information, automated decision-making information, and using algorithmic mechanisms requires assessments. For example, when we commission a third party to analyze and process information, this is also a situation that requires an impact assessment. Additionally, situations involving sensitive information and personal information processing activities that have a significant impact on individual rights also require assessments.
Lastly, information leakage is a concern throughout this process. We are all security experts here, and I want to express that information leakage can occur at any stage. We need to focus on which links require compliance or what legal requirements must be observed. For example, in the usage phase, there should be separate consent. Can you achieve separate consent? Can you meet the minimum legal compliance standards? For instance, during storage and transmission, many national standards clearly require encryption and desensitization. There are also accompanying national guidelines specifying the level of encryption required to meet industry standards. Additionally, regulations exist regarding how long to store, when to delete, how to delete, and to what extent it should be deleted. Beyond deletion, additional destruction actions are also required. For example, how should paper documents be disposed of? Should they be burned, and how should the process be documented? Who should supervise? These details are all specified in detail.
Taking smart home devices as an example, we can review several stages we just encountered. Many smart home devices find it challenging to obtain user consent. In households with children, children’s information is also critical. The state has specifically introduced laws to protect minors’ personal information, particularly children’s. For instance, determining who the guardian of a child is can be a challenge. There is also the risk of covertly collecting personal information, which can lead to leaks and attacks. For example, cameras installed in homes may collect children’s facial information, and if the device malfunctions, corresponding sensitive personal information may be leaked, posing significant risks.

3

How to Achieve Data Compliance in IoT

Finally, I would like to share how to achieve data compliance in IoT. This topic is extensive, and when we train clients, we discuss it in detail. However, due to time constraints today, I will summarize three points, mainly three steps: first, create a compliance checklist; second, estimate and analyze risks; third, conduct comprehensive testing and build a management system. Creating a compliance checklist helps the company better organize internal information without adding a burden; rather, it facilitates faster business operations. For instance, we previously mentioned that if important data and personal information fall into areas impacting military security, water resources, culture, and society, compliance requirements become very high.
Additionally, personal information is divided into general personal information and sensitive personal information. Legal documents regarding personal information security standards clearly define this in appendices, such as the table defining what constitutes sensitive personal information. Of course, devices collecting this information must be particularly cautious. The second point is to conduct a risk estimation and analysis. For example, smart vehicles can be seen as super apps, connecting numerous devices and involving various information, including in-vehicle driving information, passenger information, and external camera footage of pedestrians. In such a complex interactive environment, it is easy to identify data risks, primarily through risk estimation and proactive avoidance. How to conduct risk estimation and proactive avoidance is related to the establishment of a testing system.
Note: The above images contain some content referenced from publicly available online resources, previously published laws, regulations, and appendices.
(PPT) On the left and right sides are the protection rules. One side is the basic rules for personal information protection determined by the law, which is for legal professionals to address. The key on the right side is the basic principles of privacy design, which we must pay attention to during the product development and design process. From the beginning of development, it is crucial to consider whether this information can be collected and what scenarios it can achieve. If planning is not done in advance and the product is designed first, then the legal and security teams must communicate later to make changes, which can be quite painful.
(PPT) Above are the established compliance goals for enterprises, and below is the need for organizational environmental support, with the entire enterprise needing to strongly support data protection. We can adopt the PDCA approach. Apple’s user privacy protection is its biggest selling point, with very clear compliance goals and high compliance requirements. In contrast, for startups, the focus may be on development, allowing for slightly lower security goals. At this stage, corresponding compliance measures will also be adjusted. These companies do not need to spend enormous costs but must achieve at least minimum compliance. This means that throughout the development process, legal points of concern must be monitored to better identify whether the product meets relevant legal requirements, thereby avoiding higher compliance costs.
Taking the vehicle networking security system as an example, many aspects are involved. As I mentioned, the lifecycle of a vehicle development process will encompass various parts, and we should embed our personal information collection lifecycle into the product lifecycle, from personal information collection, use, processing, external provision, disclosure, and public access to subsequent deletion and destruction.
Comprehensive testing and system building are essential. After a data breach, how do you respond? Establish response protocols and an overall data compliance policy for the company. Conduct thorough risk assessments, which may require collaboration between legal personnel and internal data security staff. Importantly, the rights of data subjects must be addressed, with corresponding mechanisms in place for timely responses. If a user requests data deletion or access, or wishes to transfer their data, these present practical issues for enterprises that require attention.
For a company to thrive, it must strive towards compliance to go further. Thank you all!