Challenges for IoT enterprises in personal info processing

By Wang Kun and Han Xiangli, Blossom & Credit Law Firm

The rapid development of internet of things (IoT) technology has led to the widespread application of smart devices in daily life and social production, covering areas such as clothing, food, housing and transportation. With the enactment of China’s Personal Information Protection Law (PIPL) and the gradual implementation of related regulations, standards and supporting measures, IoT enterprises face challenges in managing personal information processing activities. This article explores the key challenges IoT companies face in personal information protection compliance and their solutions.

Personal information collection

Under China’s personal information protection regulations, IoT enterprises must follow the principles of legality, legitimacy, explicit purpose and data minimisation when collecting personal information. Excessive collection or acquisition of users’ personal data is prohibited. Most IoT devices rely on mobile internet applications to obtain users’ informed consent through privacy policies, written consent statements or user registration agreements.


IoT enterprises must also comply with relevant regulations, such as the Practice Guidelines for Cybersecurity Standards – Self-assessment Guidelines for Collecting Personal Information in Mobile Internet Applications. These include providing users with options to consent or refuse, offering mechanisms to withdraw consent, and obtaining renewed consent if the purpose, method or scope of personal information use changes.

When user consent or authorisation cannot be obtained, IoT enterprises should, within the bounds of applicable laws and regulations, adopt technical measures to collect de-identified non-personal information. This ensures that users’ normal usage and unrelated business functions are not affected, thereby maintaining the quality of service.

Data storage and transmission

Under the PIPL and the Measures for Security Assessment of Cross-border Data, critical information infrastructure operators, and personal information processors that handle personal data in quantities specified by the national cyberspace authority, must store such data within China.

IoT enterprises must consider several factors when determining data storage locations, including whether their business involves critical national infrastructure or state secrets, the volume of personal information processed, user rights protection requirements, data transmission costs, the necessity of cross-border transfers, and whether applicable regulations mandate data localisation.


For cross-border transfers of personal information, enterprises must undergo security assessments organised by the national cyberspace authority. Violating these measures, such as transferring personal information abroad without proper security assessments, will result in legal liabilities and penalties, including fines, suspension or revocation of business licences. Enterprises must also ensure that overseas recipients comply with the PIPL when processing personal information.

IoT enterprises should also be mindful of personal information storage durations. While the PIPL does not specify exact storage periods, it requires data to be retained only for the shortest time necessary to achieve the purpose of processing. Unless otherwise stipulated by laws or administrative regulations, enterprises must promptly delete personal information when services are discontinued or the data is no longer needed.

Handling sensitive information

In recent years, several smart home appliance brands have experienced security breaches, such as an incident involving smart robotic vacuum cleaners that raised concerns about surveillance, highlighting the urgent need for improved information security in IoT devices. Identifying and handling sensitive personal information is a critical priority for IoT enterprises, as the leakage or misuse of such data can severely compromise users’ safety, property security and even dignity.

In September 2024, the National Information Security Standardisation Technical Committee issued cybersecurity guidelines, providing practical guidance for article 28(1) of the PIPL. The guidelines serve as a key reference for enterprises in identifying, processing and protecting sensitive personal information. Special attention must be given to biometric information, including data obtained through the technical processing of an individual’s physical, biological or behavioural characteristics such as facial features, voiceprints, fingerprints and palm prints.

This information, which can identify individuals on its own or in combination with other data, is widely used in IoT devices such as smart locks and smart speakers for functions such as unlocking doors, voice control and computer access.

When collecting and processing such information, IoT enterprises must ensure the accuracy and integrity of users’ personal data. They should also implement measures such as de-identification, encryption or isolation through technical means to achieve data desensitisation and classification.

Remedial measures

Many IoT enterprises are gradually establishing data compliance management systems to standardise processes for data collection, usage, processing and transmission. When building such systems, enterprises must focus on remedial measures and user recourse in cases where personal information is leaked, damaged or lost due to cybersecurity incidents or unforeseen events during data collection, usage or transmission.

IoT enterprises should implement internal emergency response plans. In the event of an incident, they must promptly notify or alert affected users through multiple channels, such as phone calls, emails, text messages or public announcements, enabling users to take necessary precautions. Enterprises should also take steps to mitigate or prevent further losses and report the incident to relevant government regulatory authorities in a timely manner, ensuring risks are contained within a limited scope.

Wang Kun is a partner and Han Xiangli is an associate at Blossom & Credit Law Firm

Blossom & Credit Law Firm
12/F, 15/F, Tower A, Xinzhongguan Building
No.19, Zhongguancun Street, Haidian District
Beijing 100086, China
Tel: +86 10 8287 0263
Fax: +86 10 8287 0299
E-mail: wangkun@baclaw.cn
hanxiangli@baclaw.cn
