In recent months, a series of U.S. government reports have documented U.S. policymakers’ growing concerns over Chinese government policies and programs designed to advance China’s competitive edge in a range of technologies and industries. In turn, the findings of these reports are shaping U.S. economic and national security laws and policies, as illustrated by the recent Section 301 tariff actions, national security reviews of investment by Chinese firms under the Committee on Foreign Investment in the United States (CFIUS) process, and provisions of the recently-passed John McCain National Defense Authorization Act that restrict exports of “emerging and foundational technologies” and U.S. government use of certain Chinese-made telecommunications equipment. Against this background, a report released on October 26, 2018, is likely to further increase U.S. government scrutiny of China-manufactured devices with internet connectivity features – so-called “Internet of Things” or “IoT” devices.
The report, entitled China’s Internet of Things, was prepared at the direction of the U.S.-China Economic and Security Review Commission. The Commission was established by Congress to identify and analyze tensions and issues in the U.S.-China relationship, and its reports and studies are widely read by U.S. government officials and policymakers. For example, past findings of the Commission on China’s trade and industrial policies have formed part of the basis for U.S. trade actions against China, including the Section 301 tariffs that were recently imposed on nearly $267 billion in imports from China.
The latest report to the U.S.-China Economic and Security Review Commission emphasizes that while IoT devices and IoT technologies offer tremendous benefits to industries and consumers, they also pose significant security threats. According to the report, these threats are heightened by China’s growing dominance of the IoT industry. Specifically, through its promotion of IoT manufacturing and development under various government policies and industry programs, China is now on the cusp of being in a position to dictate the direction of the global IoT industry and IoT technical standards. As a result, China could “wield an outsize impact on the security of IoT devices against unauthorized access,” and gain largely unfettered access to U.S. consumer and industry data generated through the use of such devices.
To prevent such access and growing market dominance from posing a risk to U.S. industries, consumers, and national security, the report recommends that the U.S. government:
- Enact a tiered disclosure regime for IoT products broad enough to cover multiple aspects of authorized IoT data collection;
- Mandate data expiration and de-identification of data where appropriate according to existing principles of data minimization, especially for information resellers;
- Codify existing U.S. data regulations and others in a single, comprehensive federal law governing data privacy;
- Require foreign IoT products to disclose affiliation with foreign entities that may pose a significant risk of harmful but authorized access to U.S. data;
- Refer corporate-level attempts to transfer U.S. data to foreign entities to CFIUS for approval; and
- Expedite passage of a unified federal data privacy statute applicable to both foreign and domestic IoT companies.
It is likely that the report’s findings and recommendations will soon inform additional steps by the Trump Administration and Congress to address these concerns. Companies and industry groups with an interest in IoT technology and security should closely monitor these developments and be prepared to make their own voices heard as such legislative and policy initiatives move forward.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.