5.1 Introduction

As smart cities complete the build-up of information technology (IT) infrastructure and as more smart devices are connected, data flows will become more important—not just intra-city flows but also external flows. To remain relevant and competitive, a smart city must rely on external data not only for short-term commercial needs, such as international payment transactions, but also for support and updates for smart devices and vehicles, long-term innovation, content creation, product development, and business viability. This requirement concurrently involves legal issues connected with privacy, trade, e-commerce, finance and cybersecurity, and intellectual property, which, in turn, is further complicated by the need to protect data, enforce laws, and access tools for the creation of new content or innovations.

Data today is so ubiquitous, and systems are so interconnected, parties’ actions in one digital domain can derail initiatives in another area. For instance, Facebook’s cryptocurrency Libra largely failed because of distrust of Facebook’s social media activities, notably with regards to its lack of protection of users’ privacy (Mendoza 2020). What is now clear is that actions in one area can result in unintended consequences elsewhere—and while a holistic approach to managing data and data flows sounds desirable, it remains to be seen whether such an approach is achievable.

This chapter will examine the conflicting legal and other issues smart cities face, including how to provide access to tools and data to enable creation of apps, content, or products and adapt products for local and global needs; how to encourage use and deployment of data-dependent systems such as artificial intelligence (AI); and how to allow companies to fulfil obligations to provide customer support, enable commercial transactions, or the flow of digital currencies. Finally, this chapter explores how a seemingly minor exemption in copyright law could have large commercial implications for companies employing AI.

The chapter locates its analysis with a case study of Hong Kong, a city that depends on trade flows for its continued growth and development. Hong Kong also aims to be a leading smart city, but to date has only introduced regulations concerning data and external data flows on an uncoordinated and piecemeal basis. The chapter begins with a short historical overview of Hong Kong’s quest to be a smart city and measures its progress against an objective. The chapter will then evaluate the potential downsides of Hong Kong’s laissez-faire approach to regulation and advocate for the establishment of a coordinated framework and policy for managing cross-border data flows.

5.2 Hong Kong’s Desire to Be a Smart City

Hong Kong has been formulating plans to become a leading global smart city and a leading innovation center for well over half a decade (Legislative Council 2016). For instance, in its ambitious Hong Kong Smart City Blueprint document released in December 2017, the Hong Kong government set out 76 initiatives under six smart areas—“Smart Mobility,” “Smart Living,” “Smart Environment,” “Smart People,” “Smart Government,” and “Smart Economy” (Information and Technology Bureau 2017). A 2020 update to the 2017 Smart City Blueprint presented impressive statistics and accomplishments, including various infrastructure projects and other major initiatives that had been implemented in the past three years. Such measures included the Faster Payment System, free public Wi-Fi hotspots, and an “iAM Smart” one-stop personalized digital services platform (Information and Technology Bureau 2020). The government also announced investments in skills training such as science, technology, engineering, and mathematics (STEM) education and training on the application of technology for civil servants (Smart People Infographic, nd).

But a closer, detailed inspection of these documents reveals three omissions. First, neither Smart City Blueprint document includes a definition of “smart city.” Second, aside from two mentions of the Law Tech fund and online dispute resolution, the two Blueprint documents pay scant attention to legal matters. (Information and Technology Bureau 2020) This lack of attention is a potentially serious future oversight given that the resolution of certain important questions of legal protection for data and databases are critical to the operation and development of AI systems. In fact, in its 2016 briefing to Hong Kong’s legislature, the government only noted that the consultancy firm it hired for the smart city implementation (PricewaterhouseCoopers Advisory Services Limited 2017) would study the legal framework and experiences in other cities/countries and relevant overseas experiences “conducive to the implementation of smart city initiatives, and identify legislative proposals, if needed, for underpinning smart city development” (Legislative Council 2016, p. 5). Finally, despite their obvious importance to the ongoing operation of many of the initiatives mentioned in the two documents—in particular items under the umbrella of a “Smart Economy”—there is no mention of a coherent policy regarding cross-border data flows.

Given the release of aspirational documents lacking detail and follow-up, how does Hong Kong rate as a “smart city”?

5.3 What Is a Smart City—And Is Hong Kong a Smart City?

The answer to this question is more difficult than one would imagine, as there is a lack of consistent definition for the term “smart city.” Even leading tech companies define a smart city in differing ways, although the underlying reliance on data is clear, even if it is not expressly stated. For example, while Nvidia uses the definition of a smart city as “a place applying advanced technology to improve the quality of life for people who live in it” (Merritt 2020, para 7), Cisco defines a smart city as one that “uses digital technology to connect, protect, and enhance the lives of citizens. Internet of Things (IoT) sensors, video cameras, social media, and other inputs act as a nervous system, providing the city operator and citizens with constant feedback so they can make informed decisions” (Cisco, nd). Meanwhile, Technopedia states that a smart city is “one in which sensor-driven data collection and powerful analytics are used to automate and orchestrate a wide range of services in the interests of better performance, lower costs and lessened environmental impact” (Kottayil 2021).

While neither of Hong Kong’s Smart City Blueprints defines a “smart city,” a 2016 planning document entitled Hong Kong 2030+, A Smart, Green and Resilient City Strategy offers a definition adapted around the “Smart City Wheel” concept mentioned in a 2014 Boyd Cohen article, Fast Company, that mentions several pioneering smart cities such as Barcelona, Copenhagen, Vancouver, and Singapore—but not Hong Kong (Cohen 2014). The planning document states that “[c]onventionally, a ‘smart city’ refers to a city that utilises ICT to make its components, infrastructure, utilities and services more efficient and interactive with the people” (Planning Department 2016).

Cohen’s exclusion of Hong Kong was perhaps unfair as when measured against that and the other criteria, Hong Kong qualifies as a smart city:

  • 5G coverage now exceeds 90% (Government of Hong Kong 2021–22 budget 2021);

  • Hong Kong has a smart airport with self-bag drops and smart check-in kiosks;

  • Over 95% of its population use contactless Octopus smart cards to make payments;

  • Mobile subscriber and household broadband penetration rates are nearly 284 and 94% respectively; and

  • The data.gov.hk website boasts over 4180 unique data sets (Information and Technology Bureau 2020).

Moreover, in September 2018, Hong Kong’s Monetary Authority launched the Faster Payment System to enable users of banks and stored value facilities to make instant cross-bank/e-wallet payments easily by entering the mobile phone number or the email address of the recipient (Office of the Government Chief Information Officer Innovation and Technology Bureau 2019) and the government is presently developing two InnoHK research clusters at the Hong Kong Science Park, one focusing on healthcare technologies and the other on artificial intelligence and robotics technologies, as well as a data technology hub and the Hong Kong-Shenzhen Innovation and Technology Park (Government of Hong Kong 2020–21 Budget Speech 2020).

Hong Kong has also embraced the notion that the concept of a smart city must extend beyond hardware and has accordingly invested in skills training and has a vibrant start-up community [with over 3360 start-ups employing 10,688 employees across 116 co-work spaces, incubators, and accelerators (StartmeupHK 2020)] In this regard, the planning document noted:

A wider definition of “Smart city” extends from a purely technocentric concept to a concept that underpins urban performance in economic and social development…. a city is smart “when investments in human and social capital and traditional and modern communication infrastructure fuel sustainable economic growth and a high quality life, with wise management of natural resources; through participatory governance. (Planning Department 2016)

However, Hong Kong’s implementation of smart city infrastructure has been uneven with some areas still struggling with subpar internet and mobile services (Newbery 2021). Small cracks in a city’s framework are commonplace, however, and cannot solely be used to judge a smart city.

5.4 Can Hong Kong Remain a Smart City?

If we concede that Hong Kong is currently a smart city, the next question to ask is whether it can retain this status. Two interrelated concerns quickly spring to mind: a lack of a coordinated policy on cross-border data flows and potential legal shortcomings. Both are addressed in turn.

5.4.1 Hong Kong’s Lack of a Coordinated Data Policy

Could Hong Kong’s current lack of a coordinated data policy hinder its future growth prospects given the ubiquity of data and the dependence of modern, highly interconnected systems on data? If anything, Hong Kong’s reliance on international data flows for international commerce and financial transactions, product development, and innovation will only increase. There are many reasons for this conclusion, including the continued growth of transactions conducted using central bank digital currencies and the introduction of new technological innovations such as non-fungible tokens (NFTs)–which raise several potential concerns including intellectual property (IP), securities, anti-money laundering, contractual, and criminal concerns as well as data flow issues.

For instance, a person buying NFT art buys a token and the work of art linked to it, thus the linked art, the associated block chain ledger, and payment systems are necessary components of the NFT, all of which require data access to the token and the growing reliance on AI (West and Allen 2018). In addition, Hong Kong’s Monetary Authority is currently in discussions with the Digital Currency Institute, a research unit of the People’s Bank of China (PBOC), to pilot test China’s CBDC, the Digital Currency Electronic Payment (DCEP), which is part of the PBOC’s ambitious project to develop a digital currency. The DCEP is important to Hong Kong because if implemented successfully and quickly, it would cement Hong Kong’s position as the premiere Asian financial hub. Thus, it would be in Hong Kong’s interest to ensure the smooth implementation of DCEP without any data flow related issues (Le 2020).

The interconnectedness of contemporary digital systems means that actions in one area may have unintended consequences elsewhere. For instance, in 2018 the UK’s plans to impose a 2.5% tax on sales in social media platforms were promptly met with threats of American retaliation and dimmed prospects for a US–UK trade deal (Sherman 2018). Likewise, when Australia announced in early 2021 its intention to introduce laws forcing tech companies to pay for Australian news content (Mishra 2021), Google and Facebook immediately pushed back, with the former threatening to remove its search engine from Australia (Clayton 2021), the latter threatening to forbid Facebook and Instagram users from sharing local and international news (Meade 2020), though a resolution was eventually reached (Diaz and Bond 2021; Samios 2021). Meanwhile, European efforts to regulate the obligations of digital services that act as intermediaries in their role of connecting consumers with goods, services, and content and introduce rules for platforms that act as “gatekeepers” in the digital sector were met with resistance and accusations of being protectionist and discriminatory (Curi 2020). The above situation would tend to support the government’s need to formulate a coordinating policy after consulting with multiple stakeholders if for no other reason to mitigate the risk of unintended consequences similar to what recently happened to other jurisdictions.

5.4.2 Legal Shortcomings

Unlike some other jurisdictions, Hong Kong does not have laws specifically addressing smart cities. Hong Kong does, however, have laws addressing relevant aspects of a smart city, including privacy in the form of the Personal Data (Privacy) Ordinance, Cap. 486 (PDPO), e-commerce with the Electronic Transactions Ordinance, Cap 553 and electronic surveillance with the Interception of Communications and Surveillance Ordinance, Cap. 589. However, parts of Hong Kong’s laws may become problematic in the future, particularly for the development and deployment of AI given that much of contemporary AI is a combination of software and data—including (i) the input training, testing and operational datasets; (ii) that input data as processed by the computer; (iii) the output data from those processing operations; and (iv) insights and data derived from the output data that distinguish such systems from most other conventional applications (Kemp 2020) and present subtle but potentially significant legal, trade, and business implications. To understand this, we need to consider AI’s relationship with data.

5.4.2.1 The Relationship Between AI and Data

Most modern AI relies on large amounts of input data, and thus data flows are a critical concern not just for training data purposes, but also to update or adapt products for local market conditions as well as conduct remote (and cross-border) technical meetings and other collaborative activities. AI developers may also need access to infrastructure and tools such as Facebook’s PyTorch, Google’s Tensorflow, Salesforce’s Einstein, or other cloud-based tools while creators, marketers, and others involved in sales and marketing of AI and AI-powered products would need access to tools to create brochures and other sales material as well as social media sites to promote their products.

5.4.2.2 Why Data Curation Is Important

In creating the data sets to train AI systems, considerable resources may be spent finding suitable training data, collecting the data, correcting training errors, or ensuring the data has not been corrupted (for example, by a cyberattack). The effort spent in data curation, defined as the active and ongoing management of data through its lifecycle of interest and usefulness (Horowitz 2019), and building up the relevant databases and data sets, can be significant. To create data sets, AI developers can

  • Use data in the public domain (though this option has risks of bias and data unsuitability) (Calo 2017);

  • Purchase data;

  • Attempt to use technology to build AI less reliant on large data sets—for example one-shot learning (Sucholutsky and Schonlau 2020) or data set distillation (Sucholutsky and Schonlau 2019), though these technologies are neither proven nor mature; or

  • Generate the data themselves, for example, using a text and data mining (TDM) system; data mining is the process of finding styles and extracting useful statistics from large data sets. Text mining is an AI technology that entails processing facts from numerous textual content files (Tariq 2020).

5.4.3 The Importance of Clarifying the Legal Protections for Data

The important legal question is whether a Hong Kong company creating a data set can protect its data under Hong Kong law, notably the Copyright Ordinance (Cap. 528), particularly if it is using a TDM system. Internet protocol (IP) protections for data are limited in Hong Kong, privacy protections under Hong Kong’s PDPO notwithstanding. While it is tempting to think that any collections of data used in AI as databases could be protected as literary works, this is not necessarily the case. As per s.4(1)(a) of Hong Kong’s Copyright Ordinance, a literary work includes “a compilation of data or other material, in any form, which by reason of the selection or arrangement of its contents constitutes an intellectual creation, including but not limiting to a table.” Whether such protection is available to any such data set is not entirely clear.

5.4.3.1 Is It a Database?

If, for example, a user employs a TDM that scrapes data from the web and copies this into an organized collection of structured information or data, that is, a “database” (Oracle 2021), it could receive protection under the Copyright Ordinance. But what if the TDM mechanically copies that data into an unstructured file? It is debatable whether such an action would qualify as an “intellectual creation” eligible for legal protection as a literary work.

As Hong Kong statutory and case law lacks a more precise definition of what “a compilation that, by reason of the selection or arrangement of its contents, constitutes an intellectual creation” means, it is not clear to what minimum standard of “intellectual creation” a collection of data requires for protection. It is also unclear whether such a collection might somehow qualify as a “database” given that the Copyright Ordinance lacks this definition.

In comparison, other jurisdictions provide a clearer framework. For example, the relevant laws in the UK contain provisions for databases, which is defined in s3A(1) CDPA as collections of independent works, data, or other materials, which are arranged in a systematic or methodical way and are individually accessible by electronic or other means. Similarly, Europe grants copyright protection to databases, which, as such, by reason of the selection or arrangement of their contents, constitute the “author’s own intellectual creation.” In parallel to the copyright protection on the structure of the database, European Union (EU) Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases offers additional sui generis protection to databases to reward the substantial investment of the database maker in creating the database and prevent freeriding on somebody else’s investment in creating the database. (Debussche and César 2019). Meanwhile, the US protects databases under copyright law (17 U.S.C. §101) as compilations that are defined as a “collection and assembling of pre-existing materials or of data that are selected in such a way that the resulting work as a whole constitutes an original work of authorship.” The compilation of facts is copyrightable only if the selection or arrangement “possesses at least some minimal degree of creativity (see Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340 [1991]).

5.4.3.2 What About Copyright in the Embedded Items?

Even if such a collection could qualify for legal protection under the Copyright Ordinance, there is the question of whether the individual items contained in the data collection individually retain copyright rights. For instance, a database of songs may contain pictures of artists, songs, or videos that each individually hold IP rights.

There is a real risk that the use of TDM systems may infringe on such rights (Rubinfeld and Gal 2016) and at the IP right holders could create barriers, thereby affecting, inter alia, the use of such data. This effect could impact new system development, business models, etc. as the protection of the database as a collection, or in the case of Hong Kong, a compilation that constitutes an intellectual creation, does not extend to the underlying data. This point was echoed in Article 10(2) of the World Trade Organization’s Agreement on Trade Related-Aspects of Intellectual Property (TRIPS Agreement), which reads:

Compilations of data or other material, whether in machine-readable or other form, which by reason of the selection or arrangement of their contents constitute intellectual creations shall be protected as such. Such protection, which shall not extend to the data or material itself shall be without prejudice to any copyright subsisting in the data or material.

Hong Kong’s Copyright Ordinance lacks an explicit exemption for TDM, which could limit the utility of the data set for AI training, as only TDM tools that involve minimal copying of a few words or crawling through data and processing each item separately could be operated without potentially encountering a liability (Geiger et al. 2018) The only exception could perhaps be if TDM were involved in a statutory inquiry (s. 55) and incidental inclusion for incidental inclusion of copyright material in an artistic work, sound recording, film, broadcast, or cable programme (though not in a literary work) under s. 40(1) of that ordinance.

This situation is again unlike the UK, EU, and US, which provide a TDM exemption in the form of a right to make a copy of a work “for computational analysis of anything recorded in the work” under s.29A of the UK’s CDPA, which permits copying for non-commercial research, as long as the copy is accompanied by a sufficient acknowledgement (unless this would be impossible for reasons of practicality or otherwise) but requires authorization from the copyright holder for other uses (Okediji 2016). There is also an exemption in the EU under Art. 3.1 Directive (EU) 2019/790 on copyright in the Digital Single Market which provides an exception for TDM for scientific research and applies a liberal regime of fair use, with courts having held that the use of large volumes of copyrighted literary work for machine mining falls within the fair use exception based on the fact that the data use did not provide an alternative version of the copyrighted literary work to the public, but only snippets of it (O’Malley 2020).

5.4.4 Should Hong Kong Introduce an Exemption?

Should Hong Kong amend its Copyright Ordinance to define databases and provide explicit TDM exemptions? Would doing this attract more tech investment or spur more innovation? Thus far, the lack of a TDM exemption has not become an issue, and overseas experience has not unequivocally demonstrated that modifications of laws result in changes to investments in innovation. For example, while some have claimed that the US’s more permissive software patenting regime is a primary reason more software development took place in the US than the EU, when the US Supreme Court’s decision in Alice Corp. v. CLS Bank International (573 U.S. 208 [2014]) made it harder to get patents for software, the US did not see an outflow of investment, innovation, or talent. Similarly, the European Commission’s evaluation of the Database Directive noted that the enactment of the Directive did not result in any significant new flows of technological investment into the EU (European Commission 2018).

5.5 Options for Hong Kong?

Hong Kong could continue its present laissez-faire policy, though, as noted earlier, this (non-)strategy has risks. Hong Kong could also make some minor changes to the way it operates, for example, amending the Copyright Ordinance. But in this specific case, Hong Kong may not feel any need to rush updates to its Copyright Ordinance given that both the Berne Convention and the Trade-Related Aspects of Intellectual Property Rights (TRIPS) Agreement (to which Hong Kong as a member of the World Trade Organization [WTO] is a party) provide for exceptions to copyright infringement depending on the purposes of the use of an otherwise protected work. More specifically, Article 9(2) of the Berne Convention establishes three conditions for exceptions and limitations to the right of reproduction: (i) only in certain special cases; (ii) only if there is no conflict with a normal exploitation of works; and (iii) only if there is no unreasonable prejudice to the legitimate interests of authors. Article 13 of the TRIPS Agreement provides similar criteria.

A third option would be for Hong Kong to adopt a wait-and-see approach, relying on developments in international bodies such as World Intellectual Property Organization (WIPO) or the WTO before amending its laws. But such an approach could take a long time, as reform in these institutions is inevitably slow and uncertain. For instance, WIPO initiated a process on IP and AI in 2019, when it held multiple “Conversation on IP and AI” conference events, a public consultation in which it received over 250 submissions, a draft paper, (WIPO 2019) and an event on “Copyright in the Age of Artificial Intelligence,” (Copyright.gov 2020) yet still has not reached any global consensus on TDM exemptions or other AI-related IP issues. Moreover, even when WIPO members can reach a consensus, a new treaty can take years to ratify. For instance, while the Marrakesh Treaty to Facilitate Access to Published Works by Visually Impaired Persons and Persons with Print Disabilities was signed on June 28, 2013, it only came into force on September 30, 2016 (WIPO Marrakesh Treaty).

Likewise, the WTO will not provide Hong Kong or any other jurisdiction with a legal framework to facilitate the transfer of data, outline the contours of AI, or resolve associated IP controversies. The WTO framework was created long before technological breakthroughs on AI—even before the advent of global e-commerce and the WTO’s attempts to grapple with the challenge posed by socio-technological change have largely failed. In this regard, the Electronic Commerce Work Programme and potentially a plurilateral agreement on e-commerce remain under discussion and unresolved (Liu and Lin 2020). Moreover, while the TRIPS Agreement is comprehensive in scope and provides substantive obligations, it is in many respects a minimum standards agreement which provides scope for members to tailor their laws to meet their needs and priorities. Thus, all approaches outlined in this chapter are compliant with the TRIPS Agreement.

Certain WTO members have advanced the agenda by entering bilateral and regional trade agreements to deal with, inter alia, provisions on cross-border data flows and/or data localization. For example, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership.

  • Includes provisions requiring “the cross-border transfer of information” subject only to restrictive measures being taken for a “legitimate public policy purpose” so long as the restrictions are not discriminatory or disguised trade barriers;

  • Mandates strong copyright protection and enforcement;

  • Provides for non-discriminatory treatment of digital products;

  • Prohibits localization requirements for computing facilities, with a public policy exception similar to the one for cross-border data flows and personal information protection;

  • Bars the mandated transfer or access to source code of software owned by a person of another party “as a condition for the import, distribution, sale or use of such software, or of products containing such software, in its territory” as well forced technology transfers; and

  • Prohibits customs duties on digital trade.

Following the negotiation of the CPTPP, similar hard rules on data flows were incorporated in numerous subsequent trade agreements, notably Singapore’s bilateral trade agreements with provisions on cross-border data flows, such as the upgraded New Zealand–Singapore Closer Economic Partnership, the Australia–Singapore Digital Economy Agreement that entered into force in December 2020, and Sri Lanka–Singapore Free Trade Agreement 2018. Other examples include trade agreements between Chile–Uruguay (2016), Argentina–Chile (2017), Australia–Peru (2018) and Australia–Indonesia (2019) as well as the United States Mexico Canada Agreement, UK–Japan Comprehensive Economic Partnership Agreement and EU–UK Trade and Cooperation Agreement.

Here, Hong Kong has not let the lack of a coordinated policy framework stop it from negotiating provisions on cross-border data in its free trade agreements (FTAs). The most recent and comprehensive example of which is the Australia–Hong Kong Free Trade Agreement (AUHKFTA), which entered into force in January 2020. Chapter 11 of the AUHKFTA on e-commerce covers cross-border data and includes a dedicated e-commerce chapter, which is in line with the trends in modern FTAs. The chapter includes dedicated provisions on

  • electronic signatures and electronic authentication;

  • a legal framework governing electronic transactions consistent with the principles of the UNCITRAL Model Law on Electronic Commerce 1996 or the UN Convention on the Use of Electronic Communications in International Contracts 2005;

  • consumer protection;

  • prohibition of customs duties on electronic transmissions, including content transmitted electronically;

  • freedom of movement of information, including financial services;

  • ban on localization of computing facilities, including financial services;

  • protection of personal information;

  • paperless trading;

  • unsolicited commercial electronic messages;

  • prohibition on requiring transfer or access to source code; and

  • cooperation on development, enforcement, and by other means.

Whether these provisions become codified in domestic law or form the basis of a coordinated and coherent policy framework remains undetermined.

What is clear is that while Hong Kong can attribute much of its present success to its laissez-faire business policy, given the complex interdependencies of cross-border data flows its continued adherence to a laissez-faire cross-border data flow policy is likely not sustainable in the light of new digital realities. To ensure its various internal departments better appreciate the importance of data flows in their respective areas of responsibility and oversight, interdepartmental discussions are needed, and these discussions should lead to some internal consensus or position on how Hong Kong can ensure it remains a smart city. The Hong Kong government should then provide for a broad consultation focusing on whether Hong Kong should have a policy on data flows given how important data is to a smart city. Given that such a policy could have profound cross-industry implications, and with the 2014 Digital 21 consultation (launched on September 18, 2013 and ending on November 30, 2013) as a guide, the government should grant adequate time to solicit views (Hong Kong Government Press Release 2013). As part of the consultation, the government should map out how it might want to introduce new initiatives that could impact data flows, such as imposing charges for local news content on search engines. The consultation should also consider assessment criteria, that is, how Hong Kong should assess the success of new programs or policies or how and how quickly it should withdraw failed or problematic initiatives. It is only through a comprehensive and holistic consultation and review that the government can best formulate policy and advance the agenda of ensuring Hong Kong can remain a smart city.