Date: 9 April 2020
Response to media enquiry on the uses of Zoom and TikTok
Thank you very much for your enquiry about the uses of Zoom and TikTok. The response from the office of the Privacy Commissioner for Personal Data (PCPD) from personal data privacy perspective is as follows:
Cross-border data transfer in relation to Zoom
-
We note that Zoom said in its public announcement on 3 April 2020 that it had mistakenly added their two Chinese data centres to a whitelist of backup bridges and it had immediately taken the mainland China data centres off the whitelist of secondary backup bridges for users outside of mainland China.
-
Merely based on the relevant news reports and Zoom’s statement, we have no information on whether this mistaken routing transferred any personal data of individuals in Hong Kong across the boundary. Even if it did, the PCPD has no jurisdiction over Zoom because the Persona Data (Privacy) Ordinance has no extra-territorial effect and Zoom does not control its users’ data in or from Hong Kong. [1]
Complaint figures relating to TikTok
-
From 1 February 2020 until 8 April 2020 5:00pm, the PCPD did not receive any complaint in relation to Douyin, the Chinese version of TikTok.
PCPD’s follow-up action on TikTok
-
Under the Personal Data (Privacy) Ordinance (PDPO), any individuals or organisations using online platforms or applications to control, collect, hold, process or use (including disclosure and transfer) the platform users’ personal data in or from Hong Kong must comply with the provisions of the PDPO, including the Data Protection Principles.
-
As mentioned above, the PCPD has not received any complaint about Douyin, the Chinese version of TikTok.
-
The PCPD will continue to monitor the situation. If a child’s personal data privacy has been violated or abused, he or she should seek assistance from parents or teachers. If parents find that their children’s personal data has been used improperly and can provide prima facie evidence, they may complain to the PCPD.
PCPD’s collaboration with overseas data privacy authorities
-
The PCPD agrees that collaboration among data protection authorities is important in times when the use and transfer of personal data have become cross-jurisdictional and personal data protection issues are increasingly of a global nature and relevance.
-
The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr. Stephen Kai-yi WONG advocates cross-jurisdictional cooperation among data protection authorities. In his capacity as a member of the Working Group on International Enforcement Cooperation of Global Privacy Assembly (GPA, formerly known as International Conference of Data Protection and Privacy Commissioners (ICDPPC)), the Privacy Commissioner helps drive cross-jurisdictional enforcement collaboration. In addition, as a co-chair of GPA’s Permanent Working Group on Ethics and Data Protection in AI, the Privacy Commissioner has been advocating data ethical stewardship based on respect, mutual benefits and fairness to enterprises and organisations.
-
Since the outbreak of the Zoom data security incident, the PCPD has attached great importance to giving timely guidance to users of Zoom and video-conferencing in general, as well as schools and parents. Such guidance has been disseminated through the following channels:
-
The PCPD also shared its latest advice and guidance on personal data protection and COVID-19 with other data protection authorities via the GPA webpage “Data protection and Coronavirus (COVID-19) resources”: https://globalprivacyassembly.org/covid19/ .
[1] Zoom is headquarted in San Jose, California and listed in Nasdaq. It has offices in the Unites States, the United Kingdom, France, Netherland, Australia and Japan, but not in Hong Kong.