Response to Media Enquiry or Report

Date: 28 July 2016

Privacy Commissioner Responses to Media Enquiry on the Personal Data Privacy Issues of the Augmented Reality Game Pokémon Go

Thank you very much for your enquiry regarding the personal data privacy issues of the augmented reality game Pokémon Go. Our responses are as follows:

Given the reported popularity of the smartphone game Pokémon Go in Hong Kong, the Privacy Commissioner for Personal Data, Hong Kong (the “Commissioner”), Mr Stephen Kai-yi WONG, issued a media statement on 25 July 2016 (Chinese version only) to remind app players to stay smart as “Data Protection is in Your Hands”.

The Commissioner considers it appropriate to provide the following practical tips to the game players on protecting their own personal data:

  1. Check the full name of the game before downloading from the official market place and avoid downloading fake/malware from any other places;
  2. Decide whether you want to use an existing Google account (and allow the corresponding email address to be accessed) or to create a new account with date of birth and new email address to play the game;
  3. Understand what information is being collected by the game and decide if you are willing to provide the information for the benefit of playing the game;
  4. During the creation of an account, decide if you wish to receive marketing email messages from Pokémon GO. Remember, you have the right to opt out through the links provided in those messages, and you can still play the game after unticking the default box;
  5. When supported by the operating system, examine and disable the information the game can access in the smartphone, bearing also in mind that denying access to some information (such as location) may render the game inoperable;
  6. When joining related promotional activities that may involve providing information (such as liking/tagging a Facebook page, uploading game screens), consider the privacy impact of providing such information, particularly if it involves your photos or usernames of others;
  7. Understand the risk and impact of installing third-party ‘guides’, ‘cheats’ or ‘hacks’ as they may contain malware;
  8. You have the right to refuse further collection, use and/or disclosure of information collected by writing to pokemongo-privacy@nianticlabs.com, although exercising this right of refusal may mean that you can no longer play the game. You also have the right to request deletion or correction of information collected by writing to pokemongo-privacy@nianticlabs.com.

According to the Ordinance, the Commissioner has the power to conduct a compliance check or initiate an investigation into data users, which are able to control, in or from Hong Kong, the collection, holding, processing or use of the personal data concerned, if he has reasonable grounds for believing that they have violated the Ordinance. The Privacy Commissioner for Personal Data, Hong Kong will keep an eye on the smartphone game app and will give timely smart tips to users in Hong Kong.

Game app manufacturers or developers (as data users) that control the collection, holding, processing or use of the personal data shall comply with the requirements under the Ordinance, including the six Data Protection Principles (DPPs), in particular:

DPP1 (Data Collection Principle):

  - Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user.
  - Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
  - Data collected should be necessary but not excessive.

DPP2(2) (Retention Principle):

  - Personal data should not be kept for a period longer than is necessary to fulfil the purpose for which it is used.

DPP3 (Data Use Principle):

  - Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.

DPP4 (Data Security Principle):

  - A data user needs to take practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.

The Commissioner issued the “Protect Privacy by Smart Use of Smartphones” leaflet, which helps smartphone users avoid the personal data privacy pitfalls of using smartphones. Members of the public can also visit our thematic website to get more practical tips on protecting personal data: https://www.pcpd.org.hk/besmartonline.

The Commissioner also issued the “Best Practice Guide for Mobile App Development” that aims to provide comprehensive step-by-step practical guidance to those who are in the mobile applications development business. It outlines the key areas of concern when developing apps in order to earn trust from customers through respecting their personal data privacy. The “Guidance for Data Users on the Collection and Use of Personal Data through the Internet” was issued to assist data users in complying with the Ordinance while engaging in the collection, display or transmission of personal data through the Internet.