Our responses are as follows:
A) Whilst it would not be appropriate for us to express our views on individual cases or a specific practice without the details of the facts and specific circumstances, the Privacy Commissioner for Personal Data, Mr Stephen Kai-yi Wong, has the following initial observations to make in relation to the updated privacy policy of WhatsApp:
1. Allowing information on a WhatsApp account to be shared with Facebook– Though no third-party banner ads are assured, the new policy appears to allow information on a WhatsApp account to be shared with products associated with Facebook, thus enabling Facebook to access data about the preferences of the app users and provide a channel for more personalised advertisements.
2. Introducing commercial messaging – Commercial messaging allows businesses to set up special pages which WhatsApp users can subscribe to receive relevant ads or product/service information, or can even place orders. Users should note that they have the option to unsubscribe at any time.
3. End-to-end encryption feature applying to all WhatsApp communications – End-to-end encryption means communications are encrypted from the device of the message sender to the device of the recipient. As a result, WhatsApp is unable to intercept the contents of the communications, or disclose such contents to third parties.
4. If you do not agree –If you do not agree to accept the updated privacy policy, you need to stop using WhatsApp. If you agree, the sharing of information with your Facebook account would not be effective for 30 days, and during this cooling-off period, you may still opt out by deleting your WhatsApp account. Alternatively, you may delete your Facebook account.
In view of the popular usage of WhatsApp in Hong Kong, the Privacy Commissioner reminds the app users to pay special attention to the changes regarding information sharing and take steps to control their own personal data. Mr Wong would also like to encourage Facebook to consider offering simple and user-friendly ways to allow those WhatsApp users who do not wish their account information to be shared with Facebook to continue to use both social media platforms.
As of today (26 August 2016), the Privacy Commissioner has not yet received any public complaints on this issue, although isolated enquiries have been received.
B) The Privacy Commissioner expresses concern regarding the vulnerabilities in Apple’s iOS software, which could allow attackers execute arbitrary code and obtain elevated privileges on the target system. Given the popularity of iOS devices in Hong Kong, the Privacy Commissioner urges the users to update the iOS software on their devices to the latest version as soon as possible in order to fix the loophole (The latest version of iOS is iOS9.3.5. Please visit the software manufacturer’s website for more information: https://support.apple.com/en-us/HT204204). In fact, users should always download the latest version of software to protect themselves against potential security risks. As one way to exploit the vulnerability is via a web link, users are recommended not to click any link in SMS messages received or to visit unfamiliar sites before they have updated their iOS.
C) We also note that both Facebook (the parent company of WhatsApp) and Apple Inc. are corporations registered outside Hong Kong, and the Personal Data (Privacy) Ordinance has no extraterritorial jurisdiction, their operations cannot be sanctioned under the Ordinance. Nevertheless, in view of the large number of users in Hong Kong, the Privacy Commissioner will continue to keep track of the development and where appropriate, consider referring cases to overseas data protection authorities for follow-up actions pursuant to established international cooperation arrangements.
The Privacy Commissioner issued the “Protect Privacy by Smart Use of Smartphones” leaflet that helps the smartphoneusers avoid personal data privacy pitfalls of using smartphones. Members of the public can also visit our thematic website to get more practical tips on protecting personal data: https://www.pcpd.org.hk/besmartonline. The Privacy Commissioner also issued the“Best Practice Guide for Mobile App Development” that aims to provide comprehensive step-by-step practical guidance to those who are in the mobile applications development business. It outlines the key areas of concern when developing apps in order to earn trust from customers through respecting their personal data privacy. The “Guidance for Data Users on the Collection and Use of Personal Data through the Internet” was issued to assist data users in complying with the Ordinance while engaging in the collection, display or transmission of personal data through the Internet.