Date: 20 November 2016
(Translation)
Privacy Commissioner’s Response to Privacy Concerns
Over the Collection and Integration of User’s Personal Data by
Three Mobile Apps with “Call-Blocking” Function
The Office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) notes the public concerns over personal data privacy protection after the collection and integration of users’ phone books by three mobile apps with “call-blocking” function that appeared in the media today. Mr Stephen Kai-yi WONG, the Privacy Commissioner for Personal Data, Hong Kong (“Privacy Commissioner”), expresses deep concern about the incident where the three mobile apps were based overseas and two billion people were reportedly affected, in particular, a large volume of Hong Kong residents’ personal data were involved. He would keep track of the latest development and liaise with overseas personal data protection authorities for follow-up actions pursuant to established international cooperation arrangements. He also advises members of the public to immediately adopt the opt-out procedures provided by the apps or request the apps developers / operators to remove the relevant data.
An investigation of FactWire News Agency reported that the three mobile apps with “call-blocking” function, namely Sync.ME, Truecaller and CM Security (associated another app, WhatsCall) were suspected of collecting users’ phone books to compile databases open to anyone to trace the identities of phone number holders and even their social network accounts. The followings are the preliminary observations of the PCPD:
-
The three app developers / operators are corporations registered outside Hong Kong (in Israel, Sweden and the Mainland)
-
By inputting a phone number into the databases, the apps can provide a user with the name of the holder of the phone number, and other relevant data of that holder;
-
Truecaller claims that its app could perform search by name or by phone number, but it also claimed that its users’ phone books would not be uploaded or disclosed publicly. If a user requests for another person’s data, the app will seek the consent of that other person before disclosing his data to the requestor, and that person will be notified and asked if he consents to the disclosure of his data to the requester. Truecaller also provides an opt-out channel for users to unlist their phone numbers and names from its phone list and search engine;
-
Sync.ME provides channels for users to remove their personal data and phone book data.
To prevent recurrence of similar incident, members of the public should take notice of the following:
-
If a user does not permit the apps to retain or use his personal data , he should check if the apps have offered any channels to opt out or delete his personal data so that he can initiate such requests to the app developers / operators (Please refer to the Privacy Policy of Sync.ME and Technical Support Questions of Truecaller);
-
Before downloading any apps or providing personal data through the apps, members of the public should clearly understand the purpose of data collection and read the Privacy Policy and Personal Information Collection Statement to ascertain what data in their smartphones (e.g. phone books, messages, etc.) is to be accessed, uploaded or shared by the apps so as to judge if the collection is necessary or excessive and if it is worth exchanging their personal data for the use of the apps;
-
When downloading, if an app requests its users to give consent to the provision of other individuals’ personal data (e.g. access to the user’s phone book), the user should seek the prior consent of those individuals;
-
Some apps may provide value-added service (e.g. name search), which require a user’s consent to the provision of other individuals’ personal data held in his smartphones (e.g. phone book). The user should carefully consider if he will use such service, and seek the prior consent of those individuals in the phone books before confirming his acceptance of the service;
-
After installation, a user should review the privacy settings of the apps from time to time, e.g. to restrict the app from accessing unnecessary data, such as photos, phone book, etc.;
-
If in doubt, a user should remove dubious apps to minimise the risk of data leakage.
If members of the public find that their personal data are used improperly, they may consider making enquiries to and negotiating with the relevant individuals / organisations. If they are not satisfied with the responses, they may lodge a complaint with the PCPD. Upon receipt of the complaint, the PCPD will contact the complainant and the party complained against to decide if investigation is warranted. If the case involves criminal conduct, it will be referred to the Police for criminal investigation.
The PCPD has published the information leaflet “
Protect Privacy by Smart Use of Smartphones”. For tips on personal data protection, please visit the thematic website, Be SMART Online (
www.pcpd.org.hk/besmartonline). Moreover, the PCPD has published the “
Best Practice Guide for Mobile App Development” to assist mobile app developers in building privacy-friendly apps. It provides an easy-to-understand overview of the legal requirements and the Privacy by Design approach in developing products and services.
- END -