Privacy Complaints Appear to Start to Stabilise Generally
Despite a Significant Increase in Direct Marketing Related Cases
The PCPD will intensify educating both individuals and organisations with a view to developing a culture of “Protect and Respect Personal Data” in Hong Kong
(24 January 2017) The number of complaints received on direct marketing and cases referred to the Police for criminal investigation by the Privacy Commissioner for Personal Data ("PCPD") had substantially increased in 2016. Complaints relating to Information and Communications Technology (“ICT”) remained high during the year.
2. In the media tea gathering held today (24 January 2017), Mr Stephen Kai-yi Wong, the Privacy Commissioner, briefed on the office’s work in 2016, “The surge in the number of privacy complaints relating to direct marketing reflected not only the extent of nuisance resulting from the activities, but also the increasing awareness of the members of the public in protecting their own personal data. With the advancement in internet technology, mobile apps and social media platforms have already become part and parcel of our daily lives. The number of enquiries and complaints relating to ICT remained high as a result. Meanwhile, CCTVs, webcams and drones are gaining popularity, concerns about privacy also rose last year. That said, the number of complaints appears to stabilise generally. With the usage of big data, as well as Internet of Things and Artificial Intelligence taking shape, if not already gathering pace, we expect further challenges in our attempt to seek the right balance between the free flow of information and personal data privacy protection.”
3. The first day of Chinese New Year, which will be on 28 January 2017, is also the internationally proclaimed “Data Protection Day”. The Privacy Commissioner took this opportunity to remind members of the public as well as organisations the importance of developing a culture of “Protect and Respect Personal Data”, “for members of the public, the key is to safeguard own personal data and keep it in their good hands, especially with the ever-evolving ICT applications. We should read the privacy terms carefully and review privacy setting from time to time. It is also crucial for us to respect others’ privacy by asking the relevant persons before uploading or sharing their personal information. For organisations, we appeal to them for ‘self-regulation’ by providing user-friendly privacy statements and meaningful options to their clients, as well as establishing best practices in accordance with laws and guidance on protecting customers’ personal data in order to continue to win the reputation and trust from their clients. With ‘protection’ and ‘self-regulation’ in mind, we look forward to embracing the challenges and grasping the opportunities brought by the innovative technologies and smart city development in the new year.”
The highlights of the PCPD's performance in 2016 are outlined as follows:
Enquiries
4. In 2016, the PCPD received a total of 16,180 enquiries
[1], dropped by 12.3% as compared with 18,456 enquiries in 2015. They were mainly concerned with collection and use of personal data (e.g. Hong Kong identity card numbers and copies) (14.2% and 13.9% respectively), employment (11.2%) and use of personal data in direct marketing (7.5%).
5. There was an increase of 21.9% in internet related enquiries, from 726 cases in 2015 to 885 cases in 2016, mainly relating to cyber-profiling, mobile apps and cyber-bullying.
Complaints
6. During the same year, the PCPD received 1,838 complaints, which represented a 7% decrease as compared with 1,971 complaints in 2015.
7. Of the complaints received, 73% were made against the private sector (1,335 cases), 9% against the public sector / government departments (171 cases) and 18% against individuals (332 cases).
8. Among the private sector organisations, the financial sector received the most complaints (389 cases), followed by property management (264 cases) and telecommunications (71 cases).
9. Regarding the nature of the complaints, 45% related to the use of personal data without the consent of data subjects (819 cases), 37% to the purpose and manner of data collection (677 cases), 10% to data security (188 cases) and 7% to data access/correction requests (129 cases).
Use of Information and Communications Technology ("ICT")
10. The PCPD received 229 ICT-related privacy complaints last year, representing a slight decrease of 5%, as compared with 241 cases in 2015.
11. Common privacy disputes arose from the use of mobile apps and social networking websites (147 cases), the disclosure or leakage of personal data on the Internet (91 cases) and cyber-bullying (26 cases).
Electioneering
12. A total of 73 electioneering-related complaints were received, the majority (51 cases) of which related to the 2016 Legislative Council General Election. Most of the complainants objected to their personal data having been used in electioneering activities without their consent.
13. In July 2016, the PCPD issued an infographics on the
Electioneering Activities Guidance that included previous complaint cases to facilitating better understanding of the compliance with the requirements of the Personal Data (Privacy) Ordinance (“Ordinance”).
Compliance Checks and Self-initiated Investigations
14. A total of 89 data breach incidents affecting 104,000 Hong Kong individuals were reported to the PCPD in 2016, representing a drop of 9% as compared with 98 incidents involving 871,000 individuals in 2015. These incidents involved the loss of documents or USBs, inadvertent disclosure of personal data by email or post, hacking, and system failure etc.
15. The PCPD completed 290 compliance checks and 13 self-initiated investigations in 2016, as compared with 284 checks and 76 investigations in 2015.
Inspection
16. During the year, the PCPD conducted an inspection of an estate agency in view of the vast amount of clients’ personal data it collected and retained. The purpose of the inspection was to assist the Privacy Commissioner in making recommendations to the estate agency industry with a view to promoting compliance with the provisions of the Ordinance.
Enforcement Action
17. In 2016, the PCPD issued 36 warnings and six enforcement notices to organisations as compared with 17 warnings and 67 enforcement notices in 2015.
Prosecution
18. During the same period, 112 cases were referred to Police for criminal investigation and prosecution (30 in 2015), of which 109 cases related to contraventions involving the use of personal data in direct marketing (28 in 2015).
19. The total number of prosecutions in 2016 was five (six in 2015). During the year, a case relating to contraventions involving the use of personal data in direct marketing was still under trial, and the determination was made in January this year.
Direct Marketing
20. In 2016, the PCPD received a total of 1,809 direct marketing related enquiries (2,201 in 2015). On the other hand, 393 direct marketing related complaints were received last year, which represented an increase of 22% as compared with 322 cases in 2015.
21. Since the new direct marketing regulatory regime took effect on 1 April 2013 under the Personal Data (Privacy) (Amendment) Ordinance 2012, as of 31 December 2016, a total of seven cases that were referred to the Police for criminal investigation had resulted in convictions. There were three convictions in 2016:
April 2016
|
An insurance agent used the personal data of a data subject in direct marketing without taking specified actions and obtaining his consent, and failed to inform the data subject, when using his personal data in direct marketing for the first time, of his right to request not to use his personal data in direct marketing without charge. |
A Community Service Order of 80 hours was imposed in respect of each charge, to be served concurrently |
May 2016
|
A marketing company used the personal data of a data subject in direct marketing without taking specified actions and obtaining his consent, and failed to comply with the requirement from the data subject to cease to use his personal data in direct marketing. |
Fined HK$8,000 in respect of each charge; HK$16,000 in total |
December 2016
|
A watch company used the personal data of a data subject in direct marketing without taking specified actions and obtaining his consent, and failed to inform the data subject, when using his personal data in direct marketing for the first time, of his right to request not to use his personal data in direct marketing without charge. |
Fined HK$8,000 in respect of each charge; HK$16,000 in total |
Legal Assistance Scheme
22. The Legal Assistance Scheme commenced on 1 April 2013. Under the scheme, the PCPD may provide assistance to a person who intends to institute proceedings to seek compensation from the relevant data user for the damage suffered by reason of a contravention under the Ordinance. The PCPD received nine new applications for legal assistance in 2016. Together with the six applications brought forward from 2015, the PCPD handled 15 applications in 2016. Of these applications, four were granted legal assistance, four were refused, one was withdrawn by the applicant and six were being considered. The main reasons for refusing applications included the failure to provide evidence to substantiate any damage suffered and the absence of prima facie evidence of contravention of the Ordinance.
Appeals Lodged with the Administrative Appeals Board (“AAB”)
23. Of the 38 appeal cases received in the year, 35 of which appealed against the Privacy Commissioner’s decision not to carry out a formal investigation or to terminate an investigation. One appeal was against the decision not to accept the relevant case as a “complaint” under section 37 of the Ordinance. One was against the Privacy Commissioner’s decision not to serve an enforcement notice after the investigation. The remaining appeal was against the decision to serve an enforcement notice after the investigation.
24. A total of 34 appeals were concluded in 2016, 19 of which were dismissed by the AAB and 13 were withdrawn by the appellants. Two appeals were partly allowed. Over 90% of the appeals were eventually dismissed by the AAB or withdrawn by the appellants.
External Connection
25. As in the past, the PCPD actively participated in various international conferences last year to enhance communications, networking and cooperation with other privacy enforcement authorities. The Privacy Commissioner also took a leading role in the major international personal data protection associations. For example, he has become the executive committee member of the Global Privacy Enforcement Network (GPEN) and the International Conference of Data Protection Commissioners (ICDPPC) since 2016. Through these international associations and conferences, mutual trust has been built and solid foundation for cooperation has been laid between the PCPD and the other overseas authorities. When cross-boundary incidents happen, the PCPD can promptly get in touch with the relevant counterparts for follow-up actions pursuant to international cooperation conventions, and vice-versa.
Media
26. In 2016, the PCPD issued 31 media statements and responded to 171 media enquiries. The Privacy Commissioner and his team members gave 51 media interviews, of which nearly 40% were ICT-related, with timely topics included CCTV surveillance, mobile applications, data breach incidents and direct marketing.
Promotion and Public Education
27. During the year, a total of 18 large-scale promotional and education activities were organised to cater for the needs of the individuals and organisations, reaching over 190,000 participants. A total of 255 professional workshops, seminars and talks were conducted. These events engaged a broad range of stakeholders, with a total of 25,800 participants (increased by 38% from 2015) from over 420 organisations. The PCPD also published and revised 21 publications in 2016, including codes of practice / guidelines, information leaflets and infographics.
28. One of the strategic objectives in 2016 was to promote the culture of "protecting and respecting personal data” through various channels to raise the awareness of personal data protection among organisations and enterprises. The office has been proactive in advocating the implementation of Privacy Management Programmes (PMPs) in organisations and enterprises to ensure compliance and good practices. In March last year, a new PMP professional workshop was launched for organisations to learn the basic principles and essential modules of the PMP, as well as learning how to continuously maintain and enhance the programme. The PCPD also encouraged organisations to embrace personal data privacy protection as part of their corporate governance responsibilities, and implement it using a top-down approach, marking a shift from compliance to accountability.
29. The emergence of big data and the evolving ICT are generating efficiency and opportunities to the community at large, trade and commerce included, but at the same time bringing challenges to personal data privacy protection as well. The PCPD held the “Mobile App Development Forum on Privacy and Security” in April 2016 to explore how to develop mobile apps with data protection in mind and manage security risks. The Forum attracted over 200 attendants. In addition, the office and the School of Law of the City University of Hong Kong jointly organised the Symposium on “Data Protection Law Development in the Information Age” in September 2016 to provide a platform for privacy advocates, academics, policy makers, government and business leaders in the region to exchange views and share experience on the development of data protection regulatory frameworks and how to better handle changes ahead, attracting over 100 participants. Throughout the year, the Privacy Commissioner and the office’s senior management staff were invited to speak and share views on how to strike the right balance between personal data protection and the free flow of information at more than 20 presentation occasions, seminars and talks.
30. The PCPD also met with the representatives of various chambers, trade associations, professional bodies (including banking, insurance, communications and ICT sectors), leading corporations and government-related organisations to understand the new agenda on personal data privacy that they were facing with the changing business environment. It was also a more efficient way to make use of their networks and membership to promote the importance of privacy protection. The office partnered with the Trade and Industry Department, "SME One" of the Hong Kong Productivity Council, the SME Centre of Hong Kong Trade Development Council, etc. in organising talks to assist the small-and-medium enterprises (“SMEs”) to understand the provisions and applications of the Ordinance.
31. The PCPD is also connected and attuned to the markets. Last year, the Privacy Commissioner issued three new publications, namely the “
Guidance on the Proper Handling of Customers' Personal Data for the Beauty Industry”, “
Personal Data (Privacy) Ordinance and Electronic Health Record Sharing System (Points to Note for Healthcare Providers and Healthcare Professionals)” information leaflet and “
Bring Your Own Device (BYOD)” information leaflet. Code of practices / guidance notes and information leaflets were also revised for the property management sector, mobile service operators and the human resources profession. Three new infographics that provided concise summary were issued for the beauty companies, mobile service operators, and for enterprises to manage data breach notifications. All these publications were aimed to assist the enterprises and specific industries to understand and comply with the Ordinance, and to implement the best practices.
32. The PCPD produced a series of four educational videos in March 2016, featuring a fictional character “Privacy Detective” who explained the importance of respecting personal data privacy of others and the privacy risks associated with digital footprints in a humorous and lively way.
33. The PCPD also launched a large scale TV production entitled “Privacy Beyond Price II” in partnership with RTHK. The six-episode TV docu-drama series, featuring privacy issues such as CCTV surveillance, direct marketing, cyber-bullying that based on real cases, was aired from July to September 2016. The docu-drama had given the audience an insight into the Ordinance and the culture of "protecting and respecting personal data”.
34. The Student Ambassador for Privacy Protection Programme was revamped last year by adopting a brand new scheme called the “School Partners Recognition Scheme”. Under the Scheme, the office offered “school partner” awards to commend and publicly recognised the achievements of secondary schools that demonstrated good practice in promoting personal data privacy protection on campuses. The office, for the first time, staged a secondary school roadshow with an exhibition vehicle shuttling over 40 secondary schools and provided personal data protection tips for the youngsters and teachers. A record-high of 125 schools joined the 2016 Programme and became our school partners.
35. Last year the PCPD extended the promotion of "protecting and respecting personal data” to the elderly and children. To help senior citizens recognise potential data privacy risks, talks were scheduled in collaboration with the Hong Kong Society for the Aged and the Mongkok Kaifong Association to share tips on personal data protection in daily life. In addition, the office’s representatives were invited to deliver talks for primary schools, teaching young students to stay alert of their digital footprints and learning how to deal with cyber-bullying.
36. The PCPD is dedicated to enhance the information provided on its main website (PCPD.org.hk) and two thematic websites, namely “Be SMART Online” and “Children Privacy”. As for the main website, it was granted the Silver Award in the “Web Accessibility Recognition Scheme” for the second consecutive year. The average monthly visits in 2016 reached over 54,000, representing year-on-year increase of 6%. The revamp of the “Be SMART Online” thematic website was completed in December, and the website received the Gold Award in the “Web Accessibility Recognition Scheme 2016”. The “Children Privacy” thematic website also won the Silver Award of the scheme.
Key Issues in 2016
CCTV Surveillance
37. CCTVs are increasingly being used in businesses and homes for surveillance, so are in public transport amenities. Relevant personal data protection issues have naturally been flagged up, discussed and debated in the community.
38. Last August, an art gallery in London staged an exhibition which featured images captured from unsecure webcams in Hong Kong. The PCPD referred the case to the Information Commissioner’s Office in the UK for follow-up actions pursuant to international cooperation arrangements. The artist then agreed to obscure or blur the faces of the people in the webcam images displayed in the gallery, and stopped selling prints of those images. The Privacy Commissioner also provided tips for the users of Internet-connected devices on protecting their own personal data.
39. Members of the public were also concerned about the installation of CCTV cameras in taxis and the intrusion of their privacy raised in the fourth quarter last year, including the trial scheme to install CCTV cameras in taxis carried out by the Association of Taxi industry Development, and an incident in which a taxi driver posted a photo of a passenger breastfeeding her baby on social media site. The PCPD also offered advice based on the guidance issued for data users on determining whether CCTV should be used in given circumstances and how to use CCTV responsibly.
Mobile Applications (“apps”)
40. Using smart devices is an integral part of life among members of the public. There are potential risks posed by the mobile applications to the privacy of users. Related key issues in 2016 included a) Pokémon Go, a location-based, augmented reality game app requiring the users to activate their location function and the device camera but this may involve personal data collection and usage. b) instant messaging app WhatsApp changed the service terms and privacy policy intending to share user information with parent company Facebook; and c) the collection and integration of users’ personal data by three mobile apps with "call-blocking" function. The Privacy Commissioner expressed concerns to these issues and had taken follow-up actions or provided tips for users on safeguarding their personal data.
Study on IoT devices
41. The study, conducted during April to June 2016, was part of the Sweep exercise of the Global Privacy Enforcement Network ("GPEN"). By conducting this study, the PCPD aims to explore the privacy challenges and implications brought by the fitness bands so as to raise the privacy awareness of the device manufacturers. The office also wanted to educate the users of these devices on how to protect their personal data.
Published the “Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance”
42. Jointly published by the PCPD and the City University of Hong Kong Press, this edition includes not only a full discussion of the data protection principles under the Ordinance, but also summaries of all the seminal cases and Administrative Appeals Board discussions in this area which assist the readers in understanding the legal framework and application of personal data protection law in Hong Kong.
Strategic Focus for 2017
43. The PCPD will continue to stanchly protect the personal data privacy right of individuals in the best interest of economic development, innovative and scientific growth, and the core values of the freedom of speech and expression, with a view to striking a proper balance between protection of this fundamental human right and the free flow of information.
44. Specific focus will be placed on:
-
Organising the 39th International Conference of Data Protection and Privacy Commissioners (“ICDPPC”):
The 39th ICDPPC will be held from 25 to 29 September 2017. It will be attended by all in the data protection community including data protection authorities, data controllers, privacy related enterprises, business entities, professionals and academia. This Conference is also accepted by the Government of the Hong Kong Special Administrative Region as one of the events celebrating the 20th anniversary of the establishment of the Hong Kong Special Administrative Region of the People’s Republic of China. The office is now working on the conference programme and topics and inviting speakers.
-
Research on the impact of the new EU regulations on Hong Kong:
The PCPD will carry out a comparative law study in view of the rapid development and advancement in ICTs as well as the implementation of the new European Union General Data Protection Regulation in 2018.
-
Enhancing public education and promotional activities:
The PCPD will launch a new TV Announcements in the Public Interest (“API”) together with a series of educational video to offer useful information to the members of the public on how to protect their personal data online or when using smart devices. This year the office will further strengthen the education and promotional efforts targeting, in particular, primary school students, the elderly and the SMEs. It will also organise tailor-made promotional activities for different stakeholders.
-
Publishing a Chinese book on personal data protection law in Hong Kong:
The PCPD will publish a book in Chinese covering the scope of personal data, the meaning of data users, the requirements of six Data Protection Principles and the major exemptions under the Ordinance. Targeting at the general publics, the book will contain real and interesting cases written in simple language.
[1] A compliant may cut across different categories
-END-
Photos:
1.
(From left to right) The Deputy Privacy Commissioner, Ms Fanny Kam-hing WONG, the Privacy Commissioner, Mr Stephen Kai-yi WONG and Chief Legal Counsel, Ms Brenda Mei-ling KWOK attended the PCPD’s media tea gathering today.
2. (
From left to right) The Privacy Commissioner, Mr Stephen Kai-yi WONG, the Deputy Privacy Commissioner, Ms Fanny Kam-hing WONG and Chief Legal Counsel, Ms Brenda Mei-ling KWOK introduced the newly issued Infographic entitled
"Protect, Respect Personal Data – Smart Use of Internet of Things" and the
“Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance” published last year to alert us “Data Protection in Your Hands”.