
Media Statement - Privacy Commissioner’s Office Publishes Two Reports

Date: 1 June 2023


The Office of the Privacy Commissioner for Personal Data (PCPD) today published two reports, namely (1) an investigation report on the “Unauthorised Access to Credit Data in the TE Credit Reference System” and (2) a report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms”, together with the leaflet on “Tips for Users of Online Shopping Platforms”.

1. Investigation Report: Unauthorised Access to Credit Data in the TE Credit Reference System
 
The TE Credit Reference System was operated by Softmedia Technology Company Limited (Softmedia). Around 680 money lending companies used the TE Credit Reference System, which contained the credit data of about 180,000 borrowers. Upon completion of its investigation into the unauthorised access to credit data in the TE Credit Reference System, the PCPD published an investigation report today. The investigation arose from a complaint lodged by a complainant reporting that his credit data in the TE Credit Reference System had been accessed a number of times by eight money lending companies unknown to him, without his knowledge or consent. The complainant was of the view that the TE Credit Reference System did not put in place adequate security measures to protect his personal data.
 
As a result of the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that there were deficiencies in the security measures taken by Softmedia to protect personal data and in the retention period of credit data in the following three aspects:
  • Failure to take practicable steps to protect the personal credit data from unauthorised access, processing or use;
  • Weak password management; and
  • Prolonged retention of the credit records of borrowers who had completed their repayments more than five years ago.
In this case, the Privacy Commissioner found it regrettable that Softmedia failed to implement appropriate security measures to monitor and manage the access to and use of the TE Credit Reference System by money lenders, resulting in the unauthorised access, processing or use of the complainant’s personal data. In addition, despite the volume and nature of the data in question, Softmedia failed to adopt a robust password policy or set expiration dates for passwords. Such password management does not meet the basic requirements for network security and demonstrates obvious inadequacies in Softmedia’s security measures for the protection of personal data. Furthermore, Softmedia retained over 50,000 credit records of borrowers who had completed their repayments more than five years ago. This constitutes unnecessary and prolonged retention, disregarding the requirements of the Personal Data (Privacy) Ordinance (PDPO) and also exposing the personal data of the borrowers concerned to risks of data breach.
 
In the circumstances, the Privacy Commissioner is of the opinion that Softmedia has failed to take all practicable steps to protect the personal data in the TE Credit Reference System against unauthorised or accidental access, processing, or use, thereby contravening Data Protection Principle 4(1) in Schedule 1 to the PDPO relating to the security of personal data. Softmedia also failed to take all practicable steps to ensure that personal data is not kept longer than is necessary, thus contravening Data Protection Principle 2(2).
 
The Privacy Commissioner has served an enforcement notice on Softmedia, directing it to remedy the contraventions and prevent recurrence of similar contraventions. 
 
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “The fact that the operation and management of the TE Credit Reference System is not regulated by any industry code or relevant laws of the financial sector is far from satisfactory. To ensure the protection of borrowers’ personal data and the data security of the credit reference database, I recommend that the operation and management of any credit reference database should be regulated or supervised through laws, regulations, guidelines, industry codes or licensing systems.”

Through the report, the Privacy Commissioner also makes the following recommendations to Softmedia and other operators of credit reference databases:
  • Implement a Personal Data Privacy Management Programme, through which the protection of personal data privacy can be incorporated into the organisation’s data governance responsibilities;
  • Appoint Data Protection Officer(s) to monitor compliance with the PDPO;
  • Appoint an Independent Compliance Auditor to conduct regular compliance audits on the mechanism and means of providing credit reference services; and
  • Increase Penalties for Contraventions to deter the recurrence of violations by money lenders.
Download the Investigation Report “Unauthorised Access to Credit Data in the TE Credit Reference System”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r23_21242_e.pdf

2. Report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms” and Leaflet on “Tips for Users of Online Shopping Platforms”
 
With the development of the Internet and the growing maturity of online trading platforms, online shopping has become increasingly prevalent. While online shopping brings convenience and benefits to consumers, it also brings risks to personal data privacy. The PCPD therefore reviewed the privacy settings of 10 online shopping platforms commonly used in Hong Kong, including the websites and mobile applications of the relevant operators, to understand how these online shopping platforms collect and use personal data of users. The platforms are, namely, Baby Kingdom – BKmall (BKmall), Carousell, eBay, Fortress, HKTVmall, JD.COM, PlayStation App (PlayStation), Price.com.hk, Samsung and Taobao. The PCPD today released the report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms” and the leaflet on “Tips for Users of Online Shopping Platforms”.
 
According to the review results, the PCPD’s overall observations on the protection of users’ privacy by the online shopping platforms reviewed are as follows:
  • All online shopping platforms reviewed have formulated privacy policies, which specify that they collect between 12 and 23 types of personal data;
  • BKmall, eBay, Price.com.hk and Samsung allow purchases without requiring user account registration;
  • Most of the platforms have set a minimum registration age of 18. Only BKmall, Price.com.hk and Taobao have not specified any minimum registration age;
  • PlayStation and Samsung collect users’ dates of birth to verify that they are over 18 years old. eBay and HKTVmall require users to confirm that they have reached the age of 18 during user registration. Although Carousell, Fortress and JD.COM have set minimum age requirements, there are no measures in place to prevent registration by persons under 18 years old;
  • BKmall, Carousell, Fortress and Samsung provide options to users during the registration process to indicate whether they accept advertising or promotional messages. Although eBay, HKTVmall, PlayStation and Price.com.hk provide such options, the default setting is “agreed”. Taobao does not provide similar options during user registration but allows users to activate or deactivate “Personalised Recommendations” in the “Account Settings” section. JD.COM neither provides such an option during registration nor displays any message seeking relevant consent from users;
  • All online shopping platforms reviewed track users’ activities, including location information, browsing history, transaction history and device information;
  • All online shopping platforms reviewed state in their privacy policies that they transfer personal data of users to third parties, including business partners, affiliates or related companies, advertising and promotion partners, external service providers, etc.;
  • Most online shopping platforms reviewed accept payment through third-party payment platforms;
  • Carousell, eBay and PlayStation rank the highest in the readability of their privacy policies; and
  • All online shopping platforms reviewed allow users to delete their user accounts. Carousell, eBay, JD.COM and Price.com.hk provide users with clearer means for account deletion.
The PCPD has issued the report to the operators of the online shopping platforms reviewed, and provided the following recommendations to operators of online shopping platforms:
  1. Appoint a Data Protection Officer to monitor compliance with the PDPO and establish a Personal Data Privacy Management Programme;
  2. Collect only necessary personal data: Online shopping platforms should allow users to shop as guests and only collect necessary personal data to process transactions;
  3. Provide an option for using personal data in direct marketing: Clearly inform users that their personal data will be used for direct marketing purposes and obtain their consents. The default setting of the option should not be “agreed”;
  4. Provide secure payment channels: Provide users with secure payment methods or channels, e.g. trusted third-party payment platforms;
  5. Provide a clear, comprehensive and easy-to-understand privacy policy: Adopt a layered presentation or provide images, video clips or other concise and easy-to-understand methods to increase the readability of the privacy policy or related content;
  6. Cautiously use third-party services: Online shopping platforms should ensure the reliability of third-party service providers regarding privacy protection and information security;
  7. Increase transparency in tracking users’ activities: Clearly inform users how their activities are tracked and the purposes of tracking. Provide appropriate options for them to decide if they accept such tracking;
  8. Adopt “Privacy by Default” setting: Adopt “Privacy by Design” and “Privacy by Default” when designing online shopping platforms. This includes setting all privacy-related options to protect user privacy by default;
  9. Provide sufficient user control: Provide more privacy setting control options to protect user privacy, including non-registration login method, preferences for receiving various messages, user tracking options, and record deletion (such as transaction or search records), etc.; and
  10. Provide a convenient option to delete accounts: Provide simple means for users to delete accounts, hence reducing the retention of data for those who no longer use the platform.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, stated, “Undoubtedly, online shopping brings various benefits to users and has become part of their daily lives. However, as online shopping platforms collect and use users’ personal data, they also bring risks to personal data privacy. I urge users to be vigilant and use online shopping platforms wisely to reduce the risks posed to personal data privacy. In this regard, the PCPD publishes the leaflet on “Tips for Users of Online Shopping Platforms” which provides tips to users on how to carry out online shopping safely while protecting their personal data privacy.”
 
The PCPD provides the following tips to users of online shopping platforms:
 
Protecting Personal Data Privacy
  • Provide the minimum amount of personal data: Only provide the minimum amount of personal data required for registration and transactions, or consider conducting transactions as a guest;
  • Pay attention to direct marketing settings and make corresponding choices based on personal needs;
  • Consider using third-party payment platforms: Use a reliable third-party payment platform to settle transactions;
  • Read the privacy policy to understand the platform’s purposes and means of collecting personal data;
  • Adjust privacy settings: Check default privacy and security settings, delete unnecessary tracking functions or refuse requests for access to personal data;
  • Delete unused accounts to avoid identity theft and reduce the risk of data leakage;
Safe Online Shopping
  • Verify the authenticity of the platform and ensure that the website or application is the official one. Users may search for information on the platform first;
  • Use the platform securely: Avoid using public Wi-Fi for transactions and use strong passwords;
  • “Stop and think” before clicking and avoid providing personal data arbitrarily. Users may consider checking Scameter (https://cyberdefender.hk/en-us/) if in doubt; and
  • Regularly check online shopping accounts and report problems. If there is any suspicion of fraud, immediately report the case to the Police or contact the PCPD.
Download the report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms” (Chinese version only):
https://www.pcpd.org.hk/english/resources_centre/publications/files/pcpd_digitalage_pamphlet.pdf
 
Download the leaflet on “Tips for Users of Online Shopping Platforms”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/pcpd_digitalage_leaflet.pdf

The Privacy Commissioner, Ms Ada CHUNG Lai-ling, introduced the two reports.

The Privacy Commissioner, Ms Ada CHUNG Lai-ling (centre), Senior Legal Counsel, Ms Hermina NG Wing-hin (left), and Acting Chief Personal Data Officer (Compliance & Enquiries), Mr Brad KWOK Ching-hei (right), elaborated on the investigation report on Unauthorised Access to the TE Credit Reference System and the report on “A Comparison of the Privacy Settings of 10 Online Shopping Platforms”.
-End-