Media Statements

The Office of the Privacy Commissioner for Personal Data (PCPD) today reported on its work in 2023 and released a report on “Privacy Concerns on Electronic Food Ordering at Restaurants”. A leaflet containing the tips on protecting privacy in electronic food ordering is also published at the same time.

1. Complaint Cases

In 2023, the PCPD received 3,582 complaints, which represented a decrease of 7% when compared to 3,848 cases in 2022. This was mainly attributable to a decrease in the number of doxxing cases handled in the past year. Of these complaint cases, nearly 92% involved complaints against private organisations or individuals (3,284 cases), while the remaining 8% were against public organisations or government departments (298 cases).

2. Enquiries

The PCPD received a total of 15,914 public enquiries in 2023. The figure increased by 7% when compared to 14,929 cases in 2022. The PCPD handled over 1,300 public enquiries on average per month. Among the public enquiries received in 2023, 32% related to the collection and use of personal data (e.g. Hong Kong Identity Card numbers and/or copies). The other main types of enquiries were about the complaint handling policy of the PCPD (8%), application of the Personal Data (Privacy) Ordinance (PDPO) (6%), and access to and correction of personal data (6%), etc.
 
In 2023, the PCPD received 793 enquiries relating to suspected personal data frauds, which represented an increase of 12% when compared to 707 similar enquiries for 2022.
 

3. Data Breach Incidents

In 2023, the PCPD received 157 data breach notifications, with 48 from the public sector and 109 from the private sector. The figure represented a significant increase of nearly 50% as compared to 105 data breach notifications in 2022. The data breach incidents involved hacking, loss of documents or portable devices, inadvertent disclosure of personal data by email, post or fax, employee misconduct and system misconfiguration, etc. The number of data breach incidents involving hacking more than doubled, showing a significant increase from 29 cases in 2022 (constituted 28% of data breach incidents in 2022) to 64 cases in 2023 (constituted 41% of data breach incidents in 2023).
 
The PCPD initiated 393 compliance checks in 2023, which is comparable to the 392 compliance checks in 2022.

4. Anti-Doxxing Regime

The provisions criminalising doxxing acts under the PDPO came into effect on 8 October 2021. The amendments empower the Privacy Commissioner for Personal Data (Privacy Commissioner) to carry out criminal investigations, institute prosecutions for doxxing-related offences and issue cessation notices to request the cessation of disclosure of doxxing messages.
 
Enforcement Actions in 2023
 
In 2023, the PCPD handled a total of 756 doxxing cases (including doxxing-related complaints received and doxxing cases uncovered by the PCPD’s proactive online patrols). The figure significantly dropped by 57% when compared to 1,764 cases in 2022. Among the aforesaid 756 doxxing cases, 525 of them were doxxing complaints received by the PCPD. The nature of disputes leading to these 525 doxxing acts were mainly monetary disputes (43%), as well as family and relationship disputes (20%).
 
In the same period, the PCPD issued a total of 378 cessation notices to 23 online platforms to request the removal of 10,682 doxxing messages, with a compliance rate of over 95%. Other than individual doxxing messages, 117 doxxing channels were also successfully removed by the cessation notices.
 
The PCPD initiated 140 criminal investigations in 2023, and 31 cases were referred to the Police for further follow-up actions. As regards arrest operations, the PCPD has mounted a total of 30 arrest operations in 2023 (including two arrests made as joint operations with the Police). A total of 31 suspects were arrested. The means used by the doxxers were mainly through social media platforms and instant messaging apps (90%), as well as posters (7%) and mail (3%).
 
Summary of Enforcement Actions under the New Anti-doxxing Regime
 
From the effective date (8 October 2021) of the relevant provisions to 31 December 2023, the PCPD handled a total of 2,884 doxxing cases (including doxxing-related complaints received and doxxing cases uncovered by the PCPD’s proactive online patrols). The PCPD also issued a total of 1,878 cessation notices to 41 online platforms to request the removal of 28,385 doxxing messages, with a compliance rate of over 95%. Other than individual doxxing messages, 192 doxxing channels were successfully removed by the cessation notices.
 
From the effective date (8 October 2021) of the relevant provisions to 31 December 2023, the PCPD initiated 254 criminal investigations, and 63 cases were referred to the Police for further follow-up actions. As regards arrest operations, the PCPD has mounted a total of 42 arrest operations in the same period (including three arrests made as joint operations with the Police). A total of 43 suspects were arrested.

5. Report on “Privacy Concerns on Electronic Food Ordering at Restaurants” and Leaflet on “Food Ordering Using Mobile Apps or QR Codes at Restaurants: Tips for Protecting Privacy”

There is an increasing number of restaurants offering electronic ordering services that allow customers to order food by using a mobile application (app) or scanning a QR code. However, the PCPD noted that restaurants may collect personal data of customers when they provide these electronic ordering services, which raises concerns in the society. As such, the PCPD paid visits to 60 local restaurants from November 2023 to January 2024 to carry out tests on the collection and use of customers’ personal data by the restaurants concerned in the provision of electronic food ordering services. The PCPD today published the findings in a report on “Privacy Concerns on Electronic Food Ordering at Restaurants” and the leaflet on “Food Ordering Using Mobile Apps or QR Codes at Restaurants: Tips for Protecting Privacy”.
 
According to the review results, the PCPD’s overall observations on the protection of customers’ privacy by the restaurants reviewed are as follows:

• All restaurants reviewed offered means for non-electronic food ordering;
• Four restaurants that offered QR code ordering services collected personal data of customers;
• Four restaurants that provided mobile apps ordering services required customers to register an account;
• Some restaurants that allowed customers to place orders through mobile apps in the capacity of guests still required customers to provide their personal data; and
• All restaurants that provided mobile apps ordering services also used customers’ personal data for user tracking and direct marketing.

The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, stated, “Given that electronic food ordering is becoming increasingly common, customers should carefully consider whether they wish to provide personal data when placing food orders through mobile apps or QR codes, and the need to download and use the relevant apps.”
 
Through this review, the PCPD would like to provide the following tips on privacy protection to citizens:
 
Food Ordering through Mobile Apps

1. Understand the information to be accessed, collected or shared by the apps before deciding whether to download and use the apps. Download the apps via official channels;
2. Consider whether to use the mobile apps and create an account solely for restaurant dining purposes;
3. When ordering as a guest using the app, consider whether the types of personal data to be collected are necessary and not excessive, and whether the order could be placed without providing such data;
4. Read the Personal Information Collection Statement carefully to understand the purpose(s) and use(s) of personal data collected by the restaurant;
5. Determine the access permission of the apps based on actual needs, and check the default security or privacy settings in order to opt for the most privacy-protecting setting; and
6. Pay attention to whether the mobile apps provide an option for customers to choose whether they accept direct marketing, and make corresponding choices based on personal needs.

Scanning QR Codes for Food Ordering

1. Stay alert before scanning QR codes. Pay attention to whether the codes have been tampered with, and do not scan any codes from unknown sources;
2. Check the authenticity of the related websites and third-party ordering platforms;
3. Check whether it is possible to place orders without providing personal data, or provide only the minimum amount of personal data required to place orders;
4. Use the built-in QR code scanner on mobile phones as far as practicable; and
5. Do not share the QR codes for food ordering on social media platforms to prevent the possibility of third parties using the QR codes to place orders and potentially causing financial losses.

The PCPD provides the following advice to the food and beverage industry regarding the use of electronic ordering services:

1. Provide food ordering means to customers which do not involve the collection of personal data;
2. Restaurants offering mobile apps for food ordering should allow customers to place orders in the capacity of guests (without registration) using the mobile apps without collecting their personal data or collect minimal amount of personal data according to need;
3. Consider the necessity of collecting customers’ personal data via QR code for food ordering. Where the collection of personal data is involved, provide a Personal Information Collection Statement to stipulate, among other things, the purpose(s) and use(s) of the personal data collected;
4. If customers’ personal data is intended to be used for direct marking purposes, inform and seek consent from customers. The setting for options should not be set as “agree” by default;
5. If a third-party service provider is to be engaged to provide the food ordering platform, ensure that the platform has adequate information security measures to safeguard the personal data collected from customers;
6. Regularly check whether the QR codes for ordering food have been maliciously tampered with; and
7. Formulate a clear data retention policy and regularly delete obsolete or unnecessary customer data so as to minimise the risk of data leakage.

Download report on “Privacy Concerns on Electronic Food Ordering at Restaurants” (Chinese only): https://www.pcpd.org.hk/english/resources_centre/publications/files/foodordering_report.pdf
 
Download leaflet on “Food Ordering Using Mobile Apps or QR Codes at Restaurants: Tips for Protecting Privacy”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/foodordering_leaflet.pdf