Newspaper Column

Feature Interview with Privacy Commissioner by Biz@HKUST, the HKUST Business School Magazine

Personal Data Privacy Matters

The Office of the Privacy Commissioner for Personal Data aims to inspire citizens to be more careful about how they use their personal data online. But this involves challenges, says the Privacy Commissioner Ada CHUNG.

When it comes to developing a culture of privacy, protection and respect for personal data, Ada Chung, the Privacy Commissioner for Personal Data (Privacy Commissioner) in Hong Kong, has a massive job on her hands. As an independent watchdog, the Office of the Privacy Commissioner for Personal Data (PCPD) is designed to monitor, supervise, promote and enforce compliance in relation to the Personal Data (Privacy) Ordinance (PDPO), which came into effect in 1996.

Aside from supervising and enforcing protection of personal data privacy, the PCPD provides guidance, public education and best practice notes on the lawful and responsible use of personal data. In today’s digital world, this is no easy task. The rise of technology and the growing use of social media and apps are driving a proliferation of data, and online activities have increased dramatically, especially during the pandemic. Consequently, the PCPD has its hands full putting out fires while trying its best to educate the public and businesses about respecting and safeguarding personal data.

According to the results of a survey released by the PCPD in January 2021, over 85 per cent of Hong Kong citizens are active users of social media, and share personal information online, Chung says. This information often includes their date of birth, residential address, and health information.

Ominously, most online users are unaware that they are sharing these details. “This is dangerous,” Chung says. “If personal data is leaked, it can be misused, and that can lead to the perpetration of crimes or fraud. In Hong Kong, in the past two years, doxxing has become rampant, which has caused serious and long-lasting effects on its victims.”

Doxxing is the act of disclosing the personal data of a data subject without the relevant consent of the data subject, and the discloser is being reckless or has an intent to cause harm to the data subject or any family member of the data subject. There has been a notable rise in doxxing in Hong Kong in recent years. The privacy watchdog noted that over 5,800 doxxing cases were handled between June 2019 and June 2021.

Data breaches are also becoming more frequent worldwide. The number of high-profile data breaches which have affected a huge number of individuals has been increasing. One recent example occurred in April 2021, when networking data associated with 500 million LinkedIn users was posted on a forum on the Dark Web. Hong Kong citizens were certainly among those affected. “In the past few years, the scale of this has been unprecedented,” Chung says, noting that things may get worse.

Fundamental Human Rights

For this reason, the PCPD plays an increasingly important role when it comes to protection of personal data privacy. Hong Kong recently made amendments to its privacy laws which gave significant powers to the Privacy Commissioner to remove doxxing messages. This legislation also carries extra-territorial powers, so the Privacy Commissioner can serve cessation notice to internet service providers having a place of business in Hong Kong, or operators of overseas social media platforms which are outside of Hong Kong, to take down any information that is deemed to be doxxing, within a designated timeframe.

“Privacy is a fundamental human right. Protection of personal data is indispensable in protecting individuals’ privacy,” Chung says. “Protection of personal data is particularly important in a digital era where anyone’s personal data can be widely shared in a split second.”

Given the boundless nature of the internet, and the global increase in digitalization, the PCPD will not be able to achieve its mission alone. Chung says that everyone must play a part to protect personal data privacy. This is the key message that the PCPD has been promoting to the public.

Chung emphasizes that the development of mobile applications and data-driven technology mean that businesses and individuals who are data users have an equal responsibility to meet the legal requirements that are set out in the PDPO. They are required to comply with the six Data Protection Principles when collecting, holding, processing and using personal data, Chung says.

Part of the PCPD’s job is to ensure that everyone is familiar with the PDPO and knows how to apply them. That includes both organizations and individuals. Promotion and publicity work have to take place in order to raise the awareness of how to protect personal data, especially for the more vulnerable segments of society such as the youth and the elderly.  “A lot of people are simply not aware of these issues,” says Chung in an urgent tone. “They need to be aware that their personal data is a valuable asset and that they shouldn’t be giving it away too easily, and in arbitrary manner,” she says. The watchdog has also been visiting schools to educate students about personal data protection, and to increase the general awareness of scams and fraud. Chung also wants to teach students to be wary of online communications from unknown sources.

Regulations Set to Increase

As technology such as artificial intelligence (AI) becomes more commonplace, the PCPD will continue to have a greater role to play in safeguarding personal data. So looking to the future, Chung says that regulations will likely become more common, and there will be a greater focus on automated technology like AI.

The PCPD recognizes that AI is developing rapidly, and is aware of the many privacy concerns and risks to fundamental human values that could arise. That’s why the PCPD has been working hard to create ethical frameworks. In August this year, the PCPD issued the “Guidance on the Ethical Development and Use of Artificial Intelligence” to help organisations understand and comply with the relevant requirements of the PDPO when they develop or use AI. “The next ten years will be the era of AI, and it will bring fundamental changes to the way people behave, and to our daily lives,” Chung says. “The effect of AI on human beings will be tremendous.” It is for these reasons that Chung thinks frameworks and guidelines must be put in place to regulate how data is being used.

“I believe that in the years to come, there will be more emphasis on accountability and what businesses should do to comply with the law,” Chung says. Such developments will include the development and implementation of Personal Data Privacy Management Programme (PMP) by organizations, to gain trust from customers and other stakeholders, as well as the appointment of Data Protection Officers to oversee organisations’ compliance with the PDPO. Cybersecurity will also become a hot issue in the boardroom in the coming years.


The Ethics of AI

The PCPD proposes seven ethical principles for the ethical development and use of AI

• Accountability - Organisations should be responsible for what they do, and provide justification for their actions.
• Transparency & Interpretability - Organisations should disclose how they use AI, and the relevant policies, to stakeholders while improving the interpretability of automated AI decisions.
• Fairness - Bias and discrimination should be avoided.
• Reliability, Robustness & Security - AI systems should operate reliably, be free of errors, and be protected against attacks.
• Human Oversight - The level of human involvement should be proportionate to the risks and impact of using AI.
• Data Privacy - Effective data governance should be put in place to protect an individual’s personal data privacy during both the development and use of AI.
• Beneficial AI - The use of AI should provide benefits and minimise harm to stakeholders.