In recent years, navigation across different social media and online shopping platforms has been experiencing a meteoric rise. According to a study of an international fintech company, around 76% of the population in Hong Kong shopped online last year, and it was estimated that the percentage of Hongkongers who shop online would rise to 83.8% by 2025.
The unprecedented surge of digital advancements means it only takes the touch of a finger for you to shop or communicate online. However, almost every transaction or a mere ‘swipe’ involve giving away your personal data, such as your browsing history, location information or even credit card details.
My office’s recent report, “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms” revealed that all online shopping platforms reviewed tracked users’ activities, including their location, browsing history, transaction history and device information. It may come as a surprise that all of them also transferred users’ personal data to third parties, including not only advertising and promotion partners but also external service providers.
Similarly, in another review conducted by us on the privacy settings of ten most commonly used social media platforms, it was found that all social media platforms reviewed collected users’ location data (including both their precise and coarse locations), and most kept users’ credit card details.
The above reports reveal that social media and online shopping platforms collect a considerable amount of personal data from their users. What users might not be aware of is that those data are exposed to the risks of data scraping (which involves the extraction of data, including personal data, from the internet using automated processes) or data breaches. Fraudsters may also rely on such data to profile or track their targets, or worse still, for doxxing.
In a nutshell, the more data you provide to these platforms, the greater the risk to your personal data privacy.
Strengthening Data Security to Meet Tomorrow’s Threats
In Hong Kong, the Personal Data (Privacy) Ordinance imposes a positive duty on data users, be it online shopping platforms or social media platforms, to, inter alia, safeguard the security of personal data. Data Protection Principle 4(1) in particular requires a data user to take all practicable steps to ensure that any personal data held by the data user is protected against unauthorised or accidental access, processing, erasure, loss or use.
Apart from local regulation, the ever growing complexity of the digital landscape and the borderless nature of the online world call for a collaborative approach among regulatory authorities to safeguard data security.
As the co-chair of the International Enforcement Cooperation Working Group of the Global Privacy Assembly, my office has been advocating closer co-operation and collaboration among regulatory authorities worldwide to address issues common to us.
In August this year, my office joined hands with 11 other data or privacy protection authorities around the globe, including the privacy or data protection authorities from Australia, Canada and the United Kingdom, to issue a joint statement to social media platforms and other websites that host publicly accessible personal data about global expectations and principles on privacy protection, with a view to highlighting the key privacy risks associated with data scraping, and reminding social media platforms and other websites of their responsibilities to protect personal data from unlawful data scraping.
The signatories recommend that social media platforms and websites should implement multi-layered technical and procedural controls to mitigate the privacy risks of data scraping. On the other hand, before sharing their personal data online, users should beware of the risk that their personal data could be within the reach of potential scrapers who could use it for harmful purposes. Users are also advised on the measures they can take to mitigate the risk of data leakage.
Other than regulation, it appears that the key to creating a safe and beneficial digital environment is the heightened awareness and continuous commitment by all towards strengthening data security.