PCPD e-NEWSLETTER
ISSUE Oct 2024
Privacy Commissioner’s Office Publishes Investigation Findings on the Data Breach Incident of South China Athletic Association and Launches “Data Security” Package for Schools, NGOs and SMEs
Privacy Commissioner Ms Ada CHUNG Lai-ling (left) and PCPD's Chief Personal Data Officer (Compliance and Enquiries) Mr Brad KWOK Ching-hei (right) introduced the investigation findings of the data breach incident of the SCAA.
On completion of its investigation into the data breach incident of the South China Athletic Association (SCAA), the PCPD published its findings on 22 October 2024. The investigation arose from a data breach notification submitted by the SCAA to the PCPD on 18 March 2024, reporting that its servers had been attacked by ransomware and maliciously encrypted (the Incident). The investigation revealed that in January 2022 a hacker installed malware on one of the SCAA’s servers which was connected to the internet, but there was no evidence of further malicious activities at that time. In March 2024, the hacker compromised the SCAA’s network through the malware created on the aforesaid server and installed remote control software. The hacker subsequently launched brute force attacks on the computer systems of the SCAA through remote access and carried out other malicious activities, including network reconnaissance, defence evasion, disabling anti-virus and anti-malware software, installation of credential harvesting tools and lateral movement, and eventually encrypted files containing the personal data of members through ransomware. The ransomware concerned was a variant of Trigona. In the Incident, a total of eight servers, one data storage device and 18 computers of the SCAA were attacked and encrypted by ransomware. The hacker demanded a ransom from the SCAA to unlock the encrypted files. The Incident affected the personal data of 72,315 members of the SCAA. The personal data involved included names, Hong Kong Identity Card numbers, passport numbers, photos, dates of birth, addresses, email addresses, telephone numbers, and the names and telephone numbers of emergency contact persons. 
The SCAA has notified all affected members and implemented a series of improvement measures to enhance system security after the Incident, which included restricting the connection of intranet services to the Internet, enabling multi-factor authentication for administrator accounts, formulating guidelines on the use of passwords, conducting regular scans to identify security vulnerabilities of its network and fully implementing offline backup of data. The PCPD thanked the SCAA for its cooperation and the provision of the information and documents requested in the investigation. Having considered the circumstances of the Incident and the information obtained during the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the following deficiencies of the SCAA were the contributing factors of the occurrence of the Incident:
- Accidental exposure of the relevant server to the Internet, which significantly increased the risk of cyberattacks to the computer systems of the SCAA. As a result, the hacker used the server concerned as a stepping stone to infiltrate its network and launch ransomware attacks;
- Lack of effective detection measures in the information systems to identify the malicious activities of the hacker conducted in January 2022, which allowed the hacker to intrude into the network of the SCAA in March 2024 through the malware created on the compromised server, remotely control the affected computers, create accounts with administrative rights, and disable the anti-virus and anti-malware software on the server concerned. Between 15 and 16 March 2024, the hacker conducted brute force attacks and made over 43,400 login attempts on another administrator account of the compromised server, with more than 20,000 attempts recorded within a four-hour period. Because the SCAA had not enabled the intruder lockout function for failed login attempts at the material time, the hacker was able to continue the brute force attacks without interruption;
- Failure to enable multi-factor authentication for administrator accounts, which allowed the hacker to access the operating system of the compromised server without any additional identity verification process, and to carry out various malicious activities and encrypt the personal data of members;
- Lack of policies and guidelines on information security, which resulted in the failure to provide comprehensive and concrete security review requirements and procedures on information systems for staff members to follow. The SCAA also failed to formulate a written password policy to set out password complexity requirements, and failed to implement intruder lockout function and password expiration periods to safeguard the security of user accounts;
- Absence of regular risk assessments and security audits to review the effectiveness of security measures, resulting in the failure to take improvement measures to protect the systems which contained the personal data of members from cyberattacks; and
- Lack of offline data backup solutions, hence the backup data of members were encrypted by the hacker in the Incident and this increased the difficulty of data recovery.
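The following is an added illustration, not part of the PCPD's findings or of the SCAA's systems. It applies two of the controls named above, detection of repeated failed logins and intruder lockout, to a constructed log. The log format, account names, addresses, timestamps and thresholds are assumptions; the burst only mirrors the reported scale of about 20,000 attempts within four hours.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not from the incident): one ordinary user who
# mistypes a password twice, then a burst of 20,000 failures over just under
# four hours against a hypothetical administrator account "admin2".
BURST_START = datetime(2024, 3, 15, 22, 0, 0)
SAMPLE_LINES = [
    "2024-03-15T09:00:05 staff01 10.0.0.21 FAIL",
    "2024-03-15T09:00:20 staff01 10.0.0.21 FAIL",
    "2024-03-15T09:00:41 staff01 10.0.0.21 OK",
] + [
    f"{(BURST_START + timedelta(milliseconds=720 * i)).isoformat()} admin2 10.0.0.99 FAIL"
    for i in range(20000)
]


def parse(line):
    """Split one 'timestamp account source result' line (assumed format)."""
    ts, account, source, result = line.split()
    return datetime.fromisoformat(ts), account, source, result


EVENTS = [parse(line) for line in SAMPLE_LINES]


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {account: time of first alert} for accounts that reach
    `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, account, _source, result in events:
        if result != "FAIL":
            continue
        failures = recent[account]
        failures.append(ts)
        # Drop failures that have aged out of the window.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and account not in alerts:
            alerts[account] = ts
    return alerts


def simulate_lockout(events, max_failures=5, lock_for=timedelta(minutes=30)):
    """Replay the log under a lockout policy and count, per account, how many
    attempts would still have had their password checked."""
    consecutive = defaultdict(int)
    locked_until = {}
    checked = defaultdict(int)
    for ts, account, _source, result in events:
        if account in locked_until and ts < locked_until[account]:
            continue  # account locked: attempt rejected without a check
        checked[account] += 1
        if result == "OK":
            consecutive[account] = 0
            continue
        consecutive[account] += 1
        if consecutive[account] >= max_failures:
            locked_until[account] = ts + lock_for
            consecutive[account] = 0
    return dict(checked)


if __name__ == "__main__":
    for account, when in detect_bruteforce(EVENTS).items():
        print(f"ALERT {account}: failed-login threshold reached at {when}")
    for account, count in simulate_lockout(EVENTS).items():
        print(f"{account}: {count} attempts checked under lockout policy")
```

With these assumed thresholds the burst raises an alert within seconds, and the lockout policy reduces the guesses actually tested against the administrator account from 20,000 to 40, while the ordinary user is unaffected.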
Based on the above, Privacy Commissioner Ms Ada CHUNG Lai-ling considered that the SCAA’s awareness of the need to protect the personal data of its members was weak. As a long-established sports organisation holding a significant amount of personal data, the Privacy Commissioner was very disappointed that the SCAA failed to implement effective information system security measures to safeguard members’ personal data prior to the Incident. The Privacy Commissioner was of the view that if the SCAA had adopted appropriate and adequate organisational and technical security measures before the Incident, the Incident could likely have been avoided. In this regard, the Privacy Commissioner found that the SCAA had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data. The Privacy Commissioner has served an Enforcement Notice on the SCAA, directing it to take measures to remedy the contravention and prevent recurrence of similar contravention in future.
Rising Trend of Data Breach Incidents Relating to Schools and Non-profit-making Organisations (NGOs) in Recent Years
The PCPD observed a clear upward trend in data breach incidents involving schools and NGOs in recent years. In 2023, among the 157 data breach notifications received by the PCPD, 61 cases involved schools and NGOs (accounting for approximately 39% of the total), which represented an increase of nearly 1.5 times (140%) when compared to 25 cases (about 24% of the total) in 2022. In the first three quarters of 2024, the PCPD received a total of 51 data breach notifications from schools and NGOs, accounting for about 33% of the total number of notifications received, and this is comparable to the percentage of such notifications received year-on-year.
Therefore, the Privacy Commissioner is of the view that schools and NGOs should be vigilant and devote sufficient resources to enhance their data security measures so as to reduce the risks of cyberattacks on their personal data systems.
Statistics on data breach notifications involving schools and NGOs received by the PCPD from 2022 to 2024 (up to September) are set out below:
| Year | Total Number of Data Breach Notifications Involving Schools and NGOs (% of total) | Total Number of Data Breach Notifications |
| --- | --- | --- |
| 2022 | 25 (about 24%) | 105 |
| 2023 | 61 (about 39%) | 157 |
| 2024 (up to September) | 51 (about 33%) | 155 |
The PCPD Launches “Data Security” Package
In addition, the PCPD warmly welcomes the policy objective of strengthening cybersecurity set out in the Chief Executive’s 2024 Policy Address. To strengthen the capabilities of schools, NGOs and small and medium enterprises (SMEs) in safeguarding data security and cybersecurity, the PCPD has launched the “Data Security” Package on 22 October 2024. Participating organisations will receive five free quotas to join professional workshops and seminars organised by the PCPD upon completion of an assessment by the “Data Security Scanner”, which will assess the adequacy of their data security measures. In addition, the PCPD has launched the thematic webpage on data security and the “Data Security Hotline” 2110 1155 to provide relevant information and assistance in this regard. Interested schools, NGOs and SMEs are welcome to obtain further information by emailing training@pcpd.org.hk. The PCPD would collaborate with the education sector and NGOs respectively to host two seminars on data security in December 2024 to share some important tips on how to enhance data security and implement effective security measures. The PCPD has also been organising in-house seminars tailored to the needs of individual organisations, with the protection of data security included as part of the content of the seminars. In the first nine months of 2024, the PCPD organised in-house seminars for a total of 92 organisations.
Plan Ahead - Develop Your Organisation’s Data Breach Response Plan
In today’s digital landscape, where data breach incidents are alarmingly on the rise both globally and in Hong Kong, a proactive preparation for data breach handling is of paramount importance. A data breach is generally regarded as a suspected or actual breach of the security of personal data held by an organisation (a data user), which exposes the personal data of data subject(s) to the risk of unauthorised or accidental access, processing, erasure, loss or use. It can lead to devastating consequences, not only compromising sensitive personal data, but also eroding customer trust and damaging brand reputation. Therefore, developing a robust data breach response plan is not merely a precaution; it is also an indispensable aspect of effective data governance for organisations.
A data breach response plan outlines how an organisation will respond in the event of a data breach. A comprehensive data breach response plan ensures a swift response to and an effective management of a data breach, which may substantially minimise its impacts.
Here are some essential elements of a data breach response plan:
- Description of what constitutes a data breach;
- Internal incident notification procedure to alert the senior management, the data protection officer and/or the data breach response team;
- Designation of the roles and responsibilities of the data breach response team members;
- Contact details of all data breach response team members;
- Risk assessment workflow to assess the likelihood and severity of the harm caused to the affected data subjects;
- Containment strategy for containing and remedying the breach;
- Communication plan to determine whether and how the affected data subjects, regulatory authorities and/or other relevant parties should be notified;
- Investigation procedure for investigating the breach and reporting to the senior management;
- Record-keeping policy to properly document the incident;
- Post-incident review mechanism for identifying areas that require improvement to prevent future recurrence; and
- Training or drill plan to ensure all relevant staff can follow the procedures properly when dealing with a data breach.
Please read the PCPD’s publication to learn more about the data breach response plan:
Guidance on Data Breach Handling and Data Breach Notifications
PRIVACY COMMISSIONER’S FINDINGS
An Insurance Company Issues a Letter to an Invalid Address Reported by a Customer
The Complaint
The complainant was a customer of an insurance company. He was dissatisfied that after he had made a change of address request to the company, the insurance company still issued a letter to his invalid address to confirm the said request.
Outcome
The insurance company stated that it was its usual practice to confirm customers’ change of address requests by sending letters to both the new and former addresses. The practice was designed to prevent fraud and to avoid change of address requests being made by third parties without the knowledge of the customers.
After the PCPD’s intervention, the insurance company revised its practice. Whenever it received address update requests, instead of using the former addresses, the insurance company would contact the customers by other means, such as SMS, to confirm the requests. In addition, the insurance company undertook not to issue letters to the complainant’s former address.
Lessons Learnt
To protect customers’ personal data, the insurance company took steps to confirm address update requests. The initiative was well intended. However, sending letters containing personal data to invalid addresses entailed certain security risks. The act also fell short of the customers’ privacy expectation.
Nowadays, it is common for customers to provide mobile numbers and email addresses for contact purposes. Sending letters to former addresses is no longer the only means by which insurance companies can confirm address update requests with customers. If insurance companies simply follow past practices and fail to adapt to the changing times by adopting technology to facilitate data protection, it would be difficult for them to gain customer trust.
Data users should regularly review their personal data protection measures. When handling personal data, organisations should take into account the perspectives of themselves and the customers, explore alternative measures that can better protect personal data as well as comply with the requirements under the PDPO, so as to develop data protection mechanisms that cater to today’s needs.
Be Smart Online - Dos and Don’ts when Handling Personal Emails
In the digital age, personal email serves as more than just a tool for communication. It has evolved into a critical medium of our online identity and plays an essential role in a variety of important functions, such as identity verification, transaction confirmation and official correspondence. Given that personal emails often contain personal data of email users, it is vital to enhance email security by implementing protective measures for your email accounts and understanding how to identify safe emails. This is crucial for safeguarding personal data against cybersecurity threats, including phishing emails, spam and malware.
What are the recommended practices when handling personal emails? Check out some dos and don’ts below:
Dos
- Scan all email attachments for malware before opening them, especially files with the extensions .exe, .com, .doc;
- Disable automatic processing of email attachments in your Internet email software;
- Consider controlling spam by using email filtering software that allows users to block or screen out spam; and
- Use separate email addresses for different purposes whenever feasible.
Don’ts
- Don’t open or forward emails and email attachments from unknown sources;
- Don’t mail-bomb, forward or reply to junk emails or hoax messages. This may result in more incoming junk emails than before;
- Don’t respond to emails from unknown senders;
- Don’t expose your email address on public websites such as search engines, contact directories, membership directories, newsgroup postings or chat rooms;
- Don’t use an email address that contains any potential dictionary entries or common names; and
- Don’t forward chain email messages.
Discharging Social Responsibility – Privacy Commissioner Attends the Premiere of a Micro-film Launched under the Strive and Rise Programme
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the premiere of the micro-film《信》launched under the Strive and Rise Programme (Programme) on 27 October. The film is an inspirational story about a Programme mentee Siu Ling (played by Phoebe CHENG), who, under the guidance of her mentor Jeanie (played by Fish LIEW), transformed from someone lacking self-esteem to someone possessing a positive outlook on life and clear goals for her future.
The PCPD is one of the supporting organisations of the Programme. The PCPD had organised an education talk for participants of the Programme earlier this month, which covered doxxing offences and the importance of protecting and respecting personal data privacy online.
Reaching Out to the IT Sector – Privacy Commissioner Attends the Hong Kong Computer Society 54th Anniversary Gala Dinner
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong Computer Society (HKCS) 54th Anniversary Gala Dinner on 25 October. Over 500 executives and professionals from the information technology sector joined the gathering.
The PCPD has been collaborating with the HKCS to promote the innovative development of information technology.
Promoting AI Security – Privacy Commissioner and PCPD Representative Speak at the Cyber Security Summit Hong Kong 2024
Privacy Commissioner Ms Ada CHUNG Lai-ling and Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) Ms Rebecca HO spoke at the Cyber Security Summit Hong Kong 2024 on 24 October. The Summit was organised by the Hong Kong Productivity Council and the PCPD is a supporting organisation of the event. During the Summit, the Privacy Commissioner delivered a keynote speech titled “AI and Personal Data Protection: Challenges and Recommendations on Governance”, in which she discussed the privacy risks AI poses to organisations, and the national and global developments in regulating AI. She also introduced the “Artificial Intelligence: Model Personal Data Protection Framework” published by the PCPD in June. The Assistant Privacy Commissioner participated in a panel discussion titled “Achieving Work-Life Harmony: Strategies for Cybersecurity Professionals” and shared her views on the unique stressors faced by cybersecurity professionals. She also shared with the audience her personal experiences in coping with stress and maintaining a healthy work-life balance. Please click here for the Privacy Commissioner’s presentation deck (English only).
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the Investigation Findings on a Data Breach Incident
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today” and RTHK Radio 3’s “Hong Kong Today” on 22 October to explain the investigation findings on the data breach incident of the South China Athletic Association (SCAA) published by the PCPD. The Privacy Commissioner pointed out that deficiencies contributing to the occurrence of the incident included the accidental exposure of the relevant server to the internet, which significantly increased the risk of cyberattacks to the computer systems of the SCAA, and the lack of effective detection measures in its information systems. The Privacy Commissioner has served an Enforcement Notice on the SCAA, directing it to take measures to remedy the contravention and prevent recurrence of similar contravention in future. To implement the policy objective of strengthening cybersecurity set out in the Chief Executive’s 2024 Policy Address, the Privacy Commissioner said that the PCPD has launched the “Data Security” Package to strengthen the capabilities of schools, NGOs and small and medium enterprises in safeguarding data security and cybersecurity. Chief Personal Data Officer (Compliance and Enquiries) of the PCPD Mr Brad KWOK Ching-hei was also interviewed by RTHK Radio 1’s “HK2000” on 24 October. He pointed out that there was a clear upward trend in data breach incidents involving schools and NGOs in recent years. He urged organisations to stay vigilant and adopt appropriate data security measures to protect the personal data in their possession. Please click here to listen to the interview by RTHK News’ “Hong Kong Today” (54:31-59:27) (Chinese only). Please click here to listen to the interview by RTHK Radio 3’s “Hong Kong Today” (38:50-43:38). Please click here to listen to the interview by RTHK Radio 1’s “HK2000” (Chinese only).
Reporting to Legislative Council – Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attend Meeting of the Legislative Council Panel on Constitutional Affairs
The Secretary for Constitutional and Mainland Affairs (SCMA) Mr Erick TSANG Kwok-wai, GBS, IDSM, JP attended the Policy Briefing meeting of the Legislative Council (LegCo) Panel on Constitutional Affairs on 21 October to brief Panel members on the Chief Executive’s 2024 Policy Address. Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting to answer questions raised by members on the protection of personal data privacy and the work of the PCPD.
In responding to a question about the PCPD’s work on data security, the Privacy Commissioner pointed out that in terms of enforcement, the PCPD handles an average of over 230 self-initiated compliance checks and over 100 data breach incidents each year. The PCPD also proactively inspects the personal data systems of organisations to ensure data security. In terms of publicity and education, the PCPD has not only published guidelines and information leaflets on data security but has also been organising sharing sessions and in-house seminars for organisations. The PCPD will continue to strengthen its efforts to enhance the awareness and capability of the public and organisations in safeguarding data security.
Please click here for the paper provided by the Constitutional and Mainland Affairs Bureau to the LegCo Panel on Constitutional Affairs.
Please click here for the opening remarks of the SCMA (Chinese only).
Reaching Out to Legal Professionals – Privacy Commissioner Speaks at the Law Lectures for Practitioners 2024
Privacy Commissioner Ms Ada CHUNG Lai-ling spoke at “Law Lectures for Practitioners 2024” organised by the Faculty of Law of the University of Hong Kong on 17 October, which attracted more than 70 participants from the legal sector. The Privacy Commissioner delivered a presentation titled “Data Security, Cybersecurity and AI Security: the Privacy Commissioner’s Perspective”. She discussed the rising trend of cyberattacks globally and introduced the initiatives launched by the PCPD in promoting and enhancing data security and cybersecurity. She also elaborated on the privacy risks posed by artificial intelligence and introduced the “Artificial Intelligence: Model Personal Data Protection Framework” published by the PCPD in June. Please click here for the Privacy Commissioner’s presentation deck.
Promoting Anti-fraud Messages in Education Sector – Privacy Commissioner Gives Keynote Speech at the “Launch Ceremony of Anti-deception Alliance (Education) 2024”
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “Launch Ceremony of Anti-deception Alliance (Education) 2024” as the Guest of Honour and gave a keynote speech on 12 October. The event was co-organised by the Hong Kong Police Force, Hong Kong University of Science and Technology and Institute of Global Metagovernors.
In her speech, the Privacy Commissioner pointed out that the PCPD received 864 enquiries and 38 complaints in relation to the use of personal data for fraudulent purposes in the first three quarters of 2024. The number of enquiries increased by 67% when compared to the same period last year. The Privacy Commissioner also discussed how organisations could enhance data security as well as raise staff awareness to avoid scams. She also introduced the promotion and education work of the PCPD on safeguarding data security and combatting fraud.
Please click here for the Privacy Commissioner’s speech (Chinese only).
Promoting AI Security – Privacy Commissioner Publishes an Article on OneTrust DataGuidance
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article on OneTrust DataGuidance titled “Hong Kong, China: PCPD’s Model Framework helps organisations using AI ensure compliance”.
In the article, the Privacy Commissioner highlighted that organisations, both global and local, recognise the personal data privacy risks associated with AI. However, many have yet to take proactive actions to mitigate the risks involved. To address the gap, she introduced the “Artificial Intelligence: Model Personal Data Protection Framework” (the Model Framework) published by the PCPD in June, including the recommendations and best practices set out in the Model Framework.
Please click here to read the article.
Reaching Out to Governance Professionals – Privacy Commissioner Attends Cocktail Reception in Celebration of HKCGI’s 75th Anniversary
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the cocktail reception in celebration of the 75th Anniversary of the Hong Kong Chartered Governance Institute (HKCGI) on 4 October.
The HKCGI is the qualifier of the Chartered Secretary and Chartered Governance Professional qualifications in the Mainland and Hong Kong. The Privacy Commissioner had earlier spoken at the Biennial Corporate Governance Conference organised by the HKCGI on the privacy risks brought by artificial intelligence to enterprises.
Enhancing Data Security – the PCPD Collaborates with HKIRC to Launch Promotional Videos
To assist organisations in raising employees’ awareness of cyber security and personal data protection, the PCPD and the Hong Kong Internet Registration Corporation Limited (HKIRC) have jointly launched a series of promotional videos to provide relevant guidance and tips to organisations in a lively manner.
The first episode “Protect Personal Data” is now available at the PCPD’s website, YouTube channel and other social media platforms, as well as HKIRC’s “Cybersec Training Hub”.
Please click here for the first episode of the promotional videos.
Implementing the Spirit of Third Plenary Session – Privacy Commissioner Publishes an Article Titled “Implementing the Spirit of Third Plenary Session, Upholding Fundamental Principles and Breaking New Ground at Work”
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Implementing the Spirit of Third Plenary Session, Upholding Fundamental Principles and Breaking New Ground at Work”.
The Privacy Commissioner pointed out that the “Resolution of the Central Committee of the Communist Party of China on Further Deepening Reform Comprehensively to Advance Chinese Modernization” (Resolution) considered and adopted at the Third Plenary Session of the 20th Central Committee of the Communist Party of China highlighted the strategic positioning of Hong Kong and established the roadmap for Hong Kong’s future development. The Privacy Commissioner discussed the relevant sections of the Resolution from three perspectives, namely protecting online privacy, promoting the development of digital economy and facilitating AI security. She elaborated on how the Spirit of Third Plenary Session can be implemented into the relevant work of the PCPD.
The Privacy Commissioner stated that she and the staff of the PCPD will continue to uphold fundamental principles and break new ground at work, resolutely perform their duties under the PDPO, protect personal data privacy, safeguard data security, and support Hong Kong and the Greater Bay Area in their roles as the driving force for the high-quality development of the country.
The article was published in Ta Kung Pao and Sing Tao Daily on 30 September.
Please click here to read the article (Chinese only).
Reaching Out to University – PCPD’s Representative Speaks on Privacy and Data Security at The Chinese University of Hong Kong
Acting Senior Legal Counsel of the PCPD Ms Joyce LIU gave a guest lecture entitled “Privacy and Data Security in Digital Healthcare Environment” to biomedical engineering students at The Chinese University of Hong Kong on 24 October. During the lecture, Ms LIU discussed the trends in digital healthcare as well as the relevant data security risks. She also gave an overview of the six DPPs under the PDPO and introduced the PCPD’s guidance materials on artificial intelligence. Please click here to download Ms LIU’s presentation deck.
|
Reaching Out to the Property Management Sector – PCPD’s Representative Speaks at the Webinar on “iAM Smart” Sandbox Programme
|
Discharging Social Responsibility – the PCPD Fully Supports the “Strive and Rise Programme”
|
The PCPD organised an education talk on 12 October for over 30 participants of the Second Cohort of the “Strive and Rise Programme” (Programme). The talk covered doxxing offences and the importance of protecting and respecting personal data privacy online, while reminding students to say “No” to cyberbullying and doxxing.
The PCPD is one of the supporting organisations of the Programme, which aims to help secondary school students from underprivileged families with a view to broadening their horizons, reinforcing their self-confidence, developing a positive outlook on life and setting goals for their future. The Programme is led by the Government and seeks to achieve its goals through tripartite collaboration between the Government, the business sector and the community.
|
PCPD Publishes 2023-24 Annual Report
|
The 2023-24 Annual Report of the PCPD was tabled in the Legislative Council on 30 October.
The PCPD's 2023-24 Annual Report, themed “Ensuring Data Security to Promote a Digital Economy”, presents the immense breadth and scale of actions undertaken by the PCPD over the reporting year to safeguard personal data privacy in the ever-evolving digital landscape, with the aim of promoting a digital economy.
Recognising the paramount importance of artificial intelligence (AI) security, the PCPD has collaborated with its international counterparts to tackle the thorniest privacy risks associated with AI during the reporting year. On the enforcement front, the PCPD’s actions have continued to expand and grow, leading to a record-breaking surge in compliance actions, criminal investigations and arrests. Within the Greater Bay Area, the PCPD has actively facilitated cross-boundary flow of personal data, contributing to the continuous growth of the digital economy in the Mainland.
Additionally, the PCPD instigated 152 criminal investigations in relation to doxxing offences in 2023-24, nearly doubling the number of the previous year. The PCPD also conducted 26 arrest operations, resulting in the arrest of 27 individuals. A total of 9,227 doxxing messages were removed after the PCPD had served cessation notices on operators of online platforms, achieving a high removal rate of over 95%.
Please click here to download the Annual Report.
|
Data Scraping on Social Media Raises Concerns; the PCPD, together with 15 Privacy Protection Authorities, Issues a Global Joint Statement to Social Media Platforms
|
On 29 October, the PCPD, together with 15 privacy or data protection authorities worldwide, issued a global joint statement (Joint Statement) on data scraping and the protection of privacy to social media platforms. The signatories include privacy or data protection authorities from Argentina, Australia, Canada, Colombia, Guernsey, Israel, Jersey, Mexico, Monaco, Morocco, New Zealand, Norway, Spain, Switzerland and the United Kingdom.
Data scraping, which generally involves the extraction of data from the web by automated processes, including the collection of data for training AI systems, raises significant privacy concerns. It can result in personal data being sold on the dark web without the knowledge and consent of the data subject, leading to exploitation of personal data for targeted cyberattacks, identity fraud, and unwanted direct marketing or spam messages.
To provide guidance to the industry, the Joint Statement sets out the global privacy protection expectations of the signatories as follows:
- Organisations should deploy a combination of safeguarding measures, which should be regularly reviewed and updated to keep pace with advances in scraping techniques and technologies;
- Organisations should consider using AI technologies to enhance protections against unlawful scraping;
- Organisations should ensure that where data scraping is permitted, such as for commercial or socially beneficial purposes, it is conducted lawfully and in compliance with contractual terms;
- When granting lawful permission for third parties to collect publicly accessible personal data from their platforms, organisations should consider providing such access via an Application Programming Interface (API), as it can allow the organisations greater control over the data, and facilitate the detection and mitigation of unauthorised scraping; and
- Organisations should comply with data protection and privacy laws as well as applicable guidance materials when using personal data, including those from their own platforms, to develop AI models. In this regard, organisations in Hong Kong should, in particular, take note of the “Guidance on the Ethical Development and Use of AI” and “AI: Model Personal Data Protection Framework” issued by the PCPD in August 2021 and June 2024 respectively, and relevant industry guidelines.
The Joint Statement can be downloaded here.
Background
In August 2023, the PCPD, together with 11 privacy or data protection authorities from Argentina, Australia, Canada, Colombia, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the United Kingdom, issued an initial joint statement to social media platforms and other websites that host publicly accessible personal data about global expectations on privacy protection.
The initial joint statement was sent to various companies running major social media platforms, including Alphabet Inc. (YouTube), Meta Platforms, Inc. (Instagram, Facebook and Threads), Microsoft Corporation (LinkedIn) and X Corp. (X) etc.
Subsequently, the signatories had discussions with the aforementioned companies that operate social media platforms as well as with industry representatives on the global expectations on privacy protection promulgated in the initial joint statement. During the process, social media companies indicated to the signatories that they had implemented many of the measures that were identified in the initial statement, as well as further measures that could form part of a dynamic multi-layered approach to better protecting against unlawful data scraping. On 29 October, the signatories issued the concluding report to provide further guidance to social media platforms and other websites that host publicly accessible personal data.
|
The PCPD Welcomes the Chief Executive’s 2024 Policy Address
|
The PCPD welcomes the array of policy initiatives on protecting cybersecurity and promoting data flow set out in the Chief Executive’s Policy Address. The Policy Address states that the Government will require critical infrastructure operators to undertake obligations to protect their computer systems, so as to reinforce their resilience against cybersecurity challenges. A bill will be introduced later this year. The PCPD supports the Government in enhancing the security of computer systems of critical infrastructure and will strengthen its promotional and educational efforts on data security, including the provision of support services on data security to businesses and organisations, such as the one-stop thematic webpage on data security, the “Data Security Scanner” for businesses and organisations to assess the adequacy of their data security measures, setting up the “Data Security Hotline” (2110 1155), publishing guidance materials on data security, organising talks and in-house seminars for businesses, etc., so as to assist stakeholders in complying with the relevant requirements under the PDPO and enhancing data security and cybersecurity.
Separately, Privacy Commissioner Ms Ada CHUNG Lai-ling, being a member of the Hong Kong Expert Group on Cross-boundary Data Collaboration, warmly welcomes the Government’s initiative to extend the facilitation measures of the Standard Contract (Mainland, Hong Kong) for the Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (GBA), currently piloted in the banking, credit referencing and healthcare sectors, to all sectors in Hong Kong. This will be beneficial to different businesses and organisations and further promote the cross-boundary flow of personal data within the GBA, thereby building a “Digital GBA”.
|
The PCPD Welcomes LinkedIn’s Pause of Using Hong Kong Users’ Personal Data for Training Generative AI Models
|
On 3 October, the PCPD expressed concern regarding the employment-oriented social media platform LinkedIn’s default opt-in setting for using Hong Kong users’ personal data and content on the platform to train its generative AI models for content creation, and wrote to LinkedIn to enquire into the matter. The PCPD received a response from LinkedIn on 14 October confirming that it has paused any use of Hong Kong users’ personal data for such purposes as of 11 October while the PCPD’s concerns are being addressed.
Privacy Commissioner Ms Ada CHUNG Lai-ling welcomes LinkedIn’s decision to pause any use of Hong Kong users’ personal data for training generative AI models for content creation. The PCPD will continue to follow up and monitor the situation to ensure that the personal data privacy of Hong Kong users is safeguarded.
|
Transfer of Customers’ Personal Data by Physical; the PCPD Proactively Contacts perFIT to Provide Assistance
|
The PCPD noted that a new investor had recently announced the takeover of part of the operations of the chain of fitness and beauty group “Physical”, and would operate under the new brand “perFIT”. In view of the concerns of some existing customers of Physical about the new investor’s access to their personal data, and further to the compliance check into Physical that it had commenced earlier, the PCPD proactively reached out to the new investor on 7 October to understand their arrangements for the transfer of customers’ personal data and to request relevant documents, in order to provide appropriate assistance to the new investor to ensure that the relevant requirements under the PDPO are complied with.
Generally speaking, with regard to the collection of personal data, DPP 1(3) of the PDPO requires data users to take all practical steps to notify the data subjects of the purpose of data collection, the classes of persons to whom the data may be transferred, whether it is obligatory or voluntary for the data subject to supply the data, and the consequences arising if the data subject fails to supply the data, etc. With regard to the use of personal data, DPP 3 provides that personal data shall not, without the voluntary and explicit consent of the data subject, be used (including the disclosure or transfer of relevant data) for a new purpose other than the purpose for which the data was to be used at the time of the collection of the data or a directly related purpose.
The PCPD appeals to the affected customers to make enquiries with the new investor or the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk) or lodge complaints with the PCPD (telephone: 2827 2827 or email: complaints@pcpd.org.hk) if they are concerned about the transfer of their personal data.
|
The PCPD Reminds Users of LinkedIn to Beware of the Use of their Personal Data for Training of Generative AI Models
|
The PCPD noted that employment-oriented social media platform LinkedIn has recently updated its privacy policy to allow LinkedIn to use the personal data and content created by its users on LinkedIn to train its generative AI models for content creation, with the relevant setting for consent to such use enabled by default.
LinkedIn’s privacy policy update has aroused concerns of data protection authorities in other jurisdictions. The PCPD is also concerned about whether LinkedIn’s default opt-in setting for using users’ personal data to train generative AI models correctly reflects users’ choices. The PCPD has therefore written to LinkedIn to enquire into the matter.
Privacy Commissioner Ms Ada CHUNG Lai-ling reminds LinkedIn users to beware of the updates in LinkedIn’s privacy policy and to understand the relevant policy in order to decide if they agree to allow LinkedIn to use their personal data for training AI models. If users of LinkedIn are unwilling to authorise LinkedIn to use their personal data for training generative AI models, they can revoke the permission by following the steps outlined below (https://www.linkedin.com/mypreferences/d/categories/privacy) to change the default settings:
- Go to the “Data privacy” section in users’ account settings, then select “Data for Generative AI Improvement” to find the toggle switch; and
- Turn off the “Use my data for training content creation AI models” option to revoke permission.
|
Highlights of the “Regulations on Network Data Security Management”
|
Following the release of the Draft Regulations on Network Data Security Management (the Draft Regulations) by the Cyberspace Administration of China in November 2021, the State Council officially passed the Regulations on Network Data Security Management (the Regulations) on 30 August 2024, which will come into effect on 1 January 2025. The Regulations, which is based on the Personal Information Protection Law, Cybersecurity Law and Data Security Law, is the first set of administrative regulations on network data security. The Regulations further specifies the obligations of network data processors with regard to personal information protection, important data and the cross-boundary data flow mechanism, among others. The Regulations also sets out the obligations of internet platform service providers. This article provides an overview of the Regulations.
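On 14 November 2021, the Cyberspace Administration of China (CAC) released the Regulations on Network Data Security Management (Draft for Comments) (the Draft Regulations) [1]. Nearly three years later, on 30 August 2024, the State Council officially passed the Regulations on Network Data Security Management (the Regulations) [2], which will come into effect on 1 January 2025. Built on laws including the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, the Regulations is the first set of administrative regulations in the field of network data security. Comprising nine chapters and 64 articles, the Regulations sets out more detailed rules on the obligations of network data processors with regard to personal information protection, important data and the cross-boundary data flow mechanism, and also expressly stipulates the obligations of internet platform service providers. The highlights of the Regulations are as follows:
Definitions of “Network Data” and “Network Data Processor”
“Network data” refers to all kinds of electronic data processed and generated through networks, while a “network data processor” refers to an individual or organisation that autonomously determines the purposes and means of processing in network data processing activities [3].
General Provisions on Network Data Security Management
The Regulations stipulates that network data processors should establish and improve a network data security management system; adopt technical measures such as access control and security authentication; establish and improve contingency plans for network data security incidents; handle network data security incidents; and bear primary responsibility for the security of the network data they process [4].
The Regulations also requires that where a network data processor provides personal information and important data to other network data processors, or entrusts them with processing such data, it should agree with the network data recipient, by contract or other means, on the purposes, means and scope of processing as well as the security protection obligations; records of the entrusted processing of personal information and important data should also be kept for at least three years [5].
Compared with the Draft Regulations, the Regulations relaxes the requirements on the notification of network security incidents. For example, the Draft Regulations proposed that when a network data security incident causing harm to individuals or organisations occurs, the data processor must notify the interested parties within three working days [6]. The Regulations ultimately removed these requirements and replaced notification within three working days with “timely notification” [7].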
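Personal Information Protection
The Regulations supplements the provisions of the Personal Information Protection Law with more details, including the manner and content of notification of personal information processing rules, the requirements relating to consent, and the rules for handling requests for the transfer of personal information.
The Regulations stipulates that network data processors should publicly display their personal information processing rules in a centralised manner, and that the content should include the necessity of processing sensitive personal information and the impact on individuals’ rights and interests, as well as the methods for deregistering accounts and withdrawing consent [8].
In addition, although the Personal Information Protection Law refers to “separate consent” [9], it does not explain its meaning in detail. The Regulations defines “separate consent” as “specific and explicit consent given by an individual exclusively for a particular processing of his or her personal information” [10].
The Regulations also expressly sets out the requirements that network data processors should comply with when processing personal information on the basis of individual consent, including that the personal information collected must be necessary for providing the product or service, and that consent must not be sought frequently after the individual has expressly refused the processing of his or her personal information [11].
On the other hand, the Regulations clarifies the conditions for carrying out the transfer of personal information, which helps personal information subjects exercise the right to personal information portability conferred by the Personal Information Protection Law [12]. The Regulations stipulates that if a request for the transfer of personal information meets the following conditions, the network data processor should provide a means for another network data processor designated by the individual to access and obtain the relevant personal information [13]:
(1) the true identity of the requester can be verified;
(2) the personal information requested to be transferred is information that the individual consented to provide or that was collected on the basis of a contract;
(3) the transfer of the personal information is technically feasible; and
(4) the transfer of the personal information does not harm the legitimate rights and interests of others.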
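Processing of Important Data
The Regulations defines “important data” [14] as “data in specific fields, of specific groups or in specific regions, or data reaching a certain level of precision and scale, which, once tampered with, destroyed, leaked, or illegally obtained or illegally used, may directly endanger national security, economic operation, social stability, or public health and safety” [15].
To safeguard the security of important data, the Regulations also requires network data processors that process important data to fulfil a series of obligations, for example [16]:
- designating a person in charge of network data security and a network data security management body;
- formulating and implementing network data security management systems, operating procedures and contingency plans for network data security incidents;
- regularly organising activities such as network data security risk monitoring, risk assessment, emergency drills, and publicity, education and training; and
- handling network data security risks and incidents in a timely manner.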
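Cross-boundary Data Flow Mechanism
The Regulations also relaxes the conditions for cross-boundary data transfers and clarifies the requirements for the security assessment of outbound transfers of important data. Building on the Personal Information Protection Law and the Provisions on Promoting and Regulating Cross-border Data Flows, the Regulations adds “for the performance of statutory duties or statutory obligations” as one of the pathways for outbound data transfer, alongside the existing conditions under which personal information may be provided overseas (for example, passing a security assessment, obtaining certification, complying with the provisions on standard contracts, etc.) [17].
The Regulations sets out clearer provisions on the identification of important data and its outbound transfer. The Regulations requires network data processors to identify and declare important data in accordance with the relevant national provisions; however, data that has not been notified or publicly announced as important data by the relevant regions or departments need not be declared as important data for the security assessment of outbound data transfers [18].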
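Obligations of Internet Platform Service Providers
To address the risks posed by internet platforms, in particular large internet platforms, such as the misuse of personal information and algorithmic discrimination, the Regulations imposes the following requirements on internet platform service providers:
- Internet platform service providers are encouraged to support users in using the national network identity authentication public service to register and verify their real identity information [19];
- Large internet platforms (with more than 50 million registered users or more than 10 million monthly active users) should publish a personal information protection social responsibility report annually [20]; and
- Large internet platforms must not use network data, algorithms, platform rules and the like to engage in conduct such as imposing unreasonable differential treatment on users [21].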
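Requirements Relating to AI Training Data
The Regulations specifically requires network data providers that provide generative AI services to strengthen the security management of training data and training data processing activities, and to adopt effective measures to prevent and handle network data security risks [22].
To address the problems arising from the automated collection of network data for training AI, the Regulations stipulates that network data processors using automated tools to access and collect network data should assess the impact on network services [23]. If a network data processor using automated collection technology collects personal information that is not necessary, or personal information for which individual consent has not been obtained in accordance with the law, it should delete the personal information or anonymise it [24].
Conclusion
The promulgation and implementation of the Regulations marks the further improvement of the country’s system of data security laws and regulations. It both strengthens the protection of network data security and encourages and promotes the lawful, reasonable and effective use of network data, thereby facilitating the healthy development of the digital economy.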
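[1] Full text: https://www.cac.gov.cn/2021-11/14/c_1638501991577898.htm
[2] Full text: https://www.gov.cn/zhengce/content/202409/content_6977766.htm
[3] Article 62 of the Regulations.
[4] Articles 9 and 11 of the Regulations.
[5] Article 12 of the Regulations.
[6] Article 11 of the Draft Regulations.
[7] Article 11 of the Regulations.
[8] Article 21 of the Regulations.
[9] For example, Articles 29 and 39 of the Personal Information Protection Law respectively provide that personal information processors must obtain the separate consent of the individual concerned when processing sensitive personal information and when providing personal information overseas. Full text of the Personal Information Protection Law: https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm
[10] Article 62 of the Regulations.
[11] Article 22 of the Regulations.
[12] Article 45 of the Personal Information Protection Law provides: “Where an individual requests the transfer of personal information to a personal information processor designated by him or her, and the conditions prescribed by the national cyberspace authority are met, the personal information processor shall provide a means for the transfer.”
[13] Article 25 of the Regulations.
[14] Existing Mainland regulations and standards define “important data” differently. For example, Article 19 of the Measures for Security Assessment of Outbound Data Transfers states: “Important data refers to data which, once tampered with, destroyed, leaked, or illegally obtained or illegally used, may directly endanger national security, economic operation, social stability, or public health and safety.”
[15] Article 62 of the Regulations.
[16] Article 30 of the Regulations.
[17] Article 34 of the Regulations.
[18] Article 37 of the Regulations.
[19] Article 43 of the Regulations.
[20] Article 44 of the Regulations.
[21] Article 46 of the Regulations.
[22] Article 19 of the Regulations.
[23] Article 18 of the Regulations.
[24] Article 24 of the Regulations.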
|
Professional Workshop on Data Protection and Data Access Request
|
Receiving Data Access Requests (DAR) is a frequent occurrence for many organisations. For example, employees may request employers to provide copies of their previous appraisal reports; patients may request copies of their medical records, etc.
Handling DAR properly, effectively and in a timely manner poses a challenge to many organisations. This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR.
Date: 20 November 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, data protection officers, administration managers, human resource officers, customer services personnel.
|
Practical Workshop on Data Protection Law
|
With the growing public awareness of and expectations for the protection of personal data privacy, it has become a norm for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence.
This workshop will examine the practical application of the PDPO at work by the sharing of real-life cases and providing practical advice. This workshop is particularly suitable for barristers, solicitors, in-house legal counsels, data protection officers and compliance officers.
Date: 4 December 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers, compliance officers
|
Online Free Seminar – Introduction to the PDPO Seminar
|
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
|
The PCPD Supports the Anti-Scam Lucky Draw
|
Organised by the Hong Kong Police Force, the “Anti-Scam Lucky Draw” commenced on 1 October 2024. It aims to raise public awareness of fraud prevention through the completion of designated tasks and to encourage the public to download and use “Scameter+”, a cyber security app that helps identify scams and online pitfalls.
Please click here for the details of the “Anti-scam Lucky Draw”.
|
The PCPD Supports the 7th Belt and Road Conference
|
The “7th Belt and Road Conference” organised by The Law Society of Hong Kong is now open for enrolment. The PCPD is pleased to be one of the supporting organisations of this event.
Themed “Legal Professionals Joining Efforts in Advancing Eight Major Steps to Build High Quality Belt and Road Cooperation”, the Conference will scrutinise, from various professional perspectives, how legal professionals can pragmatically incarnate multi-dimensional connectivity and bolster cooperation among the Belt and Road nations. It provides a valuable opportunity for participants to gain insights from eminent guests and speakers from various sectors, and to exchange ideas with the counterparts along the Belt and Road.
Please click here for registration and the details of the Conference.
|
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
|
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.
|