PCPD e-NEWSLETTER
ISSUE Apr 2022
PCPD Issued a Report on
“Comparison of Privacy Settings of Social Media”
As the public has become increasingly aware in recent years of the personal data privacy risks related to the use of social media, the PCPD has recently released a report on “Comparison of Privacy Settings of Social Media” (the Report) after a review of the top 10 most commonly used social media platforms in Hong Kong, namely Facebook, Facebook Messenger, Instagram, LINE, LinkedIn, Skype, Twitter, WeChat, WhatsApp and YouTube (in alphabetical order). According to the review results, the performance of the 10 social media platforms in terms of their privacy functions, privacy policies and the usability of their privacy dashboards is summarised as follows:
- All the social media being reviewed have a privacy policy in place. They collect a wide variety of personal data, ranging from 12 to 19 types of personal data.
- All the social media being reviewed would collect users’ location data (including both the precise and coarse locations).
- In terms of the default privacy settings, the age and telephone number of a user are not disclosed by Skype and YouTube, while the other social media being reviewed disclose users’ personal data such as age, location, email address or telephone number by default.
- Twitter, WeChat and YouTube receive the highest scores for the readability of their privacy policies, while the others that do not score full marks mainly lack infographics, tables or short videos in illustrating their privacy policies.
- Apart from WeChat, all other instant messaging applications being reviewed, including Facebook Messenger, LINE, Skype and WhatsApp, deploy end-to-end encryption in the transmission of messages between users.
- Except for LINE, all other social media being reviewed provide two-factor authentication.
- Most of the social media being reviewed would retain users’ credit card data.
- All the privacy policies of the social media being reviewed explicitly state that users’ personal data would be transferred to their affiliated companies.
- Twitter does not provide its privacy policy in Chinese text. Users who do not read English would find it difficult to understand the social media’s policies relating to the handling of their personal data.
- Facebook, LINE, WeChat and YouTube all allow users to disseminate posts to specific individuals or groups, and modify the privacy settings of the contents after posting.
In the Report, the PCPD provided the following advice to the social media platforms:
- Operators of social media should continuously adopt "Privacy by Design" to enhance their services and provide more privacy-related functions to users so as to increase the choices available to users;
- Social media platforms should be cautious about the types of personal data collected and avoid collecting more data than is necessary for their services;
- Privacy policies for social media should be clear and easy to understand and should not be vague and general. The PCPD considers that the use of layered presentations, infographics, tables or short videos would help to improve the readability of privacy policies;
- Social media should not track the locations of their users by default and should provide choices to their users according to their needs;
- Social media should provide end-to-end encryption and two-factor authentication to strengthen the protection of users’ personal data; and
- Operators of social media should also proactively tackle “doxxing”, “data scraping” or other illegal acts and limit the ways for searching users.
On the other hand, the PCPD provided the following advice to users of social media:
- Before registering an account, read the privacy policy of the social media carefully, open an email account dedicated for social media and only provide the required personal data;
- Check the default settings on security or privacy of the social media, as well as the ways through which individual users may be searched on the media, with a view to minimising the disclosure of personal data and opting for the most privacy-protecting setting;
- If you do not need the location tracking function, consider turning off the function to avoid the collection of location data by the social media;
- Pay attention to the privacy options of contents posted and select the appropriate settings before posting the contents;
- Before choosing any instant messaging application, pay attention to whether it provides end-to-end encryption forms of transmission to strengthen the confidentiality of transmitted data;
- Use strong passwords and enable two-factor authentication for social media to strengthen account security;
- Minimise the risk of credit card data leakage by avoiding transactions on social media platforms over public Wi-Fi or unsecured Wi-Fi connections; and
- Parents/guardians may consider enabling parental controls to monitor their children’s use of social media and reminding them of the consequences of excessive disclosure or sharing of personal data.
Please click here to read the Report (Chinese version only with bilingual comparison table).
IN THIS ISSUE
- “Why Do You Collect Those Personal Data?”
- PRIVACY COMMISSIONER'S FINDINGS: Inadvertent Disclosure of Students’ Personal Data via Email by a University
- Update Your Internet Browsers Regularly
- The PCPD Made the Second Arrest For a Suspected Doxxing Offence
- RECOMMENDED ONLINE TRAININGS: Online Professional Workshops; Free Online Seminar: Introduction to the PDPO; Arrange an In-house Seminar for Your Organisation
- RENEWAL OF DPOC's MEMBERSHIP
- Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attended Special Meeting of the Legislative Council Finance Committee
- Privacy Commissioner Published an Article on "Work-from-home Brings New Challenges to Data Protection" in Hong Kong Lawyer
- Privacy Commissioner Delivered the Opening Address at International Association of Privacy Professionals’ (IAPP) Hong Kong KnowledgeNet Sharing Session
- Highlights of the Draft Measures for Internet Pop-up Push Services (《互聯網彈窗信息推送服務管理規定(徵求意見稿)》)
- EU: EDPB adopts statement on announcement of agreement in principle for new Trans-Atlantic Data Transfer Framework
- France: CNIL Publishes GDPR Compliance Guide and Self-assessment Tool for AI Systems
- Finland: Government Proposes Changes to Employment Data Protection Act
- The Dutch Data Protection Authority Fines Ministry of Foreign Affairs €565,000 for Insufficiently Informing Data Subjects and Lack of Security Measures in Processing of Personal Data
“Why Do You Collect Those Personal Data?”
It is a question to ask yourself when you plan to collect personal data from others.
If you have to collect personal data from your clients and other individuals, you should identify the reasons and purposes for such data collection with the following questions:
- Why is the data needed for your business?
- Is the means of collection lawful and fair?
- Is it a must to collect the data or else you are not able to provide the service required or fulfil the operational needs? Are there any alternatives?
- How will the data be used?
- Will you transfer the personal data collected to others?
If you decide to collect individuals’ personal data, the data collection should be necessary and adequate but not excessive for the purpose. To observe the Data Protection Principles under the Personal Data (Privacy) Ordinance (PDPO), a Personal Information Collection Statement (PICS) will be helpful.
PICS is a statement given by a data user before or at the time he collects individuals’ personal data, with the following information:
- Purposes of data collection;
- Classes of persons to whom the data may be transferred;
- Whether it is obligatory or voluntary for the data subject to supply the data; and where it is obligatory, the consequences of failure to supply his personal data;
- Intent to use personal data for direct marketing (if applicable);
- Right of the data subject to request access to and correction of his personal data; and
- Name or job title, and address of the individuals to whom access and correction requests may be made.
Learn more about PICS in our “From Principles to Practice – SME Personal Data Protection Toolkit”.
PRIVACY COMMISSIONER'S FINDINGS
Inadvertent Disclosure of Students’ Personal Data via Email by a University
A faculty staff member intended to email the faculty’s non-local students about the university’s quarantine arrangements. However, when retrieving the email addresses of the non-local students from the faculty’s master list of students, the staff member mistakenly attached the master list in the email. The master list contained names, dates of birth, nationalities, email addresses, correspondence addresses and contact numbers of about 2,500 students of the faculty. As a result, the personal data was unnecessarily disclosed to the recipients of the email concerned. The university reported the incident to the PCPD.
Remedial Measures
Upon receiving the notification from the university, the PCPD initiated a compliance check on this incident. The university imposed a new requirement on its staff: all outbound emails containing personal data must be checked by another staff member before they are sent. In addition, work files containing personal data, for example the master list, must be encrypted.
Lesson Learnt
Universities possess a large volume of students’ personal data and should therefore take reasonably practicable measures to ensure that staff handling such data are properly trained. Staff should observe relevant personal data privacy policies and exercise due diligence in applying those policies. Universities should establish procedures to ensure staff’s compliance with those policies.
Update Your Internet Browsers Regularly
In late March 2022, both Google and Microsoft released emergency patches to fix a severe vulnerability identified in their browsers, Chrome and Edge respectively. It was reported that an attacker could exploit this vulnerability to make the browser run code of the attacker's choosing without restriction, and potentially view, delete or change the user’s data.
To protect ourselves from cyber attacks, it is crucial for us to get into the habit of regularly checking for and installing browser updates.
Steps to update your browsers:
Google Chrome:
- Chrome checks for new updates regularly, and when an update is available, Chrome applies it automatically when you close and reopen the browser.
Microsoft Edge:
- In your Microsoft Edge browser, click the three dots (...) at the top right-hand corner of the window.
- Click Help and Feedback.
- Click About Microsoft Edge; the browser then checks for and downloads any available update.
- To finish updating, restart Microsoft Edge.
- If "Download Updates over metered connections" is disabled, enable it so that updates are always downloaded automatically.
The PCPD Made the Second Arrest For a Suspected Doxxing Offence
The Office of the Privacy Commissioner for Personal Data (PCPD) arrested a Chinese male aged 41 in New Territories West on 26 April 2022 for suspected contravention of section 64(3A) of the Personal Data (Privacy) Ordinance (PDPO) relating to the offence of “disclosing personal data without consent”. The arrested person is suspected to have disclosed the personal data of three data subjects without their consent on different social media platforms in December 2021. The PCPD seized one smartphone and one computer during the operation. The arrested person is currently in custody. The PCPD will continue its investigation into the case.
This is the second arrest made by the PCPD under the privacy law since its latest amendments came into operation in October 2021. The PCPD made the first arrest in relation to a doxxing offence under section 64(3A) last December. The Personal Data (Privacy) (Amendment) Ordinance 2021 was enacted last year to combat more effectively doxxing acts that are intrusive to personal data privacy, and the Privacy Commissioner for Personal Data was empowered under the amendments to carry out criminal investigations and institute prosecutions.
The PCPD reminds members of the public that contravening section 64(3A) of the PDPO is a serious crime. An offender is liable on conviction to a fine up to $100,000 and imprisonment for 2 years. The PDPO applies equally to the online world. To avoid breaking the law, members of the public should think twice before publishing or re-posting any message that appears to be a doxxing message on the internet or social media.
Relevant provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject—
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means—
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attended Special Meeting of the Legislative Council Finance Committee
On 8 April 2022, Mr Erick TSANG Kwok-wai, IDSM, JP, Secretary for Constitutional and Mainland Affairs, attended the special meeting of the Legislative Council Finance Committee to introduce the estimated expenditure of the Constitutional and Mainland Affairs Bureau for 2022-23. Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting to answer questions raised by Legislative Council Members on the work of the PCPD.
In responding to a question raised by a Member on the enforcement work of the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance), the Privacy Commissioner said that, for the period from the commencement of operation of the Amendment Ordinance in October 2021 to the end of February 2022, the PCPD had carried out criminal investigations into 43 cases related to doxxing offences. The PCPD made the first arrest for a suspected doxxing offence on 13 December 2021. During the same period, the PCPD issued a total of 466 cessation notices to 12 online platforms, requesting them to remove over 2,400 doxxing messages.
Please click here for the opening remarks of the Secretary for Constitutional and Mainland Affairs at the special meeting of the Legislative Council Finance Committee (in Chinese only).
Privacy Commissioner Published an Article on "Work-from-home Brings New Challenges to Data Protection" in Hong Kong Lawyer
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article in Hong Kong Lawyer discussing the data security risks associated with work-from-home arrangements and offering tips for safeguarding personal data.
Please click here to read the article.
Privacy Commissioner Delivered the Opening Address at International Association of Privacy Professionals’ (IAPP) Hong Kong KnowledgeNet Sharing Session
Privacy Commissioner Ms Ada CHUNG Lai-ling delivered an opening address at IAPP’s Hong Kong KnowledgeNet Sharing Session themed “Privacy Challenges for Businesses When Implementing Technology and Process to Handle COVID-19 Data” on 31 March 2022.
In her speech, the Privacy Commissioner discussed some of the personal data privacy issues relating to the collection and use of health data from employees during the COVID-19 pandemic. The Privacy Commissioner also highlighted some of the privacy-protecting features of Hong Kong’s Vaccine Pass and shared with the participants the work and priorities of the PCPD in 2022.
Please click here for the Privacy Commissioner’s opening address.
Highlights of the Draft Measures for Internet Pop-up Push Services (《互聯網彈窗信息推送服務管理規定(徵求意見稿)》)
On 2 March 2022, the Cyberspace Administration of China (CAC) published the Draft Measures for Internet Pop-up Push Services (Draft Measures). The Draft Measures seek to impose more stringent rules on the use of pop-up push services by internet service providers. This article highlights some of the proposed requirements.
The Cyberspace Administration of China published the Draft Measures for Internet Pop-up Push Services (《互聯網彈窗信息推送服務管理規定(徵求意見稿)》) (the Draft Measures) on 2 March 2022 [1]; the consultation period ended on 17 March 2022.
The Draft Measures regulate “internet pop-up push services” within Mainland China, that is, information push services provided to internet users in the form of pop-up message windows through operating systems, terminal devices, application software, websites and the like [2].
The Draft Measures require providers of internet pop-up push services to establish and improve management systems for content review, network security, data security, personal information protection and the protection of minors [3]. The required measures include manual review of pop-up content, and clearly informing users, through service agreements or other means, of the specific manner, content frequency and cancellation channels of the pop-up push service [4].
The Draft Measures also address dark patterns [5] commonly found in pop-up push services and impose corresponding requirements on the service providers concerned, for example:
- they must not interfere with or obstruct, in any form, users’ closing of pop-ups [6];
- when pushing advertisements via pop-ups, they must prominently label them as “advertisement” (「廣告」) and ensure that users can close the advertising pop-up with one click [7]; and
- they must not use pop-up push services to induce users to click [8].
This column introduced the Provisions on the Administration of Algorithmic Recommendation in Internet Information Services (《互聯網信息服務算法推薦管理規定》) (the Provisions) in February 2022; the Provisions have been in force since 1 March 2022. The Draft Measures also regulate the algorithms used for pop-up information. Among other things, the service providers concerned [9]:
- must not set up algorithmic models that induce users into addiction or excessive consumption, or that otherwise violate laws and regulations or ethical standards;
- must not abuse personalised pop-up services, or use algorithms to block information or over-recommend; and
- must not abuse algorithms to profile minor users, or push to minor users information that may affect their physical or mental health.
Incidentally, on 8 April 2022 the Cyberspace Administration of China announced the launch of the “Qinglang: 2022 Comprehensive Algorithm Governance” (「清朗 · 2022年算法綜合治理」) special campaign [10]. From the date of the announcement until early December 2022, it will carry out a series of actions against internet enterprise platforms that use algorithms, including on-site inspections and orders to rectify.
RECOMMENDED ONLINE TRAININGS
A new series of Professional Workshops on Data Protection (May - July 2022) is now open for enrolment!
Check out the new schedule of the Professional Workshops below:
Online Professional Workshop on Data Protection and Data Access Request
This workshop will examine in detail the compliance requirements for handling Data Access Request (DAR) under the PDPO and provide practical guidance to participants on handling DARs raised by customers or employees.
Date: 31 May 2022 (Tuesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, Data Protection Officers, Administration Managers, Human Resource Officers, Customer Services Personnel
Online Professional Workshop on Data Protection in Insurance
This workshop will discuss the key features of “Guidance on the Proper Handling of Customers’ Personal Data for the Insurance Industry” and relevant privacy issues specific to insurance institutions and insurance practitioners. It will also examine core concepts of practical data protection compliance illustrated by specific scenarios to highlight the potential problems and their resolutions.
Date: 8 June 2022 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Insurance Practitioners, Data Protection Officers, Compliance Officers, Solicitors, Advisers and other personnel undertaking work relating to the Insurance Industry
Free Online Seminar: Introduction to the PDPO
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. The details of the upcoming sessions are as follows:
Seminar Outline:
- A general introduction to the PDPO
- The six Data Protection Principles (illustrated with industry-related examples)
- Offences and compensation
- Direct marketing
- Q&A session
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect the privacy of personal data is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and protecting the privacy of personal data, you can make a request for an in-house seminar via our online form. The outline of this seminar is provided below.
Seminar Outline:
- A general introduction to the PDPO
- The six data protection principles (industry-related cases will be illustrated)
- Handling of data breach incidents
- Direct Marketing
- Offences & Compensation
- Q&A Session
Duration: 1.5 hours
RENEWAL OF DPOC's MEMBERSHIP
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables them to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.