PCPD e-NEWSLETTER
ISSUE Feb 2023
Privacy Commissioner’s Office Reports on its Work in 2022 and Publishes an Investigation Report
The PCPD reported on its work in 2022 and released an investigation report into a data breach incident relating to The Hong Kong Institute of Bankers on 9 February 2023.
1. Complaint Cases
In 2022, the PCPD received 3,848 complaints, which represented an increase of 15% when compared to 3,354 cases in 2021. This was mainly attributable to an increase in doxxing complaints following the implementation of the new anti-doxxing regime introduced by the Personal Data (Privacy) Amendment Ordinance 2021 in late 2021. Of these complaint cases, 95% involved complaints against private organisations or individuals (3,656 cases), while the remaining 5% were against public organisations or government departments.
2. Enquiries
The PCPD received a total of 14,929 public enquiries in 2022. The figure dropped by 15% when compared to 17,651 cases in 2021. On average, over 1,200 public enquiries were handled per month. In view of the rising trend of scams involving personal data fraud perpetrated through telephone calls, emails or SMS messages, the PCPD set up a “Personal Data Fraud Prevention Hotline” 3423 6611 in September 2022 to handle enquiries or complaints from members of the public in relation to suspected data fraud cases, and the Hotline received 168 calls by the end of December. For 2022, the PCPD received 707 enquiries relating to personal data frauds, which represented a 26% increase when compared to 557 enquiries for 2021.
3. Data Breach Incidents
In 2022, the PCPD received 105 data breach notifications, with 41 from the public sector and 64 from the private sector. The data breach incidents involved hacking, loss of documents or portable devices, inadvertent disclosure of personal data by fax, email or post, employee misconduct and system misconfiguration, etc. The PCPD initiated 392 compliance checks in 2022, representing a 4% increase as compared to 377 compliance checks in 2021.
4. The New Anti-Doxxing Regime under the Personal Data (Privacy) Ordinance
The new provisions criminalising doxxing acts under the Personal Data (Privacy) Ordinance (PDPO) came into effect on 8 October 2021. The amendments empower the PCPD to carry out criminal investigations, institute prosecutions for doxxing-related offences, and issue cessation notices to stop disclosure of doxxing messages.
Law Enforcement
From the implementation of the relevant provisions to 31 December 2022, the PCPD handled a total of 2,128 doxxing cases and initiated 114 criminal investigations. 32 cases were referred to the Police for further follow-up actions. As to arrest operations, the PCPD mounted a total of 12 arrest operations by 31 December 2022, including one in 2021 and 11 in 2022 (with one arrest made as a joint operation with the Police). A total of 12 suspects were arrested. The nature of the disputes leading to the doxxing acts was monetary dispute (50%), work dispute (25%) and relationship dispute (17%). The means used by the doxxers were social media platforms and instant messaging apps (92%), as well as posters (8%).
Cessation Notice
Between October 2021 (when the relevant provisions came into operation) and 31 December 2022, the PCPD issued a total of 1,500 cessation notices to 26 online platforms, requesting the removal of 17,703 doxxing messages, with a compliance rate of over 90%.
5. Investigation Report on The Hong Kong Institute of Bankers
On completion of its investigation into a data breach incident relating to The Hong Kong Institute of Bankers (HKIB), the PCPD published an investigation report on 9 February 2023. The investigation arose from a data breach notification lodged by HKIB reporting that six servers which contained personal data had been attacked by ransomware and maliciously encrypted, and that a hacker had threatened to upload the files in the servers to the internet and demanded a ransom from HKIB to unlock the encrypted files.
The personal data of over 13,000 members and about 100,000 non-members had been leaked in the incident. From the evidence collected in the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that there were deficiencies in HKIB’s awareness of data security risks and in its personal data security measures, namely:
- Inadequacies in the management of data security risk;
- Deficiencies in information system management; and
- Prolonged implementation of multi-factor authentication.
In this case, the Privacy Commissioner found that there were apparent deficiencies in the data security risk management and the personal data security measures of HKIB, which led to the ransomware attack on its servers which contained personal data. The Privacy Commissioner considered that HKIB lacked an effective data security risk management mechanism and adopted a lax approach towards service providers in the maintenance of critical network infrastructure. As a result, the security measures of the information system which contained personal data were ineffective in addressing cybersecurity risks and threats. The Privacy Commissioner considered, upon conclusion of the investigation, that HKIB had not taken all practicable steps to ensure that the personal data involved was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) concerning the security of personal data under the PDPO. The Privacy Commissioner has served an enforcement notice on HKIB, directing it to remedy and prevent recurrence of the contravention. Through the report, the Privacy Commissioner would like to make the following recommendations to organisations that handle personal data using information and communications technology:
- Stay vigilant to prevent hacker attacks by conducting regular risk assessments;
- Establish a Personal Data Privacy Management Programme to use and retain personal data in compliance with the PDPO, and to effectively manage the entire lifecycle of personal data;
- Appoint a dedicated officer as Data Protection Officer;
- Enhance information system management, including developing effective patch management procedures to patch vulnerabilities as early as possible;
- Conduct data backup conscientiously, including formulating a data backup policy and conducting regular backup for systems containing important data; and
- Monitor service providers appropriately.
Please click here to download the Investigation Report “Ransomware Attack on the Servers of The Hong Kong Institute of Bankers”.
6. Leaflet on Data Security
In 2022, the PCPD received from organisations a total of 105 data breach notifications, more than a quarter of which involved hacking. The number of Hong Kong citizens affected by data breach incidents also soared from around 600,000 in 2021 to more than one million in 2022. In view of this, the PCPD published a leaflet to introduce the “Guidance Note on Data Security Measures for Information and Communications Technology” (Guidance) on 9 February 2023, with a view to highlighting the key points of recommended data security measures. The leaflet covers the seven key areas of data security measures as recommended in the Guidance:
- Data Governance and Organisational Measures;
- Risk Assessments;
- A Recommended Series of Technical and Operational Security Measures;
- Data Processor Management;
- Remedial Actions in the Event of Data Security Incidents;
- Regularly Monitoring, Evaluating and Improving Compliance with Data Security Policies; and
- Data Security Measures for Cloud Services, “Bring Your Own Devices” and Portable Storage Devices.
Please click here to download the Guidance. Please click here to download the leaflet on the Guidance.
- What is Privacy by Design?
PRIVACY COMMISSIONER’S FINDINGS
- Staff of a Property Management Company Disclosed the Personal Data of Residents when Using Recycled Paper
- Security Tips on Home Wi-Fi to Avoid Network Hackers
- Cyberspace Administration of China Promulgated Measures on the Standard Contract for Cross-border Transfers of Personal Information to Safeguard the Safe Movement of Personal Information
- A 42-year-old Chinese Male Arrested for a Suspected Doxxing Offence
- Conviction Secured against a Chinese Medicine Practitioner in a Direct Marketing Case, Privacy Commissioner Welcomes the Court’s Ruling
- Privacy Commissioner’s Office’s Response to the Incident relating to the Film To My Nineteen-Year-Old Self
- Conviction Secured for 36-year-old Female in a Doxxing Case Relating to Monetary Dispute
- A 29-year-old Chinese Male Arrested for Posting Doxxing Posters
RECOMMENDED ONLINE TRAININGS
- Online Professional Workshops
- Free Online Seminar: Introduction to the PDPO
- Arrange an In-house Seminar for Your Organisation
RENEWAL OF DPOC’S MEMBERSHIP
- Privacy Commissioner Publishes an Article Entitled “Guidance on Data Security – Heightened Importance of Data Security Amid Increased Cyberthreats” at CGj
- Reporting to Legislative Council – Privacy Commissioner Attends Meeting of Legislative Council Panel on Constitutional Affairs to Brief Members on PCPD’s Work in 2022
- Reporting to the Public – Privacy Commissioner Interviewed by《議視聽》Programme
- Reporting to the Public – Privacy Commissioner Interviewed by the Media
- Privacy Commissioner Publishes an Article entitled “Hong Kong: One-year Anniversary Review of the Implementation of the New Anti-doxxing Regime” at OneTrust DataGuidance
- Highlights of the “Provisions on the Administration of Deep Synthesis of Internet-based Information Services”
- EU: Parliament Committee Adopts Draft Data Act
- EU: CJEU Issues Ruling on Right to be Informed of Disclosure of Personal Data
- India’s Digital Lending Guidelines Attempt to Regulate Data Privacy Concerns
- New York: Bill on Biometric Privacy Act Introduced to Senate
What is Privacy by Design?
In this digital age, the pervasive use of information and communication technologies (ICT) enables organisations to collect and use vast amounts of personal data with phenomenal ease and efficiency, which creates immense opportunities and convenience for business operations. Owing to the heightened public awareness of the protection of employees’, customers’ and clients’ personal data, proactively embracing privacy and personal data protection as part of the organisation’s corporate governance responsibilities is of paramount importance, with Privacy by Design (PbD) being one of the recommended approaches.
PbD provides a robust and comprehensive approach to safeguard privacy and addresses the ever-growing and systemic effects of ICT and large-scale networked infrastructure. It promotes embedding privacy as the default into the design, operation and management of ICT and systems, across the entire information life cycle. It also seeks to make privacy integral to organisational priorities, project objectives and work standards, which can be applied throughout an organisation, covering business practices, operational processes, product and service design, physical architectures and networked infrastructure.
There are seven important PbD principles for guiding the development of ICT systems:
1. Proactive and Preventive
Assess, identify, manage and prevent any data protection risks before data breaches occur. Risks can be minimised through good design and data management practices.
2. Data Protection as the Default
Data protection measures must be integrated into processes and features of the systems. Individuals should not have to take action for their personal data to be protected, and measures to safeguard personal data should be automatically provided as default settings.
3. End-to-end Security
Security measures must be considered in the complete software development lifecycle (SDLC). Good security features and practices can be incorporated at every stage of the SDLC, and from the point that personal data is collected until it is purged from the system.
4. Data Minimisation
Do not be tempted to adopt a “collect first and think of what to do with it later” approach when it comes to personal data. Data minimisation means to strictly collect, store and use personal data that is relevant and necessary for the intended purpose for which data is processed.
5. User-centric
Develop and implement ICT systems with individuals in mind – specifically, with the goal of protecting their personal data. Do this through default settings while giving individuals the option to customise settings with informative notices. The interface should be user-friendly, and features such as “just-in-time” notification or layered notices could be applied.
6. Transparency
Take an active role in informing individuals of what personal data is collected from them and how it is being used. Also inform users of any third parties processing their personal data.
7. Risk Minimisation
Identify and mitigate data protection risk systematically. Risks can be reduced by designing and implementing the right processes and relevant ICT security measures when processing personal data.
Please view the PCPD’s publication below for further information about PbD:
Guide to Data Protection by Design for ICT Systems
PRIVACY COMMISSIONER’S FINDINGS
Staff of a Property Management Company Disclosed the Personal Data of Residents when Using Recycled Paper
The Complaint
The Complainant was a resident of an estate managed by a property management company. One day, the Complainant found dozens of notices displaying the words “Wet Paint” posted on both sides of the pedestrian walkway in the estate. The Complainant noticed that on the back of these notices were email exchanges between residents and the company. In particular, a printout of a complaint email from the Complainant to the company was on the back of one of the notices. It clearly showed her English name, email address and the content of the complaint. The Complainant thus lodged a complaint against the company with the PCPD.
Outcome
The company said that according to its established guidelines, recycled paper was for internal use only. The incident was caused by human negligence on the part of individual staff members, who were given verbal reprimands and warnings. In the light of the incident, the company revised its guidelines on the use of recycled paper, requiring its staff to stop using documents or correspondence involving personal data as recycled paper in future, failing which they would be subject to disciplinary action.
The PCPD considered that the company had failed to take all practicable steps to ensure a degree of awareness of or sensitivity to the security risks associated with personal data among staff. The company therefore failed to properly protect the personal data held by it, in contravention of DPP 4. The PCPD warned the company that it needed to formulate a comprehensive internal policy and guidelines on the destruction or disposal of documents containing personal data for its staff to follow (e.g. destroying in a timely manner the documents that contain personal data but need not be retained; and requiring staff to regularly check whether the paper in recycling bins includes documents containing personal data). The company should also assign designated staff to effectively monitor and communicate with other staff to ensure that they are aware of and follow its internal policy and guidelines.
Lessons Learnt
The incident occurred despite the company’s guidelines stipulating that recycled paper was for internal use only. Moreover, neither the staff responsible for printing the “Wet Paint” notices nor the staff responsible for posting the notices had come to realise that there was personal data printed on the back of the notices, proving a lack of awareness of personal data privacy protection among staff. The company should learn from this experience that it is pivotal not only to formulate the relevant policy, but also to adopt measures to enhance the awareness of such policy and foster a strong sense of compliance among staff. The company should also provide comprehensive training to its staff to strengthen their appreciation for personal data privacy protection.
Security Tips on Home Wi-Fi to Avoid Network Hackers
Home Wi-Fi offers convenience and flexibility for everyday work and entertainment. By simply connecting electronic devices, gaming systems and smart home devices to home Wi-Fi, you can access the internet from anywhere within range of the Wi-Fi router’s signal. This also means that others, including hackers and cybercriminals, may be able to access your home Wi-Fi. Hence, it is essential to secure your home Wi-Fi to protect the devices connected to it and the personal data stored in them. Stay alert and take the following measures to secure your home Wi-Fi and prevent unauthorised users or intruders from using it:
- Update firmware and software of your devices, such as Wi-Fi routers and TV boxes regularly;
- Avoid using default settings in Wi-Fi routers, such as the default Service Set Identifier (SSID) and administrator password;
- Enable built-in firewall of the Wi-Fi router to protect your internal network;
- Turn off your Wi-Fi router if not in use;
- Establish a list of computers which are allowed to use your home Wi-Fi. Wireless routers are usually able to maintain a list of media access control (MAC) addresses that may use the wireless network. A MAC address is a unique serial number of the wireless LAN card installed in each computer. Computers with wireless cards that are not registered with your wireless router will not be able to use your signal;
- Use a secure password key for your Wi-Fi network so that others cannot use your Wi-Fi network without knowing the key;
- Hide the Service Set Identifier (SSID) of your home Wi-Fi from being broadcast. All devices attempting to connect to a specific wireless network must use the same SSID. Other people cannot use your home Wi-Fi without knowing the SSID name.
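As an added example (not part of the PCPD newsletter), the Python script below audits a constructed router settings snapshot against each tip in the list above and reports which ones are not met. The key=value export format, the field names, the vendor-default lists and the 12-character minimum used to judge the Wi-Fi passphrase are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed snapshot of a home router's settings, in a hypothetical
# key=value export format. Field names and values are assumptions.
WEAK_CONFIG = """\
ssid=TP-LINK_5G
ssid_broadcast=on
admin_password=admin
wifi_security=WPA2-PSK
wifi_password=password123
firewall=off
mac_filter=off
mac_allowlist=
firmware_version=1.0.3
firmware_latest=1.2.0
"""

# The same router after applying the tips in the list (also constructed).
HARDENED_CONFIG = """\
ssid=Kestrel-Home
ssid_broadcast=off
admin_password=q7!Lm2#vP9wZ
wifi_security=WPA3-SAE
wifi_password=correct horse battery staple 42
firewall=on
mac_filter=on
mac_allowlist=AA:BB:CC:DD:EE:01,AA:BB:CC:DD:EE:02
firmware_version=1.2.0
firmware_latest=1.2.0
"""

# Illustrative vendor-default SSID prefixes and admin passwords (not exhaustive).
DEFAULT_SSID_PREFIXES = ("TP-LINK", "NETGEAR", "DLINK", "LINKSYS", "ASUS")
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234", "12345678"}
STRONG_WIFI_SECURITY = {"WPA2-PSK", "WPA2-AES", "WPA3-SAE", "WPA2/WPA3"}
MIN_PASSPHRASE_LEN = 12  # assumption: the page only says "a secure password key"
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


@dataclass
class Finding:
    check: str   # short name of the tip being checked
    ok: bool     # True if the setting satisfies the tip
    detail: str  # what was observed


def parse_config(text: str) -> dict:
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict) -> list:
    """Check a parsed router config against each tip in the list above.
    "Turn off the router if not in use" is operational and cannot be read
    from a settings export, so it has no check here."""
    findings = []

    fw, latest = cfg.get("firmware_version", ""), cfg.get("firmware_latest", "")
    findings.append(Finding("firmware_up_to_date", bool(fw) and fw == latest,
                            f"running {fw or '?'}, latest {latest or '?'}"))

    ssid = cfg.get("ssid", "")
    default_ssid = ssid.upper().startswith(DEFAULT_SSID_PREFIXES)
    findings.append(Finding("ssid_not_default", bool(ssid) and not default_ssid, f"SSID {ssid!r}"))

    admin_pw = cfg.get("admin_password", "")
    admin_ok = admin_pw not in DEFAULT_ADMIN_PASSWORDS and len(admin_pw) >= 8
    findings.append(Finding("admin_password_not_default", admin_ok,
                            "changed from vendor default" if admin_ok
                            else "vendor default or shorter than 8 characters"))

    findings.append(Finding("firewall_enabled", cfg.get("firewall", "off").lower() == "on",
                            f"firewall={cfg.get('firewall', 'unset')}"))

    # MAC allowlist only counts if it is enabled and every entry is well formed.
    macs = [m.strip() for m in cfg.get("mac_allowlist", "").split(",") if m.strip()]
    mac_ok = (cfg.get("mac_filter", "off").lower() == "on" and bool(macs)
              and all(MAC_RE.match(m) for m in macs))
    findings.append(Finding("mac_allowlist_enabled", mac_ok, f"{len(macs)} address(es) listed"))

    # Encryption plus passphrase strength. MAC addresses and SSIDs are sent in the
    # clear over the air, so the allowlist and hidden SSID are not substitutes for this.
    sec, wifi_pw = cfg.get("wifi_security", ""), cfg.get("wifi_password", "")
    findings.append(Finding("wifi_encryption_strong",
                            sec in STRONG_WIFI_SECURITY and len(wifi_pw) >= MIN_PASSPHRASE_LEN,
                            f"security={sec or 'none'}, passphrase length {len(wifi_pw)}"))

    findings.append(Finding("ssid_hidden", cfg.get("ssid_broadcast", "on").lower() == "off",
                            f"ssid_broadcast={cfg.get('ssid_broadcast', 'unset')}"))
    return findings


def failed_checks(text: str) -> list:
    """Names of the tips that the given config snapshot does not satisfy."""
    return [f.check for f in audit(parse_config(text)) if not f.ok]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(parse_config(text)):
            print(f"  [{'OK ' if f.ok else 'FIX'}] {f.check}: {f.detail}")
```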
Privacy Commissioner Publishes an Article Entitled “Guidance on Data Security – Heightened Importance of Data Security Amid Increased Cyberthreats” at CGj
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Guidance on Data Security – Heightened Importance of Data Security Amid Increased Cyberthreats” at the CGj, the journal of the Hong Kong Chartered Governance Institute.
The Privacy Commissioner pointed out that data breach incidents caused by cyberattacks have been on the rise worldwide and have become one of the major concerns for most businesses. The PCPD therefore published the “Guidance Note on Data Security Measures for Information and Communications Technology”(Guidance) earlier to provide businesses with recommended data security measures to facilitate their compliance with the requirements of the PDPO. The Privacy Commissioner also hopes that the Guidance will serve as a best practice guide for governance professionals.
Please click here to read the article.
Reporting to Legislative Council – Privacy Commissioner Attends Meeting of Legislative Council Panel on Constitutional Affairs to Brief Members on PCPD’s Work in 2022
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Legislative Council Panel on Constitutional Affairs on 20 February 2023 to brief Members on the work of the PCPD in 2022 and its strategic focus this year. Among others, the Privacy Commissioner reported that from the implementation of the Personal Data (Privacy) (Amendment) Ordinance 2021 (i.e. 8 October 2021) to the end of 2022, the PCPD initiated 114 criminal investigations and made 12 arrests. Five arrestees were charged with the new doxxing offences, with three convictions secured to date and one sentenced to immediate imprisonment of eight months. The PCPD considered that the said sentence has a deterrent effect, highlighting that doxxing is a serious crime and the offender may be subject to immediate custodial sentence. During the same period, the PCPD issued 1,500 cessation notices to 26 online platforms, requesting the removal of over 17,700 doxxing messages. The compliance rate on the removal of doxxing messages was over 90%. Please click here for the Privacy Commissioner’s opening remarks (Chinese only). Please click here for the paper submitted by the PCPD to the Legislative Council Panel on Constitutional Affairs.
Reporting to the Public – Privacy Commissioner Interviewed by《議視聽》Programme
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by the《議視聽》Programme on 14 February. During the interview, the Privacy Commissioner reported on the work of the PCPD in 2022, highlighting the PCPD’s work on combatting doxxing offences. The Privacy Commissioner explained how the PCPD handled doxxing-related cases through criminal investigations and prosecutions, as well as how data breach incidents were handled. The Privacy Commissioner was pleased to note that there was a significant decline in doxxing cases relating to political disputes over the past year, while attributing that to a more congenial social atmosphere.
Reporting to the Public – Privacy Commissioner Interviewed by the Media
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK’s “Open Line Open View”, Metro Radio’s “Roadmap to Knowledge Economy”, RTHK Radio 1’s “HK2000” and RTHK32’s “Hong Kong United” on 9 and 10 February.
During the interviews, the Privacy Commissioner reported on the work of the PCPD in 2022, highlighting the PCPD’s work on combatting doxxing offences over the past year. She also elaborated on the investigation report published by the PCPD on 9 February relating to a data breach incident of The Hong Kong Institute of Bankers. The Privacy Commissioner also introduced the leaflet on the “Guidance on Data Security Measures for Information and Communications Technology” published by her Office.
Privacy Commissioner Publishes an Article Entitled “Hong Kong: One-year Anniversary Review of the Implementation of the New Anti-doxxing Regime” at OneTrust DataGuidance
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Hong Kong: One-year Anniversary Review of the Implementation of the New Anti-doxxing Regime” at OneTrust DataGuidance to explain the new doxxing offences which took effect in Hong Kong in October 2021. The Privacy Commissioner also recapitulated her Office’s enforcement work and achievements in combatting doxxing over the past year.
The Privacy Commissioner highlighted that social media platform operators have a responsibility to remove illegal doxxing messages posted on their platforms promptly. She also emphasised that the implementation of the new anti-doxxing regime does not affect normal and lawful business activities in Hong Kong, nor the freedom of speech and free flow of information that Hong Kong citizens enjoy.
Please click here to read the article.
Cyberspace Administration of China Promulgated Measures on the Standard Contract for Cross-border Transfers of Personal Information to Safeguard the Safe Movement of Personal Information
The PCPD notes that the Cyberspace Administration of China promulgated the Measures on the Standard Contract for Cross-border Transfers of Personal Information (the Measures) on 24 February 2023. The Measures will come into operation on 1 June 2023.
The PCPD reminds local enterprises and organisations which conduct businesses on the Mainland, especially enterprises and organisations which transfer personal information out of the Mainland on a smaller scale, such as small- and medium-sized enterprises, that if the conditions prescribed in the Measures are met, they may need to enter into a standard contract and file the contract with the local cyberspace administration authorities at the provincial level before effecting the transfer of personal information.
Specifically, according to the Measures, personal information processors (including enterprises or organisations) which satisfy all of the following conditions may rely on the execution of standard contracts to transfer personal information out of the Mainland and shall first carry out personal information protection impact assessment:
- where the personal information processor is not an operator of critical information infrastructure;
- where the personal information processor which transfers personal information out of the Mainland processes personal information of not more than one million persons (in aggregate);
- where the personal information processor which transfers out personal information has cumulatively made outbound transfers of personal information of not more than 100,000 persons (in aggregate) since 1 January of the preceding year; and
- where the personal information processor which transfers out personal information has cumulatively made outbound transfers of sensitive personal information of not more than 10,000 persons since 1 January of the preceding year.
The relevant personal information processor shall enter into a standard contract strictly in accordance with the template standard contract appended to the Measures, and shall file the contract with the local cyberspace administration authority at the provincial level within 10 working days of the effective date of the contract.
It is noteworthy that personal information processors which are required to duly undergo security assessments for transferring personal information outside the jurisdiction shall not deploy tactics such as quantity splitting so that they may transfer personal information outside the jurisdiction by entering into standard contracts.
The personal information protection impact assessment shall assess, among others, the following key matters:
- the legality, propriety and necessity of the purpose, scope and manner of processing of the personal information by the personal information processor and the recipient outside the jurisdiction;
- the scale, scope, category and sensitivity of the outbound personal information, and the risks that cross-border transfer of personal information might pose to the rights and interests of individuals regarding personal information;
- whether the obligations undertaken by the recipient outside the jurisdiction and the management, technical measures and capabilities of such recipient to perform such obligations can ensure the security of the outbound data;
- the risks of the outbound personal information suffering from alteration, destruction, leakage, loss or illegal use, etc., during and after the cross-border transfers, and whether the channels provided to uphold the rights and interests of individuals regarding personal information are clear, etc.;
- the impact of personal information protection policies and regulations of the location of the recipient outside the jurisdiction on the performance of the standard contract; and
- other matters that may affect the security of the cross-border transfers of personal information.
Please click here for the full text of the Measures and the template standard contract (Chinese only).
Background Information
The Personal Information Protection Law of the Mainland provides that personal information processors which need to transfer personal information outside the jurisdiction shall carry out their own personal information protection impact assessments, obtain separate consent from the individuals concerned, and meet the specified requirements, including passing the security assessment organised by the national cyberspace authorities, obtaining personal information protection certification from the relevant specialised institution, and entering into a contract prescribed by the state cyberspace authorities with the overseas recipients to stipulate the rights and obligations of both parties. The Measures set out conditions under which personal information processors may enter into standard contracts before transferring personal information out of the Mainland and provide a template standard contract.
The Measures were drafted with reference to relevant laws of the Mainland including the Personal Information Protection Law, for the purposes of regulating cross-border transfers of personal information, protecting the rights and interests of individuals regarding personal information, and safeguarding the safe and free flow of personal information out of the Mainland.
A 42-year-old Chinese Male Arrested for a Suspected Doxxing Offence
The PCPD arrested a Chinese male aged 42 in the New Territories on 24 February 2023. He was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO.
The investigation revealed that the victim and the arrested person knew each other. In February 2022, the victim gave the arrested person, at his request, her identification documents and a number of documents relating to some properties in the Mainland which she had purchased, because he offered to help reclaim her money from the real estate agency. Soon after, the victim suspected that she might have been deceived by the arrested person and she tried to stop the arrested person from dealing with her properties. Subsequently, in May 2022, posts containing the victim’s personal data with some negative comments were published on an online platform on two occasions. Photos of the victim and her daughter were also attached to the posts, along with copies of the documents relating to the said properties. The personal data disclosed included the victim’s Chinese name, her Hong Kong Identity Card number, Home Return Permit number, gender, date of birth, residential address, partial mobile phone number and the addresses of her properties in the Mainland.
The PCPD reminds members of the public that doxxing is a serious offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for 5 years. The PDPO applies equally to the online world. To avoid breaking the law, members of the public should think twice before publishing or forwarding any doxxing messages on the internet or social media platforms.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for 5 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or wellbeing; or
- damage to the property of the person.
Conviction Secured against a Chinese Medicine Practitioner in a Direct Marketing Case, Privacy Commissioner Welcomes the Court’s Ruling
On 10 February 2023, the Eastern Magistrates’ Court convicted a Chinese medicine practitioner (the Defendant) of two direct marketing offences under the PDPO upon her guilty plea. The Police had laid charges against the Defendant in October 2022 under sections 35C(1) and 35F(1) of the PDPO. She pleaded guilty on 10 February 2023 to the offences, in that in December 2020 she failed to take the required actions and obtain the data subject’s consent before using, in direct marketing, personal data that the data subject had provided to another clinic. She also failed to inform the data subject, when using her personal data in direct marketing for the first time, of her right to request, without charge, that her personal data not be used in direct marketing. The Defendant was fined HK$2,000 on each charge, HK$4,000 in total. Privacy Commissioner Ms Ada CHUNG Lai-ling welcomed the court’s ruling.
Background of the Case
The case originated from a complaint received by the PCPD in December 2020. The Complainant was a patient of a Chinese medicine clinic (the Clinic) and had provided her personal data to the Clinic in 2015. The Defendant also worked at the Clinic as a Chinese medicine practitioner, but the Complainant had never consulted her there. On 4 December 2020, the Complainant received a WhatsApp message from the Defendant, who described herself as a former Chinese medicine practitioner at the Clinic. The message contained a photo of the Defendant’s business card promoting the Chinese medicine services of her new clinic. The Complainant considered that the Defendant had used her personal data for direct marketing without her consent and lodged a complaint with the PCPD. As the PCPD considered that the case involved contraventions of the direct marketing offences under the PDPO, it referred the case to the Police for criminal investigation and consideration of prosecution.
Relevant Statutory Provisions
Section 35C(1) of the PDPO requires a data user who intends to use a data subject’s personal data in direct marketing to take a number of specified actions before so using the data, including informing the data subject that the data user intends to so use the personal data; that the data user may not so use the data unless it has received the data subject’s consent; the kinds of personal data to be used; the classes of goods or services to be marketed; and a response channel through which the data subject may communicate his/her consent. Pursuant to section 35F(1) of the PDPO, a data user who uses a data subject’s personal data in direct marketing for the first time must inform the data subject of his/her right to request the data user to cease to so use the data, without charge to the data subject. Failure to comply with the requirements of sections 35C(1) and 35F(1) constitutes a criminal offence. The offender is liable to a fine of up to $500,000 and imprisonment for 3 years.
Privacy Commissioner’s Office’s Response to the Incident relating to the Film To My Nineteen-Year-Old Self
The PCPD noted the media reports on the personal data privacy issues relating to the film To My Nineteen-Year-Old Self. The PCPD is concerned about the incident. In order to protect the personal data privacy of the relevant students (as data subjects), the PCPD has taken the initiative to contact the school concerned to ascertain the details of the incident. Generally speaking, everyone’s personal data privacy should be protected and respected, regardless of age. If any person or organisation intends to identify an individual or compile information about a specific individual through shooting a film, this may constitute collection of the personal data of the data subject, and the relevant individual or organisation (as data user) must comply with the requirements of the PDPO and relevant DPPs when it collects, holds, processes or uses personal data. With regard to the use of personal data, DPP 3 provides that personal data shall not, without the voluntary and explicit consent of the data subject, be used (including the disclosure and transfer of relevant data) for a new purpose other than the purpose for which the data was to be used at the time of the collection of the data or a directly related purpose. Any person who suspects that his or her personal data privacy has been infringed and can provide prima facie evidence (including details about misuse of the personal data) may lodge a complaint with the PCPD.
Conviction Secured against a 36-year-old Female in a Doxxing Case Relating to a Monetary Dispute
On 1 February 2023, the Shatin Magistrates’ Court convicted a 36-year-old female, Ms SHAM Chun-kiu (the defendant), of 14 charges of doxxing offences upon her guilty plea. Earlier, in December 2022, the PCPD had laid 14 charges of “disclosing personal data without consent”, contrary to section 64(3A) of the PDPO, against the defendant. She pleaded guilty on 1 February 2023 to all the charges, which related to the disclosure of the personal data of the victim and her husband in 14 groups on a social media platform in December 2021. The defendant made the disclosures without the consent of the victim and her husband, with an intent to cause specified harm to them or their family members, or being reckless as to whether specified harm would be, or would likely be, caused to them or any of their family members.
This is the third conviction under the new anti-doxxing regime which took effect on 8 October 2021.
Background of the Case
The defendant was an online trader and the victim was her supplier. Their business relationship soured over a monetary dispute. In December 2021, the defendant disclosed the personal data of the victim and her husband in 14 groups on a social media platform, in posts that also contained allegations of fraudulent behaviour. The personal data disclosed included the Chinese names and photos of the victim and her husband, and the victim’s phone number. The PCPD arrested the defendant on 26 July 2022. Upon legal advice obtained from the Department of Justice, a total of 14 charges were laid against her on 7 December 2022 in respect of the doxxing acts.
Court Proceedings
At the hearing on 1 February 2023 at the Shatin Magistrates’ Court, the defendant pleaded guilty to and was convicted of all 14 charges. The court adjourned the case to 8 March 2023 for sentencing, pending the relevant report(s).
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
A 29-year-old Chinese Male Arrested for Posting Doxxing Posters
On 1 February 2023, the PCPD arrested a Chinese male aged 29 in Kowloon. He was suspected of having disclosed the personal data of two data subjects without their consent, in contravention of section 64(3A) of the PDPO. The investigation revealed that in March 2022 the female victim engaged the arrested person’s construction company to renovate the victims’ residential unit. In July 2022, disputes arose between the parties over the progress of and payment for the renovation. Shortly thereafter, posters urging the victims to settle the arrears for the renovation were found in the vicinity of the building. The personal data disclosed on the posters included the victims’ Chinese surnames, the address of the unit and a photo of them with their eyes obscured. The PCPD reminds members of the public that doxxing is a serious offence. An offender is liable on conviction to a fine of up to $1,000,000 and imprisonment for 5 years. To avoid breaking the law, members of the public should think twice before disclosing others’ personal data.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for 5 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
Highlights of the “Provisions on the Administration of Deep Synthesis of Internet-based Information Services”
On 10 January 2023, the Provisions on the Administration of Deep Synthesis of Internet-based Information Services (the Provisions), jointly issued by the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the Ministry of Public Security, came into force. The Provisions set out, amongst other things, the obligations of deep synthesis service providers, technical supporters and users, so as to strengthen the supervision of deep synthesis technology and services. Deep synthesis technology is technology that employs deep learning, virtual reality and other generative or synthetic algorithms to produce text, images, audio, video, virtual scenes and other network information. This article provides an overview of the Provisions.
To strengthen the administration of the use of deep synthesis technology in the internet information service sector, preserve a healthy online ecosystem and thereby achieve the goal of safeguarding data security, the Cyberspace Administration of China, the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security jointly adopted the Provisions on the Administration of Deep Synthesis of Internet-based Information Services (the Provisions) on 3 November 2022 [1]. The Provisions formally came into force on 10 January 2023 and lay down clear rules for the governance and supervision of deep synthesis services nationwide. The highlights of the Provisions are as follows:
Scope of Application
The Provisions apply to the provision of internet information services within the Mainland using deep synthesis technology. “Deep synthesis technology” means technology that uses deep learning, virtual reality and other generative or synthetic algorithms to produce text, images, audio, video, virtual scenes and other network information, including but not limited to [2]:
- technology for generating or editing text content, such as text generation, text style conversion and question-and-answer dialogue;
- technology for generating or editing speech content, such as text-to-speech, voice conversion and voice attribute editing;
- technology for generating or editing non-speech audio content, such as music generation and ambient sound editing;
- technology for generating or editing biometric features in images and video, such as face generation, face swapping, personal attribute editing, face manipulation and pose manipulation;
- technology for generating or editing non-biometric features in images and video, such as image generation, image enhancement and image restoration; and
- technology for generating or editing digital characters and virtual scenes, such as 3D reconstruction and digital simulation.
Regulated Parties
The Provisions regulate “deep synthesis service providers”, “deep synthesis service technical supporters” and “deep synthesis service users”, each of which is clearly defined [3]:
- Deep synthesis service provider: an organisation or individual that provides deep synthesis services.
- Deep synthesis service technical supporter: an organisation or individual that provides technical support for deep synthesis services.
- Deep synthesis service user: an organisation or individual that uses deep synthesis services to produce, reproduce, publish or disseminate information.
Key Contents of the Provisions
General provisions
Under the Provisions, no organisation or individual may use deep synthesis services to produce, reproduce, publish or disseminate information prohibited by laws or administrative regulations, or use deep synthesis services to engage in activities prohibited by laws or administrative regulations, such as endangering national security and interests, damaging the national image, harming the public interest, disrupting economic and social order or infringing the lawful rights and interests of others [4]. Other requirements that deep synthesis service providers must comply with include:
- not using deep synthesis services to produce, reproduce, publish or disseminate false news information [5];
- fulfilling their primary responsibility for information security, including establishing and improving management systems for user registration, review of algorithm mechanisms, science and technology ethics review, review of published information, data security, personal information protection, anti-telecom and online fraud, and emergency response [6];
- formulating and publishing management rules and platform conventions, and improving service agreements [7];
- authenticating the real identity information of deep synthesis service users [8]; and
- establishing and improving a rumour-refuting mechanism: where a provider discovers that deep synthesis services have been used to produce, reproduce, publish or disseminate false information, it must promptly take rumour-refuting measures, keep the relevant records and report to the cyberspace authorities and the relevant competent authorities [9].
Data and technology management requirements
The Provisions also impose data and technology management requirements on deep synthesis service providers and technical supporters, including:
- strengthening the management of training data and taking necessary measures to safeguard the security of training data [10];
- strengthening technical management and regularly reviewing, assessing and verifying the mechanisms of their generative and synthetic algorithms [11]; and
- where a provider’s deep synthesis service may cause confusion or misidentification among the public, placing a conspicuous label at a reasonable position or area of the generated or edited content to alert the public that it is the product of deep synthesis [12].
In addition, where the cyberspace authorities and the relevant competent authorities find that a deep synthesis service poses a relatively large information security risk, they may, in accordance with their duties and the law, require the deep synthesis service provider and technical supporter to take measures such as suspending information updates, user account registration or other related services [13].
Conclusion
In summary, the Provisions, drawing on the latest developments in deep synthesis technology, set out detailed obligations for service providers, technical supporters, users and other relevant parties. They are aligned with the Administrative Measures for Internet Information Services [14] and reflect the Mainland’s attention to, and understanding of, emerging technologies. As one of the few pieces of legislation in the world that specifically regulate deep synthesis services, stakeholders in the relevant industries would be well advised to keep a close watch on the latest legal developments in the Mainland in this area so as to avoid inadvertently breaching the law.
[1] Full text: http://www.gov.cn/zhengce/zhengceku/2022-12/12/content_5731431.htm
[2] Article 23 of the Provisions
[3] Article 23 of the Provisions
[4] Article 6 of the Provisions
[5] Article 6 of the Provisions
[6] Article 7 of the Provisions
[7] Article 8 of the Provisions
[8] Article 9 of the Provisions
[9] Article 11 of the Provisions
[10] Article 14 of the Provisions
[11] Article 15 of the Provisions
[12] Article 17 of the Provisions
[13] Article 21 of the Provisions
[14] Full text: http://www.gov.cn/gongbao/content/2000/content_60531.htm
RECOMMENDED ONLINE TRAININGS
Online Practical Workshop on Data Protection in Human Resource Management
This workshop is designed for human resource practitioners, who handle a large amount of employees’ personal data in the course of their work. Participants will learn the good practices and how to meet the requirements under the PDPO in handling personal data in different phases of the employment process.
Date: 8 March 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: human resource officers, data protection officers, compliance officers, solicitors, administration managers, recruitment agents
Online Practical Workshop on Data Protection in Direct Marketing Activities
This workshop provides a practical approach to complying with the requirements under the PDPO in direct marketing activities and offers hands-on solutions to problems that marketers face in devising direct marketing activities. Conviction cases will also be shared with the participants.
Date: 15 March 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: data protection officers, compliance officers, company secretaries, administration managers, IT managers, solicitors, database managers, marketing professionals
Other Professional Workshops on Data Protection from March to May 2023:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are as below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
Renewal of DPOC’s Membership
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.