PCPD e-NEWSLETTER
ISSUE Dec 2023
|
|
|
|
PCPD e-NEWSLETTER
ISSUE Dec 2023
|
|
|
|
Privacy Commissioner’s Office Publishes Two Investigation Reports
|
Privacy Commissioner Ms Ada CHUNG Lai-ling (centre), Assistant Privacy Commissioner (Complaints and Criminal Investigation) Mr Billy KWAN Kai-yu (left) and Senior Personal Data Officer (Compliance & Enquiries) Mr John LO Ho-wing (right) introduced the two investigation reports.
|
The PCPD published two investigation reports on 21 December. The first report relates to four cases of improper retention and use of personal data of employees / former employees by employers and the second report relates to unauthorised scraping of the personal data of Carousell users. The new edition of an information leaflet on “Human Resource Management: Common Questions” is also published at the same time.
(1) Investigation Report: Four Organisations Improperly Retained and Used Personal Data of Employees / Former Employees
During the past five years, the PCPD received on average over a hundred complaints relating to human resource management per annum. To raise the awareness amongst employers and human resource managers of their duties in protecting personal data privacy and in complying with the relevant legal requirements, Privacy Commissioner Ms Ada CHUNG Lai-ling published an investigation report on 21 December in respect of four complaints received by the PCPD concerning human resource management. The four complaints involved four organisations, which are, respectively:
- Kwong Wah Hospital managed by the Hospital Authority (HA) – Staff improperly disclosed personal data in instant messaging application chat group;
- Christian Louboutin Asia Limited (Christian Louboutin) – Staff improperly disclosed personal data in instant messaging application chat groups;
- Star Entertainment (Universe) Limited (Star Entertainment) – Continued to use a former employee’s personal data as the user of a corporate bank account after he had left employment; and
- Ngan Yuet Health and Beauty Limited (Ngan Yuet) – Used the old address of a former employee for filing and mailing a tax return.
After conducting investigations into the four complaints, the Privacy Commissioner found that the HA, Christian Louboutin and Star Entertainment had contravened Data Protection Principle (DPP) 3(1) of the Personal Data (Privacy) Ordinance (PDPO) as regards the use (including the disclosure) of personal data, and Ngan Yeut had contravened DPP 2(1) as regards the accuracy of personal data and DPP 4(1) as regards the security of personal data. The Privacy Commissioner has served Enforcement Notices on the four organisations, directing them to remedy and prevent recurrence of their respective contraventions.
Four Recommendations for Employers
Through the report, the Privacy Commissioner would like to make four recommendations to employers. They are recommended to:
- Introduce the “Personal Data Privacy Management Programme” and showcase good data governance;
- Appoint a Data Protection Officer to implement the effective operation of the Privacy Management Programme;
- Devise a training strategy in respect of personal data privacy; and
- Proactively communicate with staff for the effective formulation of procedures, guidelines and training programmes that cater for their daily situations and needs.
To assist employers and human resource managers in understanding their duties in protecting personal data privacy and complying with the requirements under the PDPO in handling personal data relating to human resource management, the PCPD has in parallel updated an information leaflet on “Human Resource Management: Common Questions”. The content covers frequently asked questions relating to the application of the PDPO to human resource management.
Please click here to download the Executive Summary of “Investigation Report on the Improper Retention and Use of Personal Data of Employees / Former Employees by Employers”.
Please click here to download the Information Leaflet on “Human Resource Management: Common Questions”.
|
(2) Investigation Report: Unauthorised Scraping of the Personal Data of Carousell Users
On completion of its investigation into a data breach incident relating to Carousell Limited, the PCPD published an investigation report on 21 December. The investigation arose from a data breach notification lodged by Carousell Limited reporting that a listing posted on an online forum offered for sale the personal data of 2.6 million Carousell users, which included the leakage of the personal data of 324,232 user accounts in Hong Kong. According to Carousell Limited, the data breach incident was caused by a security vulnerability that was introduced during a system migration in January 2022.
According to the evidence obtained in the investigation, the Privacy Commissioner Ms Ada CHUNG Lai-ling considered that the incident had been caused by the following deficiencies of Carousell:
- Failing to conduct a privacy impact assessment prior to the system migration;
- Incomprehensive code review process;
- Inadequate security assessment associated with the system migration;
- Lack of a written policy in relation to the code review process; and
- Lack of effective detection measures.
Although Carousell Limited was at all material times using the information systems and database under the centralised model of the Carousell Group, Carousell Limited as a data user under the PDPO has a positive duty to safeguard the security of the personal data under its control. Having considered all of the evidence of the investigation, the Privacy Commissioner considered that Carousell Limited bore responsibilities for the following deficiencies:
- Failure to check whether a privacy impact assessment was conducted prior to the system migration;
- Failure to check whether a comprehensive code review process was implemented before the application programming interface (API) in question was committed to production;
- Failure to ensure that a thorough security assessment was conducted for the system migration;
- Failure to check and ensure that there was a written policy for the code review process; and
- Failure to ensure that effective measures were implemented to detect abnormal activities, which contributed to the failure to prevent or detect the extraction of personal data of Carousell users from the API in question.
Considering Carousell’s extensive international operations and the vast number of active users it serves, it is reasonable to expect that the Carousell Group, including Carousell Limited in Hong Kong, would have invested sufficienet resources in ensuring the robust security of its information systems. However, the Privacy Commissioner was very disappointed to note that the occurrence of the incident revealed fundamental failures by Carousell to ensure the security of the personal data held by the group, and that the incident could have been avoided if some normal risk and security assessment procedures and tools had been implemented. The Privacy Commissioner regretted that these fundamental failures had led to the leakage of the personal data of 2.6 million Carousell users worldwide, including over 320,000 of its users in Hong Kong.
Based on the above reasons, the Privacy Commissioner considered that Carousell Limited had not taken all practicable steps in relation to the system migration to ensure that the personal data involved were protected from unauthorised or accidentall access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on Carousell Limited, directing it to remedy and prevent recurrence of the contravention.
Through the report, the Privacy Commissioner wishes to make the following recommendations on strengthening data security to organisations which may perform information system migration involving personal data:
- Carry out privacy impact assessments, especially when significant changes are made to their systems or practices and upon the adoption of new technologies;
- Develop a migration plan that prioritises data protection;
- Conduct effective vulnerability assessments;
- Provide relevant employee training;
- Implement an effective mechanism for detecting abnormal activities; and
- Formulate localised policies and procedures to ensure compliance with the PDPO.
In addition, given that the Carousell Group is based in Singapore, the PCPD has shared a copy of the investigation report with Singapore’s Personal Data Protection Commission (PDPC) in accordance with the Memorandum of Understanding signed between the PCPD and Singapore PDPC.
Please click here to download the Investigation Report “Unauthorised Scraping of the Personal Data of Carousell Users”.
|
The PCPD Welcomes the Facilitation Measures of Using Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong)
The PCPD welcomes the facilitation measures of using the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (GBA SC) announced by the Cyberspace Administration of China (CAC) and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (ITIB) on 13 December. The facilitation measures seek to streamline the compliance arrangements concerning cross-boundary flows of personal information from the Mainland to Hong Kong. Given the close integration of cities within the GBA, and the increasing demand for cross-boundary flow of data between Hong Kong and other cities within the GBA, the PCPD is extremely grateful to the staunch support of the CAC in facilitating the cross-boundary flow of personal information within the GBA. Cross-boundary data flow can facilitate the overall development of the GBA and expedite the establishment of the “Digital Bay Area”. The GBA SC was formulated by the CAC, ITIB, and PCPD, with a view to providing a mechanism that is compliant with the relevant requirements which facilitate the cross-boundary flow of personal information within the GBA. To help organisations in Hong Kong understand the applicability of the GBA SC and the relevant contractual clauses, the PCPD issued the “Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” on 13 December. Please click here to download the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong). Please click here to download the “Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”.
|
|
|
Open and Transparent Management of Personal Data
|
|
PRIVACY COMMISSIONER’S FINDINGS
|
PRIVACY COMMISSIONER’S FINDINGS
|
An Educational Institution’s Improper Password Management Led to Unauthorised Access to Students’ and Parents’ Personal Data
|
|
Artificial Intelligence Chatbots and Data Privacy Protection in the Age of AI
|
|
|
“Don’t Hand Over Your Personal Data – Beware of Fraudsters” – The PCPD Volunteer Team Organises a Christmas Talk for the Elderly
|
A 37-year-old Male Arrested for Suspected Doxxing of His Former Colleague
|
Privacy Commissioner Officiates at HKU Faculty of Law’s 211th Congregation and Appeals to the Legal Profession to Uphold Professionalism and Safeguard the Legal Regime
|
RECOMMENDED ONLINE TRAININGS
|
Free Online Seminar: Introduction to the PDPO
|
Arrange an In-house Seminar for Your Organisation
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
The International Conference on “Enhancing Personal Data Protection in the Age of Artificial Intelligence”
|
|
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the Two Investigation Reports
|
Promoting Data Security – Privacy Commissioner Publishes an Article entitled “Safeguarding Data Security in Hong Kong: A Call to Action” on Hong Kong Lawyer
|
Reaching Out to the IT Sector – Privacy Commissioner Attends the Cybersecurity Symposium 2023
|
Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society 2023 Pro Bono and Community Service Award Presentation Ceremony
|
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Speaks at the Industry Briefing for the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong)
|
Reaching Out to the Financial Sector – Privacy Commissioner Speaks at MPF Symposium 2023
|
Raising Public Awareness to Combat Fraud – The PCPD Organises a Seminar on “Safe Use of WhatsApp and Social Media Platforms”
|
Telling a Good Hong Kong Story – Privacy Commissioner Speaks at the Knowledge Event – Health System and Community Resilience: Lessons From The COVID-19 Pandemic
|
Reaching Out to the IT Sector – Privacy Commissioner Attends the 22nd APICTA Awards
|
Telling a Good Hong Kong Story – PCPD Representatives Attend the 60th Asia Pacific Privacy Authorities Forum and the IAPP ANZ Summit 2023
|
Reaching Out to the IT Sector – Representative of the PCPD Attends the Inauguration Ceremony of the Hong Kong China Network Security Association
|
Reaching Out to the Community – Assistant Privacy Commissioner Attends “Safer Internet Day 2023”
|
Enhancing Data Governance – PCPD Organises “Experience Sharing Session on Good Data Governance by Privacy-Friendly Awardees 2023”
|
|
Overview of the Facilitation Measure on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong – Hong Kong – Macao Greater Bay Area (Mainland, Hong Kong) 《粵港澳大灣區(內地、香港)個人信息跨境流動標準合同》便利措施之概覽
|
International: G7 Endorses AI Process Policy Framework and Discusses Operationalising Data Flows with Trust
|
EU: CJEU Clarifies Imposition and Calculation of Fines under GDPR
|
UK: ICO Publishes Draft Guidance on Employment Practices and Data Protection, Focusing on Keeping Employment Records, and Recruitment and Selection
|
Synthetic Data: What Operational Privacy Professionals Need to Know
|
|
|
Open and Transparent Management of Personal Data
According to DPP 5 of the PDPO, an organisation (as a data user) is required to take all practicable steps to ensure the openness and transparency of its personal data management policies and practices, the types of personal data held and the main purposes for holding it. To fulfil this requirement, an effective Privacy Policy Statement (PPS) should be readily available to data subjects.
What is a PPS?
A PPS is a general statement about an organisation’s privacy policies and practices in relation to the personal data it handles. The content of the PPS includes a policy statement expressing the organisation’s overall commitment to protecting the privacy interests of the data subjects, and a statement that outlines the types of personal data held by the organisation and the purposes for which the personal data is used, depending on its actual operational needs.
Typically, a PPS covers a broader scope than the Personal Information Collection Statement, and may include other privacy-related policies and practices such as data retention policy, data security measures, data breach handling, and the use of special tools (such as cookies) on websites.
Here are some recommended good practices for creating an effective PPS:
- Use user-friendly language and presentation – the PPS should be easily understandable and readable, with considerations given to factors such as content, font size and language;
- Use proper headings and adopt a layered approach to presentation if the privacy policies and practices are complex and lengthy; and
- State clearly:
- Whether the website allows access by individuals who do not accept cookies, and what loss of functionality may result from not accepting cookies;
- How long the personal data will be retained;
- How to make a data deletion request;
- How sensitive personal data will be used, processed, handled and transferred;
- Whether personal data would / would not be disclosed to other parties with the data subject’s express and voluntary consent;
- How to ensure the security and confidentiality of the personal data collected; and
- The policy on handling individuals’ requests to access and correct their personal data held by the organisation; and the contact details of the officer in the organisation who can answer enquiries.
Please read the PCPD’s publication below to learn more about preparing a PPS: Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement
|
|
|
PRIVACY COMMISSIONER’S FINDINGS
|
An Educational Institution’s Improper Password Management Led to Unauthorised Access to Students’ and Parents’ Personal Data
Background
An educational institution reported to the PCPD that a hacker had acquired the administrator password of its information management system through a brute force attack and created a new account with administrative rights, gaining access to the personal data stored within. The incident affected the personal data of more than 24,000 parent and student.
Investigation revealed that the incident resulted from improper password management, failing to adequately protect the administrator account in line with industry best practices.
Remedial Measures
Upon receiving the notification from the institution, the PCPD initiated a compliance check and provided recommendations to the institution to ensure compliance with the relevant provisions of the PDPO. In response, the institution implemented remedial measures. These included introducing two-factor authentication for its information management system to provide an additional layer of protection for system accounts, enforcing strong password protocols, regularly purging unnecessary accounts and enhancing training programmes to raise employees’ awareness of data privacy protection.
Lessons Learnt
Educational institutions typically possess a large amount of personal data about students and their parents for administrative and educational purposes. With the increasing adoption of online learning models, these educational institutions reap the benefits of information technology but must not neglect the associated privacy risks, particularly concerning the personal data of children and youngsters. Organisations managing personal data systems must stay vigilant and implement appropriate security policies, measures and procedures (e.g. utilising multi-factor authentication and adopting suitable robust password management policies) to minimise the risks of unauthorised or accidental access, processing, erasure, loss or use of personal data.
|
Artificial Intelligence Chatbot and Data Privacy Protection in the Age of AI
Generative artificial intelligence (AI) tools, including AI chatbots, have taken the world by storm since their launch. With the advantages of 24/7 availability to deliver personalised responses to queries on diverse topics, AI chatbots offer tremendous convenience to users for tasks such as translation, researching and programming. AI chatbots also greatly enhance the operational efficiency of organisations in different industries, including customer service and e-commerce. Millions of users are enjoying the benefits brought by AI chatbots, but there are still important privacy risks and concerns of which we should be aware.
What are AI Chatbots?
AI chatbots are computer programmes that use AI technologies, including large natural language models, with the ability to interpret human speech and text inputs, and generate natural language responses. The operation of AI chatbots usually depends heavily on deep learning technology, which involves the analysis of massive amounts of unstructured data without supervision. The training data may often be collected and copied from the internet, including blog posts, comments and review sites, which may result in the inadvertent collection of sensitive personal data. AI chatbots may also be vulnerable to cyberattacks resulting in data leakage or be misused for malicious purposes, such as developing malware and creating more convincing and personalised social engineering attacks.
Here are some practical tips for users of AI chatbots:
Before Registration or Use
- Read the Privacy Policy, the Terms of Use and other relevant data handling policies;
- Beware of fake apps and phishing websites posing as known AI chatbots;
- Adjust the settings to opt-out of sharing chat history (if applicable); and
- Use AI chatbots from reputable sources and companies with a strong track record of data security measures in place.
When Interacting with AI Chatbots
- Refrain from sharing your own personal data and that of others;
- Submit a correction or removal request if necessary;
- Guard against cybersecurity threats; and
- Delete outdated conversations from chat history.
Safe and Responsible Use of AI Chatbots:
- Be mindful of the potentially incomplete or inaccurate information that AI chatbots may provide. If a chatbot gives biased or discriminatory responses, report it to the chatbot vendor; and
- Refrain from sharing confidential information and files.
|
|
|
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the Two Investigation Reports
|
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK’s “Hong Kong Today”, RTHK Radio 1’s “Open Line Open View” and “HK2000”, Commercial Radio 1’s “On a Clear Day” as well as Now News’ “News Magazine” on 21 and 22 December. During the interviews, the Privacy Commissioner explained the two reports published by the PCPD, namely, an investigation report on the “Improper Retention and Use of Personal Data of Employees / Former Employees by Employers”, and an investigation report on “Unauthorised Scraping of the Personal Data of Carousell Users”. The Privacy Commissioner also introduced an information leaflet on “Human Resource Management: Common Questions” updated by the PCPD. Regarding the data breach incident of Carousell Limited, the Privacy Commissioner was very disappointed to note that the occurrence of the incident revealed fundamental failures by Carousell to ensure the security of the personal data held by the group, which had led to the leakage of the personal data of over 320,000 of its users in Hong Kong. The Privacy Commissioner has served an Enforcement Notice on Carousell Limited. For the cases of improper retention and use of personal data of employees / former employees by employers, the Privacy Commissioner said that the PCPD received on average over a hundred complaints relating to human resource management per annum. She also provided recommendations to the employers, including the introducion of the “Personal Data Privacy Management Programme” and appointment of a Data Protection Officer.
|
Promoting Data Security – Privacy Commissioner Publishes an Article entitled “Safeguarding Data Security in Hong Kong: A Call to Action” on Hong Kong Lawyer
|
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Safeguarding Data Security in Hong Kong: A Call to Action” on Hong Kong Lawyer.
Citing the results of the “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness Survey 2023” jointly published by the PCPD and the Hong Kong Productivity Council, the Privacy Commissioner highlighted that the cybersecurity readiness amongst the surveyed enterprises dropped from 53.3 points out of 100 in 2022 to 47.0 points in 2023, and a staggering 73% of the surveyed enterprises have encountered cybersecurity attacks in the past 12 months.
The Privacy Commissioner encouraged enterprises to take all reasonably practicable steps to safeguard the security of personal data and to join hands in creating a safe and secure technological ecosystem in the era of Web 3.0.
The Privacy Commissioner also mentioned that, to assist enterprises in safeguarding data security, the PCPD had recently launched a Data Security thematic webpage, a data security hotline (2110 1155) and the “Data Security Scanner”, which is a self-assessment toolkit for enterprises to assess the adequacy of their data security measures for ICT systems.
Please click here to read the article.
|
Reaching Out to the IT Sector – Privacy Commissioner Attends the Cybersecurity Symposium 2023
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “Cybersecurity Symposium 2023” (Symposium) on 14 December. At the event, the Privacy Commissioner exchanged views with experts from the Information and Technology (IT) sector on mitigating cyberthreats and safeguarding data security. The Symposium is co-organised by the Office of the Government Chief Information Officer and the Hong Kong Internet Registration Corporation Limited. It aims to address the cybersecurity challenge in the digital era and explore how the IT industry can collaborate to enhance the overall cybersecurity resilience of Hong Kong.
|
Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society 2023 Pro Bono and Community Service Award Presentation Ceremony
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 2023 Pro Bono and Community Service Award Presentation Ceremony of the Law Society of Hong Kong on 13 December and presented prizes at the ceremony. The Law Society has been organising the Pro Bono and Community Work Recognition Programme (the Programme) since 2010. The key objectives of the Programme are to promote public awareness of the pro bono work offered by members of the Law Society, trainee solicitors, registered foreign lawyers, university law students, and to recognise their pro bono efforts and contributions to the society. The Privacy Commissioner is a member of the judging panel for Distinguished Pro Bono Service Awards (for individual / law firm) this year.
|
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Speaks at the Industry Briefing for the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong)
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the industry briefing for the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (GBA SC) organised by the Office of the Government Chief Information Officer on 13 December and gave an address. The Privacy Commissioner introduced the facilitation measures for cross boundary flow of personal information under the GBA SC to the banking, credit referencing and healthcare industries, and highlighted that the PCPD would continue to exercise its powers under the PDPO to ensure that cross-boundary transfers of personal information by data users to other mainland cities in the Guangdong-Hong Kong-Macao Greater Bay Area comply with relevant requirements under the PDPO. The Privacy Commissioner sincerely thanked the Cyberspace Administration of China for its staunch support in promoting cross-boundary flow of personal information within the Guangdong–Hong Kong–Macao Greater Bay Area. She also introduced the “Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” published by the PCPD on 13 December to help organisations in Hong Kong understand the applicability of the GBA SC and related contractual clauses.
|
Reaching Out to the Financial Sector – Privacy Commissioner Speaks at MPF Symposium 2023
|
Privacy Commissioner Ms Ada CHUNG Lai-ling delivered a speech on 12 December at the MPF Symposium 2023 themed “Embrace, Enrich, Evolve: The Future of MPFTech”. In her presentation entitled “Addressing Privacy Risks in Fintech: Safeguarding Data Security”, the Privacy Commissioner discussed how to address the privacy risks associated with the development of Fintech amidst rising cybersecurity risks. The Privacy Commissioner introduced to the attendees measures on safeguarding data security and handling data breaches. She also recommended the industry to adopt a Personal Data Privacy Management Programme. The Symposium was organised by the Mandatory Provident Fund Schemes Authority, and attracted an audience of over 550 practitioners and leaders of the MPF industry. Please click here for the Privacy Commissioner’s presentation deck.
|
Raising Public Awareness to Combat Fraud – the PCPD Organises a Seminar on “Safe Use of WhatsApp and Social Media Platforms”
|
The PCPD organised a seminar on “Safe Use of WhatsApp and Social Media Platforms” in hybrid mode on 8 December, which attracted over 600 participants.
At the seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling explained the methods used by fraudsters to hijack WhatsApp accounts, and provided advice on minimising privacy risks when the public use instant messaging apps and social media platforms. Ms Raina YEUNG Sau-ling, Director of Privacy and Data Policy, Engagement, APAC, Meta, spoke as a guest speaker on Meta’s policy and approach to combat scams on WhatsApp, Facebook and Instagram platforms, as well as the account features that users can use to protect their accounts. Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
Please click here for Ms YEUNG’s presentation deck (Chinese only).
|
Telling a Good Hong Kong Story – Privacy Commissioner Speaks at the Knowledge Event – Health System and Community Resilience: Lessons From The COVID-19 Pandemic
|
Privacy Commissioner Ms Ada CHUNG Lai-ling gave a presentation on 4 December at the Knowledge Event entitled “Health System and Community Resilience: Lessons From The COVID-19 Pandemic.” The event was organised by the Centre for Health Systems and Policy Research, Jockey Club School of Public Health and Primary Care, Chinese University of Hong Kong and Asia-Pacific Network for Health Systems Strengthening. The event attracted an audience of around 200 experts and academics from the medical and healthcare sector globally.
In her presentation entitled “Protecting Privacy and Building Trust for Community Resilience”, the Privacy Commissioner discussed the key findings of the two Compendiums on the “Best Practices in Response to COVID-19” compiled by the PCPD in 2020 and 2021 respectively. In particular, she highlighted the privacy protection designs adopted in Hong Kong’s contact tracing app (namely, the LeaveHomeSafe App) and the Vaccine Pass Arrangement.
Drawing on the examples of the LeaveHomeSafe App and Vaccine Pass Arrangement, the Privacy Commissioner pointed out that striking the right balance between protecting privacy and safeguarding public health was the key to building trust with the public and fostering community resilience in a public health crisis.
Please click here for the Privacy Commissioner's presentation deck.
|
Reaching Out to the IT Sector – Privacy Commissioner Attends the 22nd APICTA Awards
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 22nd Asia Pacific Information Communications Technology Alliance Awards (APICTA Awards) on 5 December. At the event, the Privacy Commissioner and experts from the Information and Communications Technology (ICT) sector exchanged views on the development of the industry in the Asia-Pacific region.
This year, the APICTA Awards is held on 5-8 December, and co-organised by the Office of the Government Chief Information Officer and the Hong Kong Computer Society. The international awards programme aims to increase ICT awareness in the community and serves as a platform for members of the industry to collaborate with each other.
|
Telling a Good Hong Kong Story – PCPD Representatives Attend the 60th Asia Pacific Privacy Authorities Forum and the IAPP ANZ Summit 2023
|
60th Asia Pacific Privacy Authorities Forum Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD attended the 60th Asia Pacific Privacy Authorities (APPA) Forum from 30 November to 1 December. The Forum was held in hybrid mode in Sydney, Australia.
At the Forum, Assistant Privacy Commissioner (Legal, Global Affairs and Research) Ms Cecilia SIU shared with APPA members the findings of the PCPD’s report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms”. She also highlighted the PCPD’s recommendations to operators of online shopping platforms and summarised the tips to users of such platforms. Major themes discussed at the APPA Forum included:
- Emerging technologies such as generative artificial intelligence;
- Promoting trust in cross-border data flows;
- Safeguarding children’s privacy; and
- Intersections between privacy and other regulatory spheres.
Founded in 1992, APPA is the principal forum for privacy and data protection authorities in the Asia Pacific region to strengthen cooperation and discuss best practices. IAPP ANZ Summit 2023 Assistant Privacy Commissioner and Acting Legal Counsel of the PCPD Ms Dorothy Fung also attended the IAPP ANZ Summit 2023 organised by the International Association of Privacy Professionals (IAPP) in Sydney, Australia, from 28 to 29 November. The Assistant Privacy Commissioner participated in a panel discussion entitled “Global Regulatory Roundtable” where fellow regulators from British Columbia of Canada, Singapore, the United Kingdom and the United States discussed the key regulatory updates in the respective jurisdictions and in particular, different approaches in the regulation of emerging technologies such as artificial intelligence. The conference was joined by about 300 privacy professionals in Australia, New Zealand and worldwide, and data protection authorities from different jurisdictions to discuss and exchange their views on the latest developments in the protection of personal data.
|
Reaching Out to the IT Sector – Representative of the PCPD Attends the Inauguration Ceremony of the Hong Kong China Network Security Association
|
Acting Chief Personal Data Officer (Compliance & Enquiries) of the PCPD Mr Brad KWOK spoke as the Guest of Honour on 6 December at the Inauguration Ceremony of the Hong Kong China Network Security Association (HKCNSA). Mr Kwok congratulated HKCNSA on its establishment and exchanged views with stakeholders in the cybersecurity industry at the event. The PCPD wishes to continue its exchanges with the stakeholders in the IT industry with a view to addressing cybersecurity challenges together.
HKCNSA is a non-profit organisation dedicated to promoting cybersecurity and information security.
|
Reaching Out to the Community — Assistant Privacy Commissioner Attends “Safer Internet Day 2023”
|
Assistant Privacy Commissioner (Corporate Communications and Compliance) Ms Joyce LAI attended the “Safer Internet Day 2023-Be a Smarter Digital Citizen” Recognition Ceremony cum Fun Day jointly organised by the Hong Kong Council of Social Service and Google Hong Kong on 2 December. She officiated the ceremony and delivered an address on the importance of personal data protection. In her address, Ms Lai pointed out that in the digital age, a vast amount of personal data may be collected by different online platforms. She reminded members of the public to “stop and think” before providing personal data online, and beware of the risk that their personal data posted online could be scrapped for harmful purposes. Please click here for the speech (Chinese only).
|
Enhancing Data Governance – PCPD Organises “Experience Sharing Session on Good Data Governance by Privacy-Friendly Awardees 2023”
|
The PCPD organised the “Experience Sharing Session on Good Data Governance by Privacy-Friendly Awardees 2023” (Sharing Session) in hybrid mode on 30 November, which attracted over 160 participants from various sectors, including the banking, insurance, government / public bodies, legal and information technology sectors. At the Sharing Session, Assistant Privacy Commissioner (Corporate Communications and Compliance) Ms Joyce LAI delivered the welcome address and highlighted the importance of implementing good data governance in the era of big data. In addition, representatives of the Outstanding Gold Awardees of the PCPD’s “Privacy-Friendly Awards 2023”, including Census and Statistics Department, CLP Power Hong Kong Limited, Swire Coca-Cola Limited and The Hong Kong and China Gas Company Limited, were invited to share their practical experience and insights in setting up a Personal Data Privacy Management Programme, establishing privacy safeguards to protect personal data and ensure data security, as well as how they cope with the risks brought by technological developments. Please click here for the presentation deck of the Census and Statistics Department. Please click here for the presentation deck of CLP Power Hong Kong Limited. Please click here for the presentation deck of Swire Coca-Cola Limited. Please click here for the presentation deck of The Hong Kong and China Gas Company Limited.
|
|
|
“Don’t Hand Over Your Personal Data – Beware of Fraudsters” – The PCPD Volunteer Team Organises a Christmas Talk for the Elderly
|
The Volunteer Team of the PCPD visited over 80 elders at St. James’ Settlement Wanchai District Elderly Community Centre on 27 December. In addition to conveying their good wishes with love and joy, the Volunteer Team arranged a talk and some interactive games to raise the elderly’s awareness of the prevention of fraud, highlighting the different kinds of scams in recent times. As part of the PCPD’s anti-fraud promotional campaign this year under the theme of “Don’t Hand Over Your Personal Data – Beware of Fraudsters”, Privacy Commissioner Ms Ada CHUNG Lai-ling shared the latest anti-fraud information with the elderly during the visit. Artiste Ms Kitty YUEN (阮小儀) was invited to play host to the event, with anti-fraud messages integrating into the quizzes and role-playing games to increase the participants’ involvement and raise their awareness of the prevention of fraud. A number of lucky winners received prizes at the lucky draw session during the event, and the Volunteer Team also distributed Christmas gift bags to every participant. The event ended successfully in a joyous festive atmosphere. Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
|
A 37-year-old Male Arrested for Suspected Doxxing of His Former Colleague
|
The PCPD arrested a Chinese male aged 37 on Hong Kong Island on 12 December. The arrested person was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim and the arrested person were former colleagues in a company. After leaving the company, the arrested person created a chat group on an instant messaging application for some current and former employees of the company. Later, the arrested person also added the victim to the group. In August 2023, the arrested person criticised the victim’s work performance in the group, and subsequently removed the victim from the group. A few days later, a message containing some allegations against the victim was sent to the group, alongside a partly redacted copy of his Hong Kong Identity Card (HKID card) which showed particulars of his personal data, including his Chinese name, English name, partial HKID card number, date of birth, gender and a photo of him. The PCPD reminds members of the public that they should not dox others because of personal disputes. Identity cards contain sensitive personal data. Disclosing or reposting copies of identity cards without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
-
with an intent to cause any specified harm to the data subject or any family member of the data subject; or
-
being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
|
Privacy Commissioner Officiates at HKU Faculty of Law’s 211th Congregation and Appeals to the Legal Profession to Uphold Professionalism and Safeguard the Legal Regime
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 211th Congregation of the Faculty of Law of the University of Hong Kong on 1 December and delivered a speech as the Guest of Honour. The Privacy Commissioner extended her warmest congratulations to all graduates and shared with them the highlights of her legal career in public service which spanned over the past four decades. She cited President Xi’s speech during the 25th anniversary celebration of Hong Kong’s return to the motherland last year and encouraged the graduates to strive to ensure the continuous, robust and smooth implementation of the guiding principle of “One Country, Two Systems” and to safeguard the legal regime. She highlighted that the first and foremost duty of lawyers is to uphold and promote the rule of law, especially at a time when the rule of law in Hong Kong has come under unwanted attacks by certain overseas politicians and media outlets for political reasons. She encouraged all new members of the legal profession to uphold the highest standards of professionalism, integrity, humility and ethics in their future career, and emphasised the importance of serving with profound dedication and heart in their legal work. She believed that with the development of emerging technologies, technology-related laws, such as fintech, data protection, privacy, cybersecurity and other aspects of law will continue be develop, and the demand for lawyers in these fields will be higher than ever as technology advances. She urged graduates to keep pace with the continuous evolution of the profession, adapt to and stay abreast of all the latest developments. Please click here for the Privacy Commissioner’s Keynote Address.
|
Overview of the Facilitation Measure on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong – Hong Kong – Macao Greater Bay Area (Mainland, Hong Kong) 《粵港澳大灣區(內地、香港)個人信息跨境流動標準合同》便利措施之概覽
|
To promote the cross-boundary flows of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area (the GBA), the Cyberspace Administration of China (the CAC) and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (the ITIB) signed a Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong–Hong Kong–Macao Greater Bay Area (the MoU) on 29 June 2023.
As a facilitation measure under the MoU to foster the cross-boundary flows of personal information within the GBA, the CAC, ITIB and the Office of the Privacy Commissioner for Personal Data, Hong Kong have jointly formulated the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the GBA SC). Announced and issued on 13 December 2023, the GBA SC comes with a set of Implementation Guidelines. This article provides an overview of the GBA SC.
為推動粵港澳大灣區(大灣區)個人信息的跨境流動,國家互聯網信息辦公室(國家網信辦)與香港特別行政區政府創新科技及工業局(創科及工業局)於2023年6月29日簽署《促進粵港澳大灣區數據跨境流動的合作備忘錄》(《合作備忘錄》)。
《粵港澳大灣區(內地、香港)個人信息跨境流動標準合同》(《大灣區標準合同》)是《合作備忘錄》下就促進粵港澳大灣區個人信息跨境流動所推出的便利措施,由國家網信辦、創科及工業局及香港個人資料私隱專員公署(私隱專員公署)共同制定。《大灣區標準合同》連同《粵港澳大灣區(內地、香港)個人信息跨境流動標準合同實施指引》(《大灣區標準合同實施指引》)1於2023年12月13日發布。為幫助香港機構理解《大灣區標準合同》的適用性及相關合約條款,私隱專員公署已於2023 年12 月13 日發出了「跨境資料轉移指引:《粵港澳大灣區(内地、香港)個人信息跨境流動標準合同》」2。《大灣區標準合同》3的重點如下:
適用範圍
《大灣區標準合同》適用於粵港澳大灣區內地城市(即廣東省廣州市、深圳市、珠海市、佛山市、惠州市、東莞市、中山市、江門市及肇慶市)和香港之間的個人信息跨境轉移,即包括由粵港澳大灣區内地城市至香港的個人信息跨境轉移,及由香港至粵港澳大灣區内地城市的個人資料跨境轉移。有關個人信息處理者4及接收方應註冊於(適用於組織)/ 位於(適用於個人)廣東省廣州市、深圳市、珠海市、佛山市、惠州市、東莞市、中山市、 江門市、肇慶市、或者香港特別行政區。
整體內容
《大灣區標準合同》包含以下八個部分:定義、個人信息處理者(即包括資料使用者)的義務和責任、接收方的義務和責任、個人信息主體(即包括資料當事人)的權利、 救濟、合同解除、違約責任及其他。
個人信息處理者的義務和責任
《大灣區標準合同》列明個人信息處理者(涵蓋資料使用者)通過訂立《大灣區標準合同》跨境提供個人信息應當遵守的義務及責任,當中包括但不限於:
- 向個人信息主體(涵蓋資料當事人5)告知以下事項 (屬地相關法律法規要求不需要告知的,從其規定)6:
- 接收方的名稱或者姓名、聯繫方式;
- 個人信息跨境提供的處理目的、處理方式;
- 個人信息的種類、保存期限;
- 個人信息向接收方的同轄區第三方7提供的情況;及
- 行使個人信息主體權利的方式和程序等事項;
- 向接收方跨境提供個人信息前,應當按照屬地法律法規要求取得個人信息主體同意8;
- 向個人信息主體告知其與接收方通過《大灣區標準合同》約定個人信息主體為第三方受益人,如個人信息主體未在30日內明確拒絕,則可以依據《大灣區標準合同》享有第三方受益人的權利9;及
- 對擬向接收方提供個人信息的活動開展個人信息保護影響評估,重點評估以下內容,並保存個人信息保護影響評估報告至少3年10:
- 個人信息處理者和接收方處理個人信息的目的、方式等的合法性、正當性、必要性﹔
- 對個人信息主體權益的影響及安全風險﹔
- 接收方承諾承擔的義務,以及履行義務的管理和技術措施、能力等能否保障跨境提供的個人信息安全。
接收方的義務和責任
《大灣區標準合同》亦列明接收方的義務和責任,當中包括但不限於:
- 不得向粵港澳大灣區以外的組織、個人提供據《大灣區標準合同》接收的個人信息11 ;
- 同時符合下列條件的,方可向粵港澳大灣區内地或香港特別行政區同轄區12內的第三方提供個人信息13:
- 確有業務需要;
- 已告知個人信息主體該第三方的名稱或者姓名、聯繫方式、處理目的、處理方式、個人信息種類、保存期限以及行使個人信息主體權利的方式和程序等事項。個人信息處理者屬地相關法律法規要求不需要告知的,從其規定;
- 基於個人同意處理個人信息的,應當按照個人信息處理者屬地法律法規要求取得個人信息主體同意;
- 按照《大灣區標準合同》附錄一“個人信息跨境提供說明”所列約定向同轄區内的第三方提供個人信息;
- 對開展的個人信息處理活動進行客觀紀錄,保存記錄至少3年14;及
- 接收方所在地的政府部門、司法機構要求接收方提供《大灣區標準合同》下的個人信息的,應當立即通知個人信息處理者15。
備案責任
根據《大灣區標準合同實施指引》,個人信息處理者及接收方應在《大灣區標準合同》生效之日起10個工作日內,按照屬地向廣東省互聯網信息辦公室或者香港特別行政區政府政府資訊科技總監辦公室(資科辦)進行標準合同備案16,而需提交的材料包括承諾書,當中列明個人信息保護影響評估工作為備案之日前3個月內完成17。有關香港的備案詳情,請參閱《粵港澳大灣區(內地、香港)個人信息跨境流動標準合同備案指南》18。
總結
《大灣區標準合同》簡化了涉及大灣區的九個內地城市和香港之間就內地個人信息跨境流動的合規安排,同時免除了內地數據跨境安全管理框架下就有關個人信息處理者跨境轉移個人信息的數量限制,以及簡化了相關個人信息保護影響評估的評估內容。資科辦已於本月開展《大灣區標準合同》先行先試安排,首階段會公開邀請對跨境服務需求較為殷切的銀行業、徵信業及醫療業機構參與。香港特區政府將會適時檢討首階段先行先試安排,以期將便利措施進一步推展至其他界別。
值得注意的是,《大灣區標準合同》的規定並不影響私隱公署按《個人資料(私隱)條例》(《私隱條例》)在職責範圍内依法加強保障個人資料和監督管理工作,包括處理與保障個人資料有關的投訴、舉報,調查、處理違法個人資料處理活動等。資料使用者如需要從香港跨境轉移個人資料到香港以外的地方,仍然需要遵守《私隱條例》下的相關規定,包括《私隱條例》附表一內的保障資料原則。
1 全文:
http://www.cac.gov.cn/2023-12/13/c_1704042786237103.htm;
https://www.ogcio.gov.hk/tc/our_work/business/cross-boundary_data_flow/doc/gbascc00_gn_scc_tc.pdf。
2 全文:https://www.pcpd.org.hk/tc_chi/resources_centre/publications/files/standard_contract_gba.pdf。
3《大灣區標準合同實施指引》附件一,全文亦可於
https://www.pcpd.org.hk/tc_chi/data_privacy_law/mainland_law/files/gba_sc.pdf 下載。
4 根據《大灣區標準合同》,“個人信息處理者”,就內地而言,是指在個人信息處理活動中自主決定處理目的、處理方式的組織、個人;就香港特別行政區而言,亦涵蓋“資料使用者"”,即就個人資料而言,指獨自或聯同其他人或與其他人共同控制該資料的收集、持有、處理或使用的人。“個人信息處理者”為個人信息跨境提供方。
5 根據《大灣區標準合同》,“個人信息主體”,就內地而言,是指個人信息所識別或者關聯的自然人;就香港特別行政區而言,亦涵蓋“資料當事人”,即就個人資料而言,指屬該資料的當事人的個人。
6《大灣區標準合同》第二條第(二)項。
7 如接收方註冊於(適用於組織)/位於(適用於個人)粵港澳大灣區内地城市,同轄區即粵港澳大灣區内所有内地城市;如接收方註冊於(適用於組織)/位於(適用於個人)香港,同轄區只限於香港。
8《大灣區標準合同》第二條第(三)項。
9《大灣區標準合同》第二條第(四)項。
10《大灣區標準合同》第二條第(八)項。
11《大灣區標準合同》第三條第(七)項。
12 如接收方註冊於(適用於組織)/位於(適用於個人)粵港澳大灣區内地城市,同轄區即粵港澳大灣區内所有内地城市;如接收方註冊於(適用於組織)/位於(適用於個人)香港,同轄區只限於香港。
13《大灣區標準合同》第三條第(八)項。
14《大灣區標準合同》第三條第(十一)項。
15《大灣區標準合同》第三條第(十三)項。
16 《大灣區標準合同實施指引》第八條。
17《大灣區標準合同實施指引》附件二。
18 全文:https://www.ogcio.gov.hk/tc/our_work/business/cross-boundary_data_flow/doc/gbascc02_fg_tc.pdf 。
|
|
|
Professional Workshop on Data Protection in Direct Marketing Activities
|
Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. Organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO, which also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility.
This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO and provide participants with practical guidance on compliance and share conviction cases relating to direct marketing, aiming to help participants understand how to properly use customers’ personal data in direct marketing activities.
Date: 10 January 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals
|
Professional Workshop on Data Protection in Insurance
|
Insurance transactions involve a huge amount of customers’ personal data, including customers’ names, telephone numbers, addresses, identity card numbers, etc. Therefore, it is necessary for insurance practitioners to understand the requirements under the PDPO. This workshop examines key concepts of data protection compliance, and illustrates various scenarios in industry operations to highlight potential issues and the solutions in relation to personal data privacy.
Date: 17 January 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: insurance practitioners, data protection officers, compliance officers, solicitors, advisers and other personnel undertaking work relating to the insurance industry
|
Other Professional Workshops on Data Protection from January to March 2024:
|
Online Free Seminar – Introduction to the PDPO Seminar
|
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming session shows below:
Date: 16 January 2024 (Tuesday)
Time: 3:00pm – 4:30pm
Mode: Online
Language: Cantonese
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Other Introduction to the PDPO Seminars from February to March 2024:
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form. With effect from January 2024, seminars will also cover measures to safeguard data security.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Safeguarding data security;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Join us now to keep up-to-date with the latest news and legal developments!
|
We would like to inform you that starting from 1 April 2024, there will be a revised DPOC membership fee of $450. This adjustment is necessary to support the improvement and expansion of our offerings. Please apply or renew your DPOC membership early if you wish to enjoy the current package.
|
The International Conference on “Enhancing Personal Data Protection in the Age of Artificial Intelligence”
|
The International Conference on “Enhancing Personal Data Protection in the Age of Artificial Intelligence” will be held at the University of Hong Kong on 10 and 11 January 2024. With the rapid rise of generative AI systems such as ChatGPT, the conference will bring together legal counsels from tech companies, senior regulators from multiple jurisdictions, and leading academics from around the world to explore the cutting-edge issues concerning personal data protection in the age of AI.
On the first morning of the conference, the PCPD will co-host a panel discussion entitled “Addressing the Risks of AI from the Regulatory Perspective”, featuring insights from privacy commissioners and senior data regulators from multiple jurisdictions. The panelists and the moderator of the panel discussion are as follows:
Panelists
- Ms Ada CHUNG
Privacy Commissioner for Personal Data, Hong Kong
- Mr Hisato ASADA
Commissioner for International Cooperation of Personal Information Protection Commission, Japan
- Ms Adeline TUNG
Director of Policy & Technology of Personal Data Protection Commission, Singapore
- Ms Jennifer M. URBAN
Chair of the California Privacy Protection Agency Board
- Mr Steve WOOD
Director and Founder of PrivacyX Consulting; Former Deputy Commissioner (Executive Director, Regulatory Strategy) of Information Commissioner’s Office, United Kingdom
Moderator
- Mr Loke-Khoon TAN
Senior Partner, Baker & McKenzie
Please click here to learn more about the conference and click here to register for the event.
|
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
|
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
|
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.
|
|
|
|