PCPD e-NEWSLETTER
ISSUE Jan 2024
Happy Year of the Dragon!
Privacy Commissioner’s Office Reports on its Work in 2023 and Publishes a Report on “Privacy Concerns on Electronic Food Ordering at Restaurants”
Privacy Commissioner Ms Ada CHUNG Lai-ling (left) and Chief Personal Data Officer (Compliance & Enquiries) Mr Brad KWOK Ching-hei (right) introduced the report on “Privacy Concerns on Electronic Food Ordering at Restaurants”.
The PCPD reported on its work in 2023 and released a report on “Privacy Concerns on Electronic Food Ordering at Restaurants” on 29 January. A leaflet containing tips on protecting privacy when ordering food electronically was published at the same time.
1. Complaint Cases
In 2023, the PCPD received 3,582 complaints, which represented a decrease of 7% when compared to 3,848 cases in 2022. This was mainly attributable to a decrease in the number of doxxing cases handled in the past year. Of these complaint cases, nearly 92% involved complaints against private organisations or individuals (3,284 cases), while the remaining 8% were against public organisations or government departments (298 cases).
2. Enquiries
The PCPD received a total of 15,914 public enquiries in 2023. The figure increased by 7% when compared to 14,929 cases in 2022. The PCPD handled over 1,300 public enquiries on average per month. Among the public enquiries received in 2023, 32% related to the collection and use of personal data (e.g. Hong Kong Identity Card (HKID card) numbers and/or copies). The other main types of enquiries were about the complaint handling policy of the PCPD (8%), application of the Personal Data (Privacy) Ordinance (PDPO) (6%), and access to and correction of personal data (6%), etc. In 2023, the PCPD received 793 enquiries relating to suspected personal data frauds, which represented an increase of 12% when compared to 707 similar enquiries for 2022.
3. Data Breach Incidents
In 2023, the PCPD received 157 data breach notifications, 48 from the public sector and 109 from the private sector. The figure represented a significant increase of nearly 50% as compared to 105 data breach notifications in 2022. The incidents involved hacking, loss of documents or portable devices, inadvertent disclosure of personal data by email, post or fax, employee misconduct and system misconfiguration, etc. The number of data breach incidents involving hacking more than doubled, from 29 cases in 2022 (28% of that year’s data breach incidents) to 64 cases in 2023 (41%). The PCPD initiated 393 compliance checks in 2023, comparable to the 392 compliance checks in 2022.
4. Anti-Doxxing Regime
The provisions criminalising doxxing acts under the PDPO came into effect on 8 October 2021. The amendments empower the Privacy Commissioner for Personal Data to carry out criminal investigations, institute prosecutions for doxxing-related offences and issue cessation notices requesting the cessation of disclosure of doxxing messages.
Enforcement Actions in 2023
In 2023, the PCPD handled a total of 756 doxxing cases (including doxxing-related complaints received and doxxing cases uncovered by the PCPD’s proactive online patrols). The figure dropped significantly, by 57%, when compared to 1,764 cases in 2022. Among the aforesaid 756 doxxing cases, 525 were doxxing complaints received by the PCPD. The disputes leading to these 525 doxxing acts were mainly monetary disputes (43%) and family and relationship disputes (20%). In the same period, the PCPD issued a total of 378 cessation notices to 23 online platforms to request the removal of 10,682 doxxing messages, with a compliance rate of over 95%. Other than individual doxxing messages, 117 doxxing channels were also successfully removed by the cessation notices.
The PCPD initiated 140 criminal investigations in 2023, and 31 cases were referred to the Police for further follow-up actions. As regards arrest operations, the PCPD mounted a total of 30 arrest operations in 2023 (including two arrests made as joint operations with the Police). A total of 31 suspects were arrested. The means used by the doxxers were mainly social media platforms and instant messaging apps (90%), as well as posters (7%) and mail (3%).
Summary of Enforcement Actions under the New Anti-doxxing Regime
From the effective date (8 October 2021) of the relevant provisions to 31 December 2023, the PCPD handled a total of 2,884 doxxing cases (including doxxing-related complaints received and doxxing cases uncovered by the PCPD’s proactive online patrols). The PCPD also issued a total of 1,878 cessation notices to 41 online platforms to request the removal of 28,385 doxxing messages, with a compliance rate of over 95%. Other than individual doxxing messages, 192 doxxing channels were successfully removed by the cessation notices.
From the effective date (8 October 2021) of the relevant provisions to 31 December 2023, the PCPD initiated 254 criminal investigations, and 63 cases were referred to the Police for further follow-up actions. As regards arrest operations, the PCPD mounted a total of 42 arrest operations in the same period (including three arrests made as joint operations with the Police). A total of 43 suspects were arrested.
5. Report on “Privacy Concerns on Electronic Food Ordering at Restaurants” and Leaflet on “Food Ordering Using Mobile Apps or QR Codes at Restaurants: Tips for Protecting Privacy”
There is an increasing number of restaurants offering electronic ordering services that allow customers to order food by using a mobile application (app) or scanning a QR code. However, the PCPD noted that restaurants may collect personal data of customers when they provide these electronic ordering services, which raises concerns in the society. As such, the PCPD paid visits to 60 local restaurants from November 2023 to January 2024 to carry out tests on the collection and use of customers’ personal data by the restaurants concerned in the provision of electronic food ordering services. The PCPD published the findings in a report on “Privacy Concerns on Electronic Food Ordering at Restaurants” and the leaflet on “Food Ordering Using Mobile Apps or QR Codes at Restaurants: Tips for Protecting Privacy” on 29 January. According to the review results, the PCPD’s overall observations on the protection of customers’ privacy by the restaurants reviewed are as follows:
- All restaurants reviewed offered means for non-electronic food ordering;
- Four restaurants that offered QR code ordering services collected personal data of customers;
- Four restaurants that provided mobile apps ordering services required customers to register an account;
- Some restaurants that allowed customers to place orders through mobile apps in the capacity of guests still required customers to provide their personal data; and
- All restaurants that provided mobile apps ordering services also used customers’ personal data for user tracking and direct marketing.
Through this review, the PCPD would like to provide the following tips on privacy protection to citizens:
Food Ordering through Mobile Apps
- Understand the information to be accessed, collected or shared by the apps before deciding whether to download and use the apps. Download the apps via official channels;
- Consider whether to use the mobile apps and create an account solely for restaurant dining purposes;
- When ordering as a guest using the app, consider whether the types of personal data to be collected are necessary and not excessive, and whether the order could be placed without providing such data;
- Read the Personal Information Collection Statement carefully to understand the purpose(s) and use(s) of personal data collected by the restaurant;
- Determine the access permission of the apps based on actual needs, and check the default security or privacy settings in order to opt for the most privacy-protecting setting; and
- Pay attention to whether the mobile apps provide an option for customers to choose whether they accept direct marketing, and make corresponding choices based on personal needs.
Scanning QR Codes for Food Ordering
- Stay alert before scanning QR codes. Pay attention to whether the codes have been tampered with, and do not scan any codes from unknown sources;
- Check the authenticity of the related websites and third-party ordering platforms;
- Check whether it is possible to place orders without providing personal data, or provide only the minimum amount of personal data required to place orders;
- Use the built-in QR code scanner on mobile phones as far as practicable; and
- Do not share the QR codes for food ordering on social media platforms to prevent the possibility of third parties using the QR codes to place orders and potentially causing financial losses.
The PCPD provides the following advice to the food and beverage industry regarding the use of electronic ordering services:
- Provide food ordering means to customers which do not involve the collection of personal data;
- Restaurants offering mobile apps for food ordering should allow customers to place orders as guests (without registration) without collecting their personal data, or collecting only the minimum amount of personal data needed for the order;
- Consider the necessity of collecting customers’ personal data via QR code for food ordering. Where the collection of personal data is involved, provide a Personal Information Collection Statement to stipulate, among other things, the purpose(s) and use(s) of the personal data collected;
- If customers’ personal data is intended to be used for direct marketing purposes, inform customers and seek their consent. The consent option should not be set to “agree” by default;
- If a third-party service provider is to be engaged to provide the food ordering platform, ensure that the platform has adequate information security measures to safeguard the personal data collected from customers;
- Regularly check whether the QR codes for ordering food have been maliciously tampered with; and
- Formulate a clear data retention policy and regularly delete obsolete or unnecessary customer data so as to minimise the risk of data leakage.
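Two of the checks above, confirming the authenticity of the site a QR code points to and spotting a code that has been swapped for one pointing elsewhere, come down to validating the URL the code decodes to before it is opened. The following Python is an added example, not code from the PCPD report or from any ordering platform; the allowlisted hostnames, the redirect parameter names and the sample payloads are all constructed for illustration.

```python
"""Validate the URL decoded from a restaurant ordering QR code before it is opened.

Added example; not code from the PCPD report or from any ordering platform.
ALLOWED_HOSTS, REDIRECT_PARAMS and SAMPLE_PAYLOADS are constructed for illustration.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumed: the restaurant knows the exact hostnames its ordering pages live on.
ALLOWED_HOSTS = {"order.example-restaurant.hk", "menu.example-ordering.com"}

# Query parameters often abused as open redirects; flagged if they carry an off-list URL.
REDIRECT_PARAMS = {"redirect", "url", "next", "return", "goto"}


def check_qr_payload(payload: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for an https URL whose host is exactly
    on the allowlist, carries no userinfo, no punycode and no off-list redirect."""
    try:
        parts = urlsplit(payload.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, expected https"

    # 'https://order.example-restaurant.hk@evil.example/' puts the lookalike in the
    # username and the real destination in the hostname, so reject any userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present (credential-in-URL trick)"

    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"

    # Non-ASCII or punycode labels are the usual vehicle for homograph lookalikes.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "non-ASCII or punycode host (possible homograph)"

    try:
        ipaddress.ip_address(host)
        return False, "raw IP address host"
    except ValueError:
        pass

    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not on allowlist"
    if port not in (None, 443):
        return False, f"unexpected port {port}"

    # Reject redirect-style parameters that would bounce the customer off-list.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                target = (urlsplit(value).hostname or "").lower()
                if target and target not in ALLOWED_HOSTS:
                    return False, f"parameter {key} redirects to {target}"
    return True, "ok"


# Constructed sample payloads: one genuine code and six tampered or lookalike ones.
SAMPLE_PAYLOADS = [
    "https://order.example-restaurant.hk/t/12?table=12",
    "http://order.example-restaurant.hk/t/12",
    "https://order.example-restaurant.hk@evil.example/t/12",
    "https://order.example-restaurant.hk.evil.example/t/12",
    "https://xn--rder-2ra.example-restaurant.hk/t/12",
    "https://menu.example-ordering.com/r/77?redirect=https://evil.example/login",
    "https://203.0.113.5/t/12",
]


def scan(payloads=SAMPLE_PAYLOADS) -> list[tuple[str, bool, str]]:
    """Check every payload and return (payload, ok, reason) for each."""
    return [(p, *check_qr_payload(p)) for p in payloads]


if __name__ == "__main__":
    for payload, ok, reason in scan():
        print("PASS" if ok else "FAIL", reason, "<-", payload)
```

The allowlist is matched on the exact host, not on a suffix: a code pointing at a subdomain of a domain the attacker controls (the fourth sample) fails just like any other unknown host, and the same check applies to the target of any redirect-style parameter.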
Please click here to download the report on “Privacy Concerns on Electronic Food Ordering at Restaurants” (Chinese only).
Please click here to download the leaflet on “Food Ordering Using Mobile Apps or QR Codes at Restaurants: Tips for Protecting Privacy”.
Good Data Governance – Develop Your Organisation’s Oversight and Review Plan
PRIVACY COMMISSIONER’S FINDINGS
A Staff Member of a Sports Organisation Accidentally Uploaded and Transmitted the Personal Data of Event Participants
Data Privacy and the Use of Mobile Applications
A 31-year-old Male Arrested for Suspected Doxxing of a Taxi Driver
Global Data Breach Involving Various Social Media and Online Platforms – the PCPD Reminds Platform Users to Stay Vigilant
Promoting Data Protection in the Age of AI, The Faculty of Law of the University of Hong Kong Co-organises an International Conference with the PCPD
A 42-year-old Male Convicted and Sentenced for Doxxing Another Person Because of Monetary Dispute
The PCPD has Completed Compliance Checks of All Credit Reference Agencies in Hong Kong to Ensure the Data Security of Credit Reference Databases
Response of the PCPD on the Social Welfare Department’s Data Breach Incident
Appointment of Two New Members to the Standing Committee on Technological Developments of the PCPD
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Promoting Responsible Sharenting – Privacy Commissioner Publishes an Article Entitled “Think Twice Before Sharing Your Children’s Lives Online”
Reaching Out to the Media – The Privacy Commissioner Attends the 8th Media Convergence Awards Presentation Ceremony
Promoting Ethical and Responsible Use of AI – Privacy Commissioner Publishes an Article in Banking Today
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Speaks at the Briefing on the Standard Contract for Cross–boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong)
Reaching Out to the Community – Privacy Commissioner Attends the Hong Kong Volunteer Award Presentation Ceremony 2023
Reaching Out to the Community – PCPD Representative Attends the Press Conference on the Release of “Survey on ‘Sharenting’ and Protecting Children’s Digital Privacy”
PCPD Issues Leaflet on “Note for Job Applicants on Disclosure of Criminal Records”
Highlights of the “Regulations on the Protection of Minors in Cyberspace” (《未成年人網絡保護條例》)
EU: CJEU Issues Judgment on Sensitive Data Processing and Compensation under GDPR
Spain: AEPD Publishes Guide on Audience Measurement Cookies
A View from Brussels: European Strategy for Data Takes Shape
Key Developments in Thailand’s PDPA Regulations
Good Data Governance – Develop Your Organisation’s Oversight and Review Plan
Many organisations have implemented a Personal Data Privacy Management Programme (PMP). To ensure the effectiveness of the PMP and maintain good data governance, the PMP should be seen as an ongoing process which involves continuous monitoring and assessment of the measures, policies and procedures of the PMP, and making necessary amendments. Therefore, developing an oversight and review plan is essential for organisations to keep their PMP on track and up to date. An effective oversight and review plan must:
- Cover the implementation of all programme controls;
- Cover all policies and procedures related to personal data privacy;
- State when and how assessments should be conducted, by whom, and establish clear assessment criteria;
- Include periodic assessments (at least once a year), and
- Be endorsed by the top management.
Here is a sample oversight and review plan for reference:
PRIVACY COMMISSIONER’S FINDINGS
A Staff Member of a Sports Organisation Accidentally Uploaded and Transmitted the Personal Data of Event Participants
Background
A sports organisation reported to the PCPD that a staff member accidentally uploaded a file to the organisation’s website and sent it to participants via email. This file contained the names, phone numbers and email addresses of 308 event participants and was sent along with competition information.
Remedial Measures
Upon receiving the notification from the sports organisation, the PCPD initiated a compliance check. The organisation informed the PCPD that it had enhanced its personal data handling procedures in response to the incident. These measures included a protocol for naming files that contain personal data so that they are easily identified and the risk of selecting the wrong file is reduced. Managerial staff are also now required to review files containing personal data before they are uploaded to the website or sent via email. The organisation also held a meeting with all employees to explain the new procedures and stressed the importance of compliance.
Lessons Learnt
Data breach incidents are often caused by human errors. Therefore, it is essential for data users to continuously raise employees’ awareness of the importance of data protection and to provide them with proper training on personal data handling. Establishing clear and effective procedures and guidelines for handling personal data is imperative. Moreover, implementing measures such as regular reminders and audits is essential to ensure adherence to these procedures.
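The review step the organisation adopted, a second pair of eyes on any file carrying personal data before it is uploaded or attached, can be backed by an automated check on the outgoing file. The following Python is an added example and not the organisation’s procedure or any PCPD tool; the sample attachment text is constructed, and the HKID check-digit rule it applies is the commonly documented scheme (an assumption of this example, not something the page states), used so that letter-and-digit codes such as booking references are not counted as identity card numbers.

```python
"""Pre-send scan of an outgoing file for Hong Kong personal-data patterns.

Added example; not the sports organisation's procedure or a PCPD tool.
SAMPLE_ATTACHMENT is constructed. The HKID check-digit rule is the commonly
documented scheme and is an assumption of this example, not stated on the page.
"""
import re

# HKID: one or two letters, six digits, check digit 0-9 or A, brackets optional.
HKID_RE = re.compile(r"\b([A-Z]{1,2})(\d{6})\(?([0-9A])\)?(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Hong Kong numbers: eight digits, optional +852 prefix, optional space or hyphen.
HK_PHONE_RE = re.compile(r"(?<!\d)(?:\+?852[\s-]?)?\d{4}[\s-]?\d{4}(?!\d)")


def hkid_check_digit_ok(letters: str, digits: str, check: str) -> bool:
    """Assumed scheme: A=10..Z=35, a missing second letter counts as 36,
    weights 9 down to 2 over the eight positions, and the weighted sum plus
    the check digit (A standing for 10) must be divisible by 11."""
    prefix = letters.rjust(2, " ")
    values = [36 if c == " " else ord(c) - 55 for c in prefix]
    values += [int(c) for c in digits]
    total = sum(v * w for v, w in zip(values, range(9, 1, -1)))
    check_value = 10 if check == "A" else int(check)
    return (total + check_value) % 11 == 0


def scan_text(text: str) -> dict:
    """Count personal-data items; an HKID match is counted only when its check
    digit validates, so booking references and SKUs do not inflate the count."""
    hkids = [m.group(0) for m in HKID_RE.finditer(text)
             if hkid_check_digit_ok(m.group(1), m.group(2), m.group(3))]
    return {
        "hkid": len(hkids),
        "email": len(EMAIL_RE.findall(text)),
        "phone": len(HK_PHONE_RE.findall(text)),
    }


def should_block(findings: dict, max_subjects: int = 1) -> bool:
    """Block if any HKID number is present or if more contact records appear than
    one message to one participant would need; a whole participant list trips it."""
    return findings["hkid"] > 0 or max(findings["email"], findings["phone"]) > max_subjects


# Constructed: competition information with the participant list wrongly appended.
SAMPLE_ATTACHMENT = """\
Competition timetable: heats 09:00, finals 14:30 at Hall B.
Venue booking reference BX998877 (not an identity card number).
---- internal participant list, not for circulation ----
Chan Tai Man, A123456(3), tmchan@example.com, 9123 4567
Lee Siu Ming, XA987654(2), sm.lee@example.net, +852 6234 5678
Wong Ka Yan, A123456(4), kywong@example.org, 5345 6789
"""


if __name__ == "__main__":
    found = scan_text(SAMPLE_ATTACHMENT)
    print(found, "BLOCK" if should_block(found) else "ALLOW")
```

Run against the constructed attachment, the scan counts two validated HKID numbers (the third has a wrong check digit and is ignored), three email addresses and three phone numbers, and blocks the send; the same message with a single recipient’s own contact details and no identity card number would pass. A check like this is a safety net for the manual review, not a replacement for it, since a file of names alone would not trip it.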
Data Privacy Protection and the Use of Mobile Applications
In the digital age, mobile devices are widely used and mobile applications have become an essential part of our daily lives. A wide range of free or paid mobile applications with various functions is available for users to download and use, including social networking, entertainment and business operations. However, while enjoying the convenience brought by these mobile applications, are you aware of the type and amount of personal data you have provided to the application developers?
Here are some practical tips to help you avoid malicious applications and limit the personal data collected by mobile application developers:
Before Installing Mobile Applications
- Avoid potentially harmful applications by limiting download sources to official application stores, such as those provided by your device’s manufacturer or operating system;
- Do not download any mobile applications from unknown sources or install untrusted enterprise certificates;
- Read the reviews and research the developer before downloading and installing an application;
- Review the permissions the application is requesting and decide whether the personal data it asks to access is related to the purpose of the application; and
- Always read the Privacy Policy carefully when downloading an application to understand what personal data will be accessed, shared and how it will be used.
After Installing Mobile Applications
- Review the permission settings of the applications periodically;
- Ensure your installed applications have access only to the information they need and remove unnecessary permissions;
- Consider removing applications with excessive permissions, especially those that have access to your contact list, camera, storage, location and microphone;
- Keep your applications up to date and install updates promptly: out-of-date software is exposed to exploitation through known vulnerabilities and to malware;
- Uninstall applications that you do not use to prevent unnecessary data collection; and
- Be cautious when signing into applications with social network accounts. In such cases, applications may collect personal data from your social network profiles.
Promoting Responsible Sharenting – Privacy Commissioner Publishes an Article Entitled “Think Twice Before Sharing Your Children’s Lives Online”
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Think Twice Before Sharing Your Children’s Lives Online”.
The Privacy Commissioner pointed out that the growing popularity of sharenting as reflected by a recent survey has called for parents to reconsider the underlying privacy risks and potential long-term impacts on children. With digital footprints being difficult to erase completely, she encouraged parents to place their children’s well-being as the top priority and think twice before sharing their lives online. She also encouraged parents to show respect to their children’s privacy rights by communicating with them and seeking their views before posting any materials about them.
The PCPD published a pamphlet entitled “Sharenting Dos and Don’ts” earlier to provide helpful tips for parents on responsible sharenting.
The article was published in South China Morning Post, HK01, Hong Kong Economic Journal, Hong Kong Economic Times, Ming Pao, Sing Tao Daily, and Wen Wei Po on 25 January 2024.
Please click here to read the article in Chinese.
Please click here to read the article in English.
Reaching Out to the Media – The Privacy Commissioner Attends the 8th Media Convergence Awards Presentation Ceremony
On 16 January, Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 8th Media Convergence Awards Presentation Ceremony cum the 15th Anniversary Dinner of the Hong Kong Association of Interactive Marketing (HKAIM) and presented prizes to the winning media organisations. Organised by the HKAIM, the Media Convergence Awards aim to recognise the outstanding performance of local media in the fields of television, radio, newspapers and magazines in the past year, commending their efforts in utilising technology to disseminate news and information.
Promoting Ethical and Responsible Use of AI – Privacy Commissioner Publishes an Article in Banking Today
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “AI and Ethics: Ensuring the Responsible Use of Generative AI in Banking” in Banking Today, a bi-monthly journal of the Hong Kong Institute of Bankers, where she outlined the potential benefits of generative AI on the banking industry, analysed the technology’s associated privacy and ethical risks, and introduced the evolving regulatory landscape of AI.
In the article, the Privacy Commissioner pointed out that the PCPD published the “Guidance on the Ethical Development and Use of Artificial Intelligence” in August 2021 to help organisations develop and use AI systems in a privacy-friendly and ethical manner.
She called on practitioners in the banking industry to collaboratively craft a proper regulatory framework and establish norms to enable the development and use of AI in a privacy-friendly and ethical manner.
Please click here to read the article.
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Speaks at the Briefing on the Standard Contract for Cross–boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong)
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the briefing on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (GBA SC) on 5 January and gave an address. The Privacy Commissioner explained the facilitation measures introduced by the GBA SC for cross boundary flow of personal information within the GBA to enterprises from different sectors, and encouraged enterprises to adopt the GBA SC for cross-boundary transfers of personal information within the GBA.
The Privacy Commissioner sincerely thanked the Cyberspace Administration of China for its staunch support in promoting cross-boundary flow of personal information within the GBA. She also introduced the “Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” published by the PCPD on 13 December 2023 to help enterprises in Hong Kong understand the applicability of the GBA SC and related contractual clauses.
Please click here for the Privacy Commissioner's address (Chinese only).
Please click here for the Privacy Commissioner's presentation deck (Chinese only).
Reaching Out to the Community – Privacy Commissioner Attends the Hong Kong Volunteer Award Presentation Ceremony 2023
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong Volunteer Award Presentation Ceremony 2023 and presented prizes to the awardees on 3 January.
The Hong Kong Volunteer Award is co-organised by the Home and Youth Affairs Bureau and the Agency for Volunteer Service. It is dedicated to recognising the contributions and achievements of outstanding volunteers, young volunteers and teams, corporations, cross-sectoral partnership projects, schools, etc.
Reaching Out to the Community – PCPD Representative Attends the Press Conference on the Release of “Survey on ‘Sharenting’ and Protecting Children’s Digital Privacy”
Acting Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) of the PCPD Ms Hermina NG attended the press conference on the release of “Survey on ‘Sharenting’ and Protecting Children’s Digital Privacy” held by the Chinese YMCA of Hong Kong on 14 January. Ms NG shared with participants what parents should watch out for before they publish any post about their children’s daily lives online, so as to safeguard children’s privacy. She also introduced to the participants the pamphlet entitled “Sharenting Dos and Don’ts” published by the PCPD, which provides tips for parents before they publish any post about their children’s daily lives online.
PCPD Issues Leaflet on “Note for Job Applicants on Disclosure of Criminal Records”
Job applicants may be asked to provide personal data (including criminal records) when they apply for jobs. As data subjects, job applicants’ personal data privacy is protected under the PDPO. As regards the disclosure of criminal records, according to the Rehabilitation of Offenders Ordinance (ROO), a rehabilitated individual does not have to disclose spent conviction records unless any of the exceptions under the ROO apply, for example, when applying for admission as a barrister, solicitor or an accountant, for a job in the disciplined services or for appointment as a senior civil servant or judicial officer.
To enable members of the public (in particular rehabilitated individuals) better understand the relevant legal requirements, the PCPD published a leaflet on “Note for Job Applicants on Disclosure of Criminal Records”.
Please click here to download the “Note for Job Applicants on Disclosure of Criminal Records”.
A 31-year-old Male Arrested for Suspected Doxxing of a Taxi Driver
The PCPD arrested a Chinese male aged 31 in the New Territories on 26 January. The arrested person was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim, who is a taxi driver, had rented a taxi from the arrested person since September 2023, and the victim had provided a copy of his HKID card to the arrested person for identity verification purposes. In November 2023, the rental arrangement was terminated by mutual agreement. Disputes, however, subsequently ensued between the parties. In December 2023, a message containing allegations against the victim was posted in an open discussion group on a social media platform, alongside a partly redacted copy of his HKID card which showed particulars of his personal data, including his Chinese name, English name, HKID card number, gender and a photo of him.
The PCPD reminds members of the public that they should not dox others because of personal disputes. Identity cards contain sensitive personal data. Disclosing or reposting copies of identity cards without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a maximum fine of $1,000,000 and imprisonment for up to five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
  - with an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
Global Data Breach Involving Various Social Media and Online Platforms – the PCPD Reminds Platform Users to Stay Vigilant
The PCPD noted overseas media reports that researchers at cybersecurity information websites had uncovered global data breach incidents affecting various online platforms. The breaches were said to involve 12 terabytes of information containing 26 billion records of personal data. It was also reported that the majority of the leaked data might have come from previous data breach incidents, involving user records worldwide from various social media and online platforms such as Tencent QQ, Weibo, X, LinkedIn, Adobe, Dropbox and Telegram, etc.
Although there is no further information at this stage on whether users in Hong Kong are affected, given that a huge amount of personal data is involved and the affected platforms include social media and online platforms commonly used by citizens in Hong Kong, the PCPD reminds users of the relevant platforms to stay vigilant and guard against potential theft of their personal data. In particular, hackers may make use of the leaked data to perpetrate frauds, including phishing scams and fraudulently using users’ identities to borrow money. If members of the public are concerned about whether their personal data have been leaked, they may make enquiries with the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk) or the organisations concerned. To protect personal data privacy, users of the relevant social media and online platforms are also advised to take the following measures:
- Consider changing the passwords of the online accounts concerned and activate the multi-factor authentication function (if available);
- Beware of any unusual logins of personal emails or accounts;
- If they suspect that their credit card information has been leaked, they should contact the credit card company or apply for a replacement;
- Stay vigilant when they receive any suspicious calls, text messages or emails from unknown sources, do not open attachments or disclose personal data arbitrarily; and
- Be vigilant against phishing or other possible scams.
Promoting Data Protection in the Age of AI, The Faculty of Law of the University of Hong Kong Co-organises an International Conference with the PCPD
To promote data protection in the development and use of artificial intelligence (AI), the Programme on Artificial Intelligence and the Law of the Faculty of Law and the AI & Humanity Lab of the University of Hong Kong co-organised an international conference with the PCPD. The Conference, entitled “Enhancing Personal Data Protection in the Age of Artificial Intelligence”, was held on 10 and 11 January and attracted over 330 participants. Professor Max Shen, Vice-President and Pro-Vice-Chancellor (Research) of the University of Hong Kong, and the Privacy Commissioner Ms Ada Chung Lai-ling gave welcome remarks respectively. Professor Shen mentioned the impact AI has had on our society and looked forward to an in-depth dialogue at the conference for shaping a positive future in this domain. In the Privacy Commissioner’s welcome remarks, she highlighted the rapid evolution of AI, its influence on our daily lives, and the associated personal data protection challenges. Noting that the global nature of the challenges required a global solution, both Professor Shen and the Privacy Commissioner called for an open dialogue in the society to advance personal data protection in the era of AI. The Privacy Commissioner also participated in a panel discussion at the Conference. The panel discussion, titled “Addressing the Risks of AI from the Regulatory Perspective”, was joined by privacy commissioners, senior representatives or privacy experts from California, Japan, Singapore and the United Kingdom. The Privacy Commissioner gave an account of the work of the PCPD in addressing the risks posed by the rapid development of AI, including Generative AI. She also explained the guidance materials relating to AI published by the PCPD and the Government’s AI initiatives to the participants. The two-day conference served as a platform for academia, AI experts and stakeholders from around the world to delve into AI’s implications for personal data protection. 
The event featured keynote speakers from the University of Pennsylvania and Georgetown University, and distinguished speakers from universities including the University of Hong Kong, Tsinghua University, Peking University, Harvard University and the University of Oxford. Representatives from industry such as Meta, Microsoft, Tencent and Ant Group, regulators from various jurisdictions, and practitioners from law firms also shared their insights, enriching the dialogue on enhancing personal data protection in the AI era from multiple perspectives.
|
A 42-year-old Male Convicted and Sentenced for Doxxing Another Person Because of Monetary Dispute
|
On 12 January, the Shatin Magistrates’ Court convicted a 42-year-old male, Mr WONG Ho-loon (the defendant), of two charges of a doxxing offence upon his guilty plea. The Court on the same day sentenced the defendant to two months’ imprisonment, suspended for two years. Privacy Commissioner Ms Ada CHUNG Lai-ling welcomed the court’s ruling.
Background of the Case
The victim had a monetary dispute with a third party in 2020. Subsequently, in September and December 2022, the defendant posted two messages containing the victim’s personal data on a personal account on a social media platform, demanding settlement of the outstanding loan from the victim. The personal data disclosed included the victim’s English name, mobile phone number and photos, and a copy of the victim’s HKID card showing his Chinese name, English name, HKID card number, date of birth, gender and photo. The PCPD arrested the defendant on 27 July 2023. Upon legal advice obtained from the Department of Justice, two charges of “disclosing personal data without consent”, contrary to section 64(3A) of the PDPO, were laid against him on 29 December 2023 in respect of the doxxing acts.
Court Proceedings
The defendant pleaded guilty to both charges at the Shatin Magistrates’ Court and was convicted on 12 January 2024 in relation to the two disclosures of the victim’s personal data on a social media platform in September and December 2022, made without the victim’s consent and with an intent to cause specified harm to the victim or his family members, or being reckless as to whether specified harm would be (or would likely be) caused to the victim or his family members.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
|
The PCPD has Completed Compliance Checks of All Credit Reference Agencies in Hong Kong to Ensure the Data Security of Credit Reference Databases
|
The PCPD published an investigation report on the unauthorised access to credit data in the TE Credit Reference System in June 2023. In the light of the findings of that report and the concern raised by the community about the handling of borrowers’ credit data by credit reference agencies in Hong Kong, the PCPD proactively commenced compliance checks of all credit reference agencies in Hong Kong to ensure the protection of borrowers’ personal data privacy and the data security of credit reference databases. The compliance checks ascertained whether the security measures and retention periods adopted by credit reference agencies for borrowers’ credit data comply with the requirements of the PDPO. The PCPD has now completed the compliance checks and, in the course of the checks, found no contravention of the PDPO as regards security measures and retention periods. Through the compliance checks, the PCPD also made the following recommendations to all credit reference agencies with a view to enhancing their data security measures:
- Establish and thoroughly implement a Privacy Management Programme to incorporate the protection of personal data privacy into the organisation’s data governance responsibility;
- Appoint a Data Protection Officer for overseeing compliance with the PDPO;
- Adopt effective measures to monitor the access to credit reference databases, and regularly review the implementation and effectiveness of the measures;
- Stipulate policies and measures regarding the handling of consumers’ credit data, review them in a timely manner, and regularly review their implementation and effectiveness; and
- Strengthen employee training on data protection to ensure they have a thorough understanding of the PDPO.
Any person who suspects that his or her credit data has been accessed inappropriately, or retained for longer than necessary, may enquire with the relevant credit reference agencies, or make enquiries or complaints to the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk/complaints@pcpd.org.hk).
|
Response of the PCPD on the Social Welfare Department’s Data Breach Incident
|
The PCPD received a data breach notification from the Social Welfare Department on 4 January, reporting that about 1,300 data subjects had been affected. The PCPD noted that the relevant department had already notified all affected data subjects, and the PCPD has commenced a compliance check into the incident in accordance with established procedures.
Having considered that the incident involved the leakage of personal data, the PCPD appeals to the affected persons to make enquiries or complaints with the PCPD or the relevant department if they suspect that their personal data have been leaked. As of 9 January, the PCPD has not received any enquiries or complaints regarding the incident.
The PCPD calls on the affected persons to be vigilant about potential theft of their personal data and to take the following measures to protect personal data privacy:
- Stay vigilant when they receive any suspicious calls, text messages or emails from unknown sources;
- Do not open attachments in text messages or emails from unknown sources, and do not disclose personal data indiscriminately; and
- Be vigilant against phishing or other possible scams.
|
Appointment of Two New Members to the Standing Committee on Technological Developments of the PCPD
|
On 29 December 2023, Privacy Commissioner Ms Ada CHUNG Lai-ling announced the appointment of two new members, Prof Pascale FUNG and Dr Gregg LI, to the Standing Committee on Technological Developments (SCTD) of the PCPD for a two-year term from 1 January 2024 to 31 December 2025.
Professor Pascale FUNG is a Chair Professor at the Department of Electronic and Computer Engineering at The Hong Kong University of Science and Technology (HKUST) and a visiting professor at the Central Academy of Fine Arts in Beijing. She is an elected Fellow of the Association for the Advancement of Artificial Intelligence (AAAI), an elected Fellow of the Association for Computational Linguistics (ACL), a Fellow of the Institute of Electrical and Electronics Engineers (IEEE) and an elected Fellow of the International Speech Communication Association (ISCA). Prof Fung is the Director of the HKUST Centre for AI Research (CAiRE) and an affiliated faculty member of the Robotics Institute and the Big Data Institute at HKUST.
Dr Gregg LI is the founding director and President of Orion Astropreneur Space Academy. He has served as an Adjunct Professor at various universities including the University of Hong Kong, the Chinese University of Hong Kong, the Hong Kong Polytechnic University and Tsinghua University. Educated as a systems engineer and organisational and technology architect, Dr Li has over four decades of experience assisting companies and family businesses in finding common ground for transformation and adopting management practices for hyper-change and growth.
Separately, three incumbent members, Mr Jason LAU, Professor the Hon William WONG Kam-fai, MH and Professor S M YIU, have been re-appointed to the SCTD as members for the period from 1 January 2024 to 31 December 2025.
The Privacy Commissioner would also like to take the opportunity to thank all members of the SCTD, and in particular the outgoing member, Mr Francis FONG, for their invaluable contributions and advice to the SCTD over the years. With effect from 1 January 2024, the members of the SCTD (in alphabetical order of surname) are as follows:
- Ms Ada CHUNG Lai-ling (Privacy Commissioner) (Co-chairperson)
- Ms Cecilia SIU (Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs & Research)) (Co-chairperson)
- Ir Alex CHAN
- Mr Alan CHEUNG
- Professor Pascale FUNG (new member)
- Mr Jason LAU
- Dr Gregg LI (new member)
- Professor the Hon William WONG Kam-fai, MH
- Professor S M YIU
The SCTD was established to advise the Privacy Commissioner on, among other things, the impacts of the developments in the processing of data and information technology on the privacy of individuals in relation to personal data. It comprises distinguished external members of exceptional calibre from the information and communications technology industry, particularly experts in fields such as information security, cybersecurity and artificial intelligence. The diversity of experts from academic and corporate backgrounds also ensures a broad representation of perspectives and insights, which assists the Privacy Commissioner in formulating policies and recommendations to address technological developments while safeguarding privacy in relation to personal data.
|
Highlights of the “Regulations on the Protection of Minors in Cyberspace” (《未成年人網絡保護條例》)
|
To create a positive cyberspace environment for minors that is conducive to their physical and mental well-being and to protect their legitimate rights and interests, the “Regulations on the Protection of Minors in Cyberspace” (the Regulations) were promulgated by the State Council on 24 October 2023 [1]. The Regulations came into effect on 1 January 2024 and clarify the responsibilities of the government departments in charge of, among other areas, cyberspace and information technology, press and publication, public security, and market regulation in protecting minors in cyberspace, with overall coordination of that work assigned to the national cyberspace administration. The Regulations comprise 60 articles in 7 chapters. The highlights are as follows:
Scope of Application
Although the Regulations do not define the term “minor”, under the Law on the Protection of Minors [2] a minor generally means a citizen of China under the age of eighteen [3]. The Regulations apply to providers of network products and services, personal information processors, and manufacturers and sellers of smart terminal products [4].
Requirements on Online Information Content
The main requirements of the Regulations on online information content include:
- No organisation or individual may produce, copy, publish or disseminate online information that harms, or may affect, the physical or mental health of minors [5];
- Providers of network products and services must not present information that may affect the physical or mental health of minors in prominent positions or attention-grabbing key parts of a product or service, such as the home page or first screen, pop-ups and trending searches, and must not conduct commercial marketing to minors by means of automated decision-making [6];
- Providers of network products and services should establish and improve mechanisms for the early warning and prevention, identification and monitoring, and handling of cyberbullying [7];
- Providers of online education products and services aimed at minors should provide products and services appropriate to the physical and mental development and cognitive abilities of minors of different age groups [8].
Requirements on the Protection of Personal Information Online
Building on the Personal Information Protection Law and other laws and regulations, the Regulations further refine the rules for protecting the personal information of minors, including:
- Network service providers that offer information publishing, instant messaging and similar services to minors must, in accordance with the law, require the minor or the minor’s guardian to provide the minor’s real identity information [9];
- Live-streaming service providers should establish a mechanism for dynamically verifying the real identity information of live-stream publishers [10];
- A minor or the minor’s guardian may request to access, copy, correct, supplement or delete the minor’s personal information [11];
- Personal information processors should apply the principle of minimum authorisation to their staff, strictly set access permissions, and limit the range of staff who may know the personal information of minors [12];
- Where a leakage, tampering or loss of minors’ personal information occurs or may occur, the personal information processor must immediately activate its personal information security incident contingency plan, take remedial measures, and promptly report to the cyberspace administration and other relevant departments [13];
- Personal information processors should, by themselves or by engaging a professional body, conduct an annual compliance audit of their handling of minors’ personal information and promptly report the audit results to the cyberspace administration and other relevant departments [14];
- Where a network service provider discovers private information of a minor, or private information within personal information published online by a minor, it should promptly issue a warning and take necessary protective measures, such as stopping transmission, to prevent the information from spreading [15].
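The minimum-authorisation requirement above (access limited to approved staff, recorded, and backed by technical measures, see footnote 12) and the PCPD’s recommendation earlier in this issue that credit reference agencies monitor access to their databases both come down to the same control. The following Python is an added example, not code from the PCPD, this newsletter or any regulator, of what that control looks like in practice: a role ceiling, a scoped and time-limited sign-off by a responsible officer, an audit log that records denied as well as granted reads, and a simple monitoring rule run over that log. The roles, field names, staff identifiers and the single sample record are constructed for illustration.

```python
"""Added example (not code from the PCPD newsletter or from any regulator): a
least-privilege gate over records about minors. Every read needs a role permitted
to see the requested fields and an unexpired sign-off from a responsible officer
covering those fields, and is appended to an audit log whether granted or denied.
Roles, field names, staff IDs and the sample record are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Hypothetical role matrix: the most any role may ever read.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "support_agent": {"display_name", "account_status"},
    "safety_reviewer": {"display_name", "account_status", "date_of_birth", "guardian_contact"},
}

@dataclass
class Approval:
    """Sign-off by a responsible officer, scoped to named fields and time-limited."""
    approver_id: str
    fields: Set[str]
    expires_at: datetime

@dataclass(frozen=True)
class AuditEntry:
    ts: datetime
    staff_id: str
    subject_id: str
    fields: Tuple[str, ...]
    granted: bool
    reason: str

class MinorRecordStore:
    def __init__(self, records, roles, approvals):
        self._records: Dict[str, Dict[str, str]] = records  # subject_id -> record
        self._roles: Dict[str, str] = roles                  # staff_id -> role name
        self._approvals: Dict[str, Approval] = approvals     # staff_id -> current sign-off
        self.audit_log: List[AuditEntry] = []

    def read(self, staff_id, subject_id, fields, now=None):
        """Return only the requested fields or raise PermissionError; log either way."""
        now = now or datetime.now(timezone.utc)
        wanted = set(fields)
        role = self._roles.get(staff_id)
        allowed = ROLE_FIELDS.get(role, set())
        approval = self._approvals.get(staff_id)
        # The first failing check becomes the logged reason; the role ceiling is tested first,
        # so a sign-off can only narrow what a role may see, never widen it.
        if not wanted <= allowed:
            reason = f"fields outside role {role!r}: {sorted(wanted - allowed)}"
        elif approval is None:
            reason = "no approval from a responsible officer"
        elif now >= approval.expires_at:
            reason = "approval expired"
        elif not wanted <= approval.fields:
            reason = f"fields outside approval scope: {sorted(wanted - approval.fields)}"
        elif subject_id not in self._records:
            reason = "unknown subject"
        else:
            reason = "granted"
        granted = reason == "granted"
        # Denied attempts are logged too; repeated denials are what a review looks for.
        self.audit_log.append(AuditEntry(now, staff_id, subject_id, tuple(sorted(wanted)), granted, reason))
        if not granted:
            raise PermissionError(reason)
        return {f: self._records[subject_id][f] for f in wanted}  # never more than asked and allowed

def repeat_denials(audit_log, threshold=3):
    """Monitoring rule over the log: staff with at least `threshold` denied reads."""
    counts: Dict[str, int] = {}
    for entry in audit_log:
        if not entry.granted:
            counts[entry.staff_id] = counts.get(entry.staff_id, 0) + 1
    return {s: n for s, n in counts.items() if n >= threshold}

def demo():
    """Constructed scenario: one approved reviewer and one over-reaching support agent."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    store = MinorRecordStore(
        records={"m-001": {"display_name": "Sam", "account_status": "active",
                           "date_of_birth": "2010-05-01", "guardian_contact": "guardian@example.invalid"}},
        roles={"staff-a": "support_agent", "staff-b": "safety_reviewer"},
        approvals={"staff-b": Approval("officer-1", {"display_name", "date_of_birth"}, t0 + timedelta(hours=8))},
    )
    out = {"reviewer_ok": store.read("staff-b", "m-001", ["date_of_birth"], now=t0)}
    for _ in range(3):  # the agent keeps asking for a field its role never allows
        try:
            store.read("staff-a", "m-001", ["guardian_contact"], now=t0)
        except PermissionError as e:
            out["agent_denied"] = str(e)
    try:  # the reviewer's role allows guardian_contact, but the sign-off did not cover it
        store.read("staff-b", "m-001", ["guardian_contact"], now=t0)
    except PermissionError as e:
        out["reviewer_out_of_scope"] = str(e)
    try:  # an otherwise valid request after the sign-off has lapsed
        store.read("staff-b", "m-001", ["date_of_birth"], now=t0 + timedelta(hours=9))
    except PermissionError as e:
        out["reviewer_expired"] = str(e)
    out["flagged"] = repeat_denials(store.audit_log)
    out["log_len"] = len(store.audit_log)
    return out
```

Calling demo() walks through one granted read, three denials against a role that never allows the requested field, one denial where the sign-off is narrower than the role, and one after the sign-off has lapsed; all six attempts land in the audit log, and the monitoring rule flags only the staff member with three denials. Ordering the role check before the approval check is the design point: approvals cannot grant more than the role ceiling, and every path through read() writes a log entry before any data is returned.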
Other Provisions
The Regulations also set supervisory and administrative requirements on preventing internet addiction among minors, including:
- Providers of network products and services should establish and improve anti-addiction systems, must not provide minors with products and services that induce addiction, and should publish their anti-addiction work to the public annually for public supervision [16];
- Providers of online games, live-streaming, audio and video, and social networking services should reasonably limit the amount of a single purchase and the cumulative daily spending of minors of different age groups when using their services [17], and guard against and resist unhealthy value orientations such as “traffic first” [18];
- Online game service providers should verify the real identity information of minor users through necessary means such as the unified electronic identity authentication system, and must not provide game account rental or sale services to minors [19].
Legal Liability
Providers of network products and services that violate the Regulations will be penalised in accordance with the law [20]. A provider whose website is shut down, or whose relevant business permit or business licence is revoked, may not reapply for the relevant permit within 5 years, and the persons directly in charge and other directly responsible persons may not engage in the same type of network product or service business within 5 years [21].
The relevant regulatory departments may also, according to their respective duties, order rectification, issue warnings, confiscate unlawful gains and impose corresponding fines [22]. Where the violation infringes the legitimate rights and interests of minors and causes them harm, civil liability will be borne in accordance with the law; where it constitutes a violation of public security administration, public security administrative penalties will be imposed; and where it constitutes a crime, criminal liability will be pursued in accordance with the law [23].
Conclusion
In summary, the Regulations make detailed and comprehensive provisions on cultivating the online literacy of minors [24], regulating online information content, protecting the personal information of minors online, and preventing and controlling internet addiction among minors, providing stronger legal safeguards for their healthy physical and mental development. As the first comprehensive piece of legislation in the Mainland dedicated to the online protection of minors, the Regulations reflect the great importance the State attaches to the environment in which minors grow and develop, and mark a new stage in building the rule of law for the online protection of minors [25].
[1] Full text: http://www.cac.gov.cn/2023-10/24/c_1699806932316206.htm
[2] Full text: https://www.gov.cn/xinwen/2020-10/18/content_5552113.htm
[3] Article 2 of the Law on the Protection of Minors.
[4] Article 6 of the Regulations.
[5] Articles 22 and 23 of the Regulations.
[6] Article 24 of the Regulations.
[7] Under Article 26 of the Regulations, providers of network products and services should set up functions and channels that make it convenient for minors and their guardians to keep records of cyberbullying and to exercise their right to notify.
[8] Article 28 of the Regulations.
[9] Under Article 31 of the Regulations, if the minor or the minor’s guardian does not provide the minor’s real identity information, the network service provider must not provide the relevant services to the minor.
[10] Article 31 of the Regulations.
[11] Under Article 34 of the Regulations, personal information processors must promptly accept and handle requests from minors or their guardians to access, copy, correct, supplement or delete the minor’s personal information; where such a request is refused, the applicant must be informed in writing with reasons.
[12] Under Article 36 of the Regulations, staff who can access minors’ personal information should be approved by the relevant person in charge or a manager authorised by that person, access should be recorded, and technical measures should be taken to prevent the unlawful processing of minors’ personal information.
[13] Under Article 35 of the Regulations, the personal information processor must also, in accordance with relevant national provisions, inform the affected minors and their guardians of the incident by email, letter, telephone, push notification or other means. Where it is difficult to notify each of them individually, it should issue relevant warning information promptly by reasonable and effective means.
[14] Article 37 of the Regulations.
[15] Under Article 38 of the Regulations, where a network service provider discovers through a minor’s private information that the minor may have been harmed, it should immediately take necessary measures to preserve the relevant records and report to the public security authorities.
[16] Article 42 of the Regulations.
[17] Article 44 of the Regulations.
[18] Under Article 45 of the Regulations, the relevant network service providers must not set up online communities, groups or topics themed on fan fundraising, voting for rankings, or inflating view counts and manipulating comments, and must not induce minors to participate in such online activities.
[19] Article 46 of the Regulations.
[20] Chapter 6 of the Regulations.
[21] Article 57 of the Regulations.
[22] Articles 53 to 56 of the Regulations.
[23] Article 58 of the Regulations.
[24] Chapter 2 of the Regulations.
[25] http://www.cac.gov.cn/2024-01/11/c_1706639666854036.htm
|
Professional Workshop on Data Protection in Human Resource Management
|
Since job applicants and current and former employees may from time to time request access to the personal data that organisations keep about them, employers and human resource management professionals have to ensure compliance with the requirements of the PDPO when they collect and handle employee data. Employers should also meet public expectations by consistently protecting and respecting their employees’ personal data privacy. This workshop enables participants to learn how to handle different scenarios and strengthens their knowledge of data protection in human resource management.
Date: 28 February 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: human resource officers, data protection officers, compliance officers, solicitors, administration managers, recruitment agents
|
Other Professional Workshops on Data Protection in March 2024:
|
Online Free Seminar – Introduction to the PDPO Seminar
|
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form. With effect from January 2024, seminars will also cover measures to safeguard data security.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Safeguarding data security;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Join us now to keep up-to-date with the latest news and legal developments!
|
We would like to inform you that starting from 1 April 2024, there will be a revised DPOC membership fee of $450. This adjustment is necessary to support the improvement and expansion of our offerings. Please apply or renew your DPOC membership early if you wish to enjoy the current package.
|
The PCPD values the opinions of all our DPOC members. We would love to hear your ideas and suggestions on the privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
|
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.