PCPD e-NEWSLETTER
ISSUE July 2024
Enhancing Data Security – Privacy Commissioner’s Office Reruns the Seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures”

Privacy Commissioner Ms Ada CHUNG Lai-ling (left) and PCPD's Chief Personal Data Officer (Compliance and Enquiries) Mr Brad KWOK (right) answered participants’ questions at the seminar.
Owing to the overwhelming response of the seminar held earlier, the PCPD re-organised the seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures” in hybrid mode on 9 July, which attracted over 620 participants. At the seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling provided an overview of the latest trends of data breach incidents, highlighted some data breach cases which occurred in recent years and elaborated on the causes of the data breaches and the remedial measures taken. PCPD's Chief Personal Data Officer (Compliance and Enquiries) Mr Brad KWOK also spoke on how to enhance data security and the adoption of proper security measures, as well as explained the key points in preventing and handling data breach incidents. Please click here to download the presentation deck (Chinese only).
The PCPD Joins Global Privacy Enforcement Network in Completing Global Privacy Protection Sweep on Deceptive Design Patterns
The PCPD joined the Global Privacy Enforcement Network (GPEN) earlier to conduct a global privacy protection sweep (Sweep) on more than 1,000 websites and mobile applications (apps) from around the world under the theme of “Deceptive Design Patterns” and a global joint report was issued today upon completion of the Sweep. A total of 52 authorities, including 26 privacy or data protection enforcement authorities and 26 consumer protection authorities participated in the Sweep, which was coordinated jointly by GPEN and the International Consumer Protection and Enforcement Network (ICPEN). The privacy or data protection enforcement authorities included the authorities from Australia, Canada, the United Kingdom, the United States of America, Japan, Singapore, Macao SAR China and Hong Kong SAR China, to name a few. During the Sweep period between 29 January and 2 February 2024, participating authorities examined more than 1,000 websites and mobile apps from around the world across multiple industries (including retail, health and fitness, travel and accommodation, and social media and dating) on the frequency and types of deceptive design patterns used by these websites and apps. The Sweep revealed that nearly all (97%) of the websites and apps reviewed employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions. Deceptive design patterns typically employ features that steer users towards options that may result in the collection of more of their personal data. These patterns may also force users to take multiple steps to find the privacy policy, log out or delete their account. They may also present users with repetitive prompts aimed at frustrating them and ultimately pushing them towards sharing more personal data than they initially wish. According to the findings of the Sweep, issues relating to design patterns include:
- Complex and confusing language: More than 89% of privacy policies were found to be too long or have used complex language;
- Interface interference: When asking users to make privacy choices, 42% of websites and apps used emotionally charged language to influence user decisions (e.g. “Are you really certain you want to delete your account? It would be a shame to see you go!”, “If you click ‘Delete User Account’, you will immediately lose all your VIP privileges.”), while 57% made the least privacy protective option the most obvious;
- Nagging: 35% of websites and apps repeatedly asked users to reconsider their intention to delete their accounts;
- Obstruction: In nearly 40% of cases, users encountered obstacles when they made privacy choices or accessed privacy information, such as trying to find privacy settings or to delete accounts; and
- Forced action: 9% of websites and apps forced users to disclose more personal data when they tried to delete their accounts than they had to provide when they opened the accounts.
The participating enforcement authorities encourage businesses to design their online platforms or apps in a manner that enables users to make informed privacy-protective choices that reflect their preferences. Good privacy-protective designs include:
- Make the most privacy-protective option the default choice;
- Emphasise the provision of privacy options to users;
- Avoid using biased language and design, and present privacy choices in a fair and transparent manner;
- Allow users to easily find privacy information, log out, or delete an account without the need for multiple clicks; and
- Provide timely relevant consent options to users.
Please click here to download the Sweep report (available in English and French).
In this issue:
- How to Manage Your Data Processor Properly?
- PRIVACY COMMISSIONER’S FINDINGS: A Folder That Contained Personal Data of Students and Parents was Accidentally Disposed of
- Be Smart in the Internet Era – Voice Assistant and Personal Data Privacy Protection
- A 40-year-old Male Arrested for Suspected Doxxing Arising from Relationship Entanglements
- Response of the PCPD to the Consumer Council’s Study Report on Home Removal Companies
- A 21-year-old Male Arrested for Suspected Doxxing Arising from Relationship Entanglements
- A 38-year-old Female Arrested for Suspected Doxxing Arising from Relationship and Monetary Disputes
- A Car Company Convicted of Direct Marketing Offences, Privacy Commissioner Welcomes the Court’s Ruling
- Free Online Seminar: Introduction to the PDPO
- Arrange an In-house Seminar for Your Organisation
- APPLICATION / RENEWAL OF DPOC MEMBERSHIP
- The PCPD Supports the Ethical Phishing Email Campaign 2024
- Promoting AI Security – Privacy Commissioner Publishes an Article Entitled “City’s AI Data Guidelines Can Help Firms Embrace the Future”
- Promoting AI Literacy Learning – Privacy Commissioner Visits Hong Kong Book Fair 2024
- Strive for the Best with No Regrets – Privacy Commissioner Cheers for DSE Candidates
- Reaching Out to the Community – Privacy Commissioner Attends EOC’s Accessible for All @ Hong Kong Symposium
- Reaching Out to the Community – Privacy Commissioner Interviewed by i-Cable News’ “Let’s Talk”
- Privacy Commissioner Attends the 13th Anniversary Celebration of the New People’s Party
- Reaching Out to Legal Professionals – Privacy Commissioner Attends Cocktail Reception for the Launch of Sentencing in Hong Kong – Eleventh Edition
- Reaching Out to the Community – Privacy Commissioner Publishes “Hong Kong Letter” Entitled “Adopt AI Model Framework to Mitigate Privacy Risks”
- The PCPD Organises AI Practical Workshop for Secondary School Students
- Reaching Out to Universities – PCPD and the University of Hong Kong Jointly Organise the “Seminar on Personal Data Privacy and Protection in Higher Education”
- Reaching Out to Schools – PCPD’s Representative Speaks at a Cybersecurity Seminar
- Highlights of the “Practical Guidance of Cybersecurity Standards – Cybersecurity Assessment Guidelines for Large Online Platforms” (《網絡安全標準實踐指南 – 大型互聯網平台網絡安全評估指南》)
- International: Commission Announces Entry into Force of the EU-Japan Deal on Data Flows
- International: GPEN Publishes Findings on Deceptive Privacy Choices
- EU: AI Act Published in EU Official Journal
- Germany: BMI Publishes Bill Amending Passenger Data Processing Law

How to Manage Your Data Processor Properly?
Engaging contractors (i.e. data processors) to process personal data is increasingly common. Examples of data processors include web service providers, cloud and data analytics service providers and event management companies. Under the Personal Data (Privacy) Ordinance (PDPO), a data user may be liable for the acts of its agents (including data processors) and must also adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to its data processors for processing.
To manage data processors properly, a data user should first consider whether it has a genuine need to engage a data processor at all. Generally, the types of obligations to be imposed on data processors by contract include:
- Prohibition against other use and disclosure;
- Prohibition against sub-contracting to other service providers;
- Reporting of irregularity;
- Measures to ensure compliance with the agreed obligations by contractor’s staff;
- Organisation’s right to audit and inspect;
- Consequence for breach of the contract;
- Security measures to be taken by the data processor; and
- Timely return, destruction or deletion of personal data no longer required.
The data user can also make reference to the suggested measures below to have an effective management of their data processors to process personal data on their behalf:
- Implement policies and procedures to ensure that only competent and reliable data processors will be engaged;
- Conduct assessment to ensure that only necessary personal data is transferred to the data processors;
- Clearly stipulate the security measures required to be taken by the data processors in the data processing contract;
- Require the data processors to immediately notify all data security incidents;
- Conduct field audits to ensure compliance with the data processing contract by the data processors and impose consequences for breach of contract; and
- Conduct an annual review to ensure that the management of data processors is adequate and comprehensive.
Please read the PCPD’s publication below to learn more about the effective monitoring of the data processors: Outsourcing the Processing of Personal Data to Data Processors
PRIVACY COMMISSIONER’S FINDINGS

A Folder That Contained Personal Data of Students and Parents was Accidentally Disposed of
Background
A school reported to the PCPD that a cleaner had mistakenly treated a folder that contained auto-pay documents with personal data of over 100 students and parents (the Folder) as waste and disposed of it at the refuse collection point near the school. An investigation conducted by the school revealed that the clerk responsible for handling auto-pay documents placed the Folder on the rubbish bin under her desk. As a result, the cleaner disposed of the Folder together with other waste by mistake.
Remedial Measures
Upon receipt of the notification from the school, the PCPD initiated a compliance check. In response to the incident, the school reminded the clerk of the need to exercise caution in handling and safekeeping documents containing personal data. The school also provided the cleaner with training on proper waste disposal procedures. In addition, the school incorporated guidelines and points to note on personal data protection into its staff code of conduct. The revised code of conduct was disseminated to staff through meetings and workshop training.
Lessons Learnt
Regardless of whether personal data is accidentally lost, leaked or improperly disposed of, the potential harm to the affected individuals should not be underestimated. In addition to establishing effective data protection policies and practices, organisations should strengthen security measures to safeguard personal data. This includes implementing measures and monitoring mechanisms to ensure employees comply with policies and procedures, as well as providing comprehensive training to strengthen employees’ awareness of personal data protection and minimise the risk of human errors.
Be Smart in the Internet Era – Voice Assistant and Personal Data Privacy Protection
Voice assistants have become increasingly integrated into our daily lives, enhancing convenience and efficiency by helping users handle a diverse range of tasks hands-free, including answering questions, providing information, setting alarms and reminders, controlling smart home devices, and sending messages and making calls. Voice assistants operate through smart speakers or on electronic devices such as computers, tablets or mobile phones. To respond to users’ commands, they use voice recognition technology to interpret and process human speech. They can be activated by certain sound patterns or specific words, such as “Alexa” or “Hi Siri”. At the same time, they may also collect users’ information or daily conversations by making recordings automatically and sending them to the manufacturer’s servers, which poses privacy concerns.
To protect your personal data privacy when using a voice assistant, you may make reference to the following practical tips:
- Disable the voice activation feature so that your voice assistant does not listen to you all the time. Instead of saying specific words, such as “Hey voice assistant”, users then have to press a button or open an app to activate the voice assistant. This gives users more control over when and what they share with the voice assistant.
- Review and delete voice recordings regularly. Voice assistants may store users’ voice recordings in the cloud or on their own electronic devices. You can access the voice recordings through the settings or the app of the voice assistant, and delete the recordings if needed. Users can also opt out of sharing their voice recordings with the voice assistant providers for quality improvement purposes.
- Manage the permissions and settings of your voice assistant, and limit its access rights on your electronic devices. For example, you can disable or restrict access to your contacts, location, camera, microphone, and other sensitive data; turn off personalisation features, such as personalised ads, recommendations, and reminders; and adjust your settings to enable encryption, password protection, and notifications for your voice assistant.
- Use a firewall to block unwanted or malicious connections and requests from reaching your electronic devices or network to prevent hackers or advertisers from spying on your voice assistant activities.
- Know which personal accounts are connected to your voice assistant.
- Choose a trustworthy voice assistant provider. You can research the privacy policies, terms of service, and reputation of different voice assistant providers, and compare their features, benefits, and drawbacks. Select voice assistant providers that offer users more transparency, control, and security options, such as deleting your data upon request, allowing you to opt out of data collection, or using end-to-end encryption.
- Check the Privacy Policy of your voice assistant to understand how your audio recordings are handled and who can listen to them, and change your settings to opt out of human review of recordings if needed.
Promoting AI Security – Privacy Commissioner Publishes an Article Entitled “City’s AI Data Guidelines Can Help Firms Embrace the Future”
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “City’s AI Data Guidelines Can Help Firms Embrace the Future”. The Privacy Commissioner pointed out that while organisations in various industries have been exploring ways to integrate artificial intelligence (AI) into their operations to enhance efficiency and diversify business portfolios, they are concerned about difficulties in compliance in the absence of guidance. On the other hand, the adoption of AI also presents privacy and ethical risks. Indeed, AI security is an important aspect of national security. As advocated in the “Global AI Governance Initiative” promulgated by the Mainland in October 2023, the development and security of AI are of equal importance. To support the Mainland’s “Global AI Governance Initiative” and to respond to industry needs, the PCPD has published the “Artificial Intelligence: Model Personal Data Protection Framework” (the Model Framework), with a view to assisting organisations to procure, implement and use AI, including generative AI, in compliance with the relevant requirements of the PDPO. The Privacy Commissioner believes that the Model Framework will foster the healthy and safe development of AI in Hong Kong, facilitate Hong Kong’s development into an innovation and technology hub, and propel the expansion of the digital economy not only in Hong Kong but throughout the Greater Bay Area. The article was published in South China Morning Post, Ta Kung Pao, Sing Tao Daily, HK01, Hong Kong Economic Journal, Hong Kong Economic Times and Ming Pao on 25 July. Please click here to read the article in Chinese.
Please click here to read the article in English.
Promoting AI Literacy Learning – Privacy Commissioner Visits Hong Kong Book Fair 2024
Privacy Commissioner Ms Ada CHUNG Lai-ling visited Hong Kong Book Fair 2024 and attended the book launch event of 《AI智能時代的素養學習》, written by Professor the Hon William WONG Kam-fai, MH, member of the Standing Committee on Technological Developments of the PCPD. Professor Wong has given an objective and comprehensive account of six areas in the new book, including “Technology and Society”, “Metaverse” and “Generative Artificial Intelligence”, with a view to providing readers with a better understanding of the direction and significance of literacy learning. The Privacy Commissioner also visited the booth of City University of Hong Kong Press and promoted the book “The Treasure-trove of Privacy – Understanding Your Personal Data Privacy” (《私隱法.保 — 了解你的個人資料私隱》), which was jointly published by the PCPD and the City University of Hong Kong Press earlier.
Strive for the Best with No Regrets – Privacy Commissioner Cheers for DSE Candidates
Privacy Commissioner Ms Ada CHUNG Lai-ling gave a boost to DSE candidates before the release of the Hong Kong Diploma of Secondary Education (DSE) Examination results. She trusted that they had exerted their best efforts in completing the DSE Examination, and encouraged them to embrace the outcome with peace of mind. Addressing the candidates, the Privacy Commissioner said, “Life is full of possibilities. Although public examinations are of great importance, examination results do not define everything. ‘Don’t get conceited when winning and don’t lose heart when losing’. Never give up! Find out your virtues and propel yourself to a new horizon!”
Reaching Out to the Community – Privacy Commissioner Attends EOC’s Accessible for All @ Hong Kong Symposium
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Accessible for All @ Hong Kong Symposium organised by the Equal Opportunities Commission on 15 July.
The symposium brought together experts and leaders in public policy, architecture, urban design and innovative technology from Hong Kong and other cities in the Guangdong-Hong Kong-Macao Greater Bay Area. The participants discussed how to improve the well-being and social participation opportunities of individuals of diverse abilities and ages through universal design and smart technology, including removing barriers to digital accessibility and reducing the digital divide.
Reaching Out to the Community – Privacy Commissioner Interviewed by i-Cable News’ “Let’s Talk”
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by i-Cable News’ “Let’s Talk” on 13 July to share the work of the PCPD in safeguarding the privacy of members of the public in relation to personal data.
During the interview, the Privacy Commissioner mentioned that the PCPD received about 600 enquiries in the first half of this year relating to the collection of personal data for fraudulent purposes. She reminded members of the public to stay vigilant to avoid being tricked into providing biometric data such as facial images, voice, etc., as fraudsters could impersonate a person by applying deepfake technology to such data.
The Privacy Commissioner mentioned that the PCPD received 97 data breach notifications in the first half of the year, with an increasing trend recorded in the second quarter. She pointed out there had been an increasing trend in data breach incidents both globally and in Hong Kong in the digital era. The PCPD has been conducting compliance checks and on-site inspections of the personal data systems of organisations, and will reinforce such work in the future.
In response to the increasing popularity of the use of artificial intelligence (AI) in Hong Kong, the PCPD recently published the “Artificial Intelligence: Model Personal Data Protection Framework”. The Privacy Commissioner also reminded the public to think twice before providing personal data to an AI system.
Please click here to view “Let’s Talk” (Chinese only).
Privacy Commissioner Attends the 13th Anniversary Celebration of the New People’s Party
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 13th anniversary celebration of the New People’s Party on 13 July. The Privacy Commissioner extended congratulations to the New People’s Party and wished them continuous success and achievements in undertaking more people-to-people diplomacy initiatives.
Reaching Out to Legal Professionals – Privacy Commissioner Attends Cocktail Reception for the Launch of Sentencing in Hong Kong – Eleventh Edition
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the cocktail reception for the launch of Sentencing in Hong Kong – Eleventh Edition, a legal reference book edited by Mr Ian Grenville CROSS, GBS, SC, the former Director of Public Prosecutions, and Mr Patrick W S CHEUNG, barrister, on 3 July. Sentencing in Hong Kong has been published for 30 years and is an authoritative sentencing textbook in Hong Kong. The new edition explains the sentencing provisions for persons convicted of national security offences and incorporates the content of the Safeguarding National Security Ordinance passed in March 2024.
Reaching Out to the Community – Privacy Commissioner Publishes “Hong Kong Letter” Entitled “Adopt AI Model Framework to Mitigate Privacy Risks”
Privacy Commissioner Ms Ada CHUNG Lai-ling published a “Hong Kong Letter” on RTHK Radio 1 on 29 June to explain the privacy risks brought about by AI, and introduce the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) published by the PCPD recently.
The Privacy Commissioner pointed out that the Model Framework was published with a view to assisting organisations in complying with the relevant requirements of the PDPO when they procure, implement and use AI. She believed that the Model Framework will help nurture the healthy and safe development of AI in Hong Kong, facilitate Hong Kong’s development into an innovation and technology hub, and propel the expansion of the digital economy not only in Hong Kong but also in the Greater Bay Area.
Please click here to read the “Hong Kong Letter” (Chinese only).
The PCPD Organises AI Practical Workshop for Secondary School Students
The rapid development of Artificial Intelligence (AI) in recent years has led to an increasing use of AI chatbots by youngsters in their learning and daily activities. Against this background, the PCPD organised an AI Practical Workshop (Workshop) on 23 July, which attracted over 100 secondary school students. The Workshop highlighted the privacy risks associated with AI and taught the participants how to use AI responsibly through a thematic talk and interactive AI games. The Workshop also included a visit to Microsoft Hong Kong’s headquarters. The Workshop was supported by Microsoft Hong Kong, and representatives of Microsoft gave a presentation to the students about AI privacy issues. In addition, Microsoft also collaborated with other technology partners in the setting up of various interactive AI games and demonstrations to enable the students to learn how to use AI properly through games.
Please click here for more details (Chinese only).
Reaching Out to Universities – PCPD and the University of Hong Kong Jointly Organise the “Seminar on Personal Data Privacy and Protection in Higher Education”
The PCPD and Information Technology Services – Data Protection Office of the University of Hong Kong (HKU) co-organised the “Seminar on Personal Data Privacy and Protection in Higher Education” on 11 July, which attracted more than 120 participants from the higher education sector.
At the seminar, Acting Senior Legal Counsel of the PCPD Ms Clemence WONG provided the participants with an overview of the six data protection principles and the requirements for cross-border transfers of personal data from Hong Kong under the PDPO, as well as the facilitation measures of the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong).
During the panel discussion, Senior Legal Counsel of the PCPD Ms Ines LEE shared with the other guest speakers her insights on the development and challenges of protecting personal data privacy, including the privacy risks brought by artificial intelligence.
Please click here for Ms Clemence WONG’s presentation deck. Please click here for Ms Ines LEE’s presentation deck.
Reaching Out to Schools – PCPD’s Representative Speaks at a Cybersecurity Seminar
Acting Senior Personal Data Officer (Compliance and Enquiries) of the PCPD Ms Ayee MAN spoke at the Cybersecurity Seminar for schools organised by the Hong Kong Academy of School Managers on 29 June. At the seminar, Ms Man shared data breach cases involving the education sector with the participants, and explained the key points in preventing and handling data breach incidents. Please click here for the presentation deck (Chinese only).
A 40-year-old Male Arrested for Suspected Doxxing Arising from Relationship Entanglements
The PCPD arrested a Chinese male aged 40 in the New Territories on 22 July. The arrested person was suspected to have disclosed the personal data of his ex-girlfriend without her consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim and the arrested person were formerly in a relationship, but the two broke up in April 2022. After that, the arrested person remained in contact with the victim occasionally. In May 2023, the victim cut off contact with the arrested person. Thereafter, between July 2023 and May 2024, a total of 14 messages containing the personal data of the victim were written on lamp posts in the district where the victim resides and in stairwells of vice establishments in two districts in Kowloon, with some messages containing negative allegations against the victim and luring others to contact the victim. The personal data disclosed included the victim’s Chinese name, English surname and alias, name of residential building and flat number, mobile phone number, occupation and the usernames of her social media accounts. The PCPD reminds members of the public that they should not dox others because of relationship disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO

Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
Response of the PCPD to the Consumer Council’s Study Report on Home Removal Companies
The PCPD noted that the Consumer Council published a study report on the services of home removal companies, in which 10 companies were reported to have failed to establish a privacy policy, and one company was reported to state that the longest retention period for photos and videos used for quotation was 10 years. The PCPD has immediately initiated a compliance check on the matter, and will take the initiative to contact the companies concerned to follow up on the matter. Generally speaking, Data Protection Principle (DPP) 5 of the PDPO requires data users to take all practicable steps to ensure openness of their personal data policies and practices, the kinds of personal data held and the purpose(s) of use. With regard to retention of personal data, DPP2 requires data users to take all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose for which the data is or is to be used.
A 21-year-old Male Arrested for Suspected Doxxing Arising from Relationship Entanglements
The PCPD arrested a Chinese male aged 21 in Kowloon on 12 July. The arrested person was suspected to have disclosed the personal data of his ex-girlfriend without her consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim and the arrested person were formerly in a relationship, but the two broke up in March 2024. In May 2024, the arrested person suspected that the victim had started a new relationship. Shortly afterwards, several messages containing the personal data of the victim were posted on two occasions in a personal account on a social media platform, alongside some negative comments against her. The personal data disclosed included the victim’s English name, residential address, mobile phone number, photo and the username of her social media account. The PCPD reminds members of the public that they should not dox others because of relationship disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
A 38-year-old Female Arrested for Suspected Doxxing Arising from Relationship and Monetary Disputes
The PCPD arrested a Chinese female aged 38 in the New Territories on 5 July. The arrested person was suspected to have disclosed the personal data of her ex-boyfriend without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim and the arrested person had been in an intimate relationship since 2019, and the victim had supported the arrested person’s living expenses. The two broke up in October 2023. A few days later, a signboard containing the personal data of the victim was displayed in a street near the victim’s workplace, alongside some negative comments against the victim, including a claim demanding repayment of a debt from the victim. Shortly afterwards, flyers with similar contents were posted outside the victim’s residential building and his flat. A message with similar contents was also posted in an open discussion group on a social media platform. The personal data disclosed included the victim’s Chinese name, approximate age and photos. The PCPD reminds members of the public that they should not dox others because of relationship or monetary disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
A Car Company Convicted of Direct Marketing Offences, Privacy Commissioner Welcomes the Court’s Ruling
On 2 July, the Eastern Magistrates’ Court convicted Azzurri Automobile Limited (the Company) of four charges of direct marketing offences under the PDPO upon its guilty plea. The Magistrates’ Court fined the Company $2,500 in respect of each charge, which amounted to $10,000 in total. Privacy Commissioner Ms Ada CHUNG Lai-ling welcomed the court’s ruling. Earlier in April 2024, the Police laid four charges under sections 35C(1) and 35F(1) of the PDPO against the Company, and the Company pleaded guilty on 2 July to the relevant charges. According to the facts of the case, in November 2023, the Company failed to take the necessary actions to notify the two data subjects and obtain their consents before using their personal data, which was obtained from the records of the Transport Department, in direct marketing. The Company also failed to inform the two data subjects, when using their personal data in direct marketing for the first time, of their rights to request the Company not to use their personal data in direct marketing without charge.
Background of the Case
The case originated from two complaints received by the PCPD in November 2023. Each of the complainants received a marketing letter from the Company by post on 6 November 2023. The letters contained the complainants’ English names and addresses. Both of the complainants called the Company to make enquiries and were told by the staff of the Company that the Company had collected their personal data from the records of the Transport Department for the purpose of issuing the letters. The complainants considered that the Company had used their personal data for direct marketing without their consents, thus they lodged complaints with the PCPD. As the PCPD considered that the two cases might involve contraventions of the direct marketing requirements under the PDPO, the PCPD referred the cases to the Police for criminal investigation and consideration of prosecution.
Relevant Statutory Provisions
Section 35C(1) of the PDPO requires a data user who intends to use a data subject’s personal data in direct marketing to take a number of specified actions, including notifying the data subject that the data user intends to so use the personal data; that the data user may not do so unless the data user has received the data subject’s consent; the types of personal data that will be used; the classes of goods or services that will be marketed; and a response channel through which the data subject can communicate his/her consent. Pursuant to section 35F(1) of the PDPO, the data user must, when using a data subject’s personal data in direct marketing for the first time, inform the data subject of his/her right to request the data user to cease to so use the data, without charge to the data subject. Failure to comply with the requirements of sections 35C(1) and 35F(1) constitutes a criminal offence. The offender is liable to a fine up to $500,000 and imprisonment for three years.
Highlights of the “Practical Guidance of Cybersecurity Standards – Cybersecurity Assessment Guidelines for Large Online Platforms”
To help large online platforms, building on their existing cybersecurity compliance, further assess, identify and guard against cybersecurity risks that affect or could potentially affect social stability or the public interest, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China released the “Practical Guidance of Cybersecurity Standards – Cybersecurity Assessment Guidelines for Large Online Platforms” (the Assessment Guidelines)[1] on 25 June 2024. The Assessment Guidelines set out the content of the cybersecurity assessments to be conducted by large online platforms and the methods of conducting them, with the aim of guiding platforms to raise their level of security. This article provides an overview of the Assessment Guidelines. The key points are as follows:
Scope of application
The Assessment Guidelines apply to cybersecurity assessment activities conducted by large online platforms. A “large online platform” is defined as “a relatively large-scale online platform that uses network technology to connect individuals with individuals, goods, information, services, offline resources, funds, software and the like, and provides business services[2] on that basis”[3]. “Relatively large-scale” means “an accumulated average monthly active user count in the Mainland of not less than 50 million over the past year”[4].
Cybersecurity assessment working group
The Assessment Guidelines expressly state that a large online platform conducting a cybersecurity assessment must first establish a cybersecurity assessment working group (the working group)[5], directly led by the platform’s principal person in charge[6], under whose leadership the management system and working procedures are formulated. The working group is responsible for conducting the platform’s cybersecurity assessment work, which includes[7]:
- identifying the scope of the core business and defining the scope of the cybersecurity assessment, according to the degree of impact on social stability and the public interest that a cybersecurity incident in each line of business would have;
- organising the annual cybersecurity assessment;
- studying and formulating cybersecurity assessment work plans for significant matters and organising the relevant assessment work;
- organising the rectification of security issues identified in cybersecurity assessments.
Cybersecurity assessment
The working group must organise a cybersecurity assessment once a year and prepare a report, which is to be signed off and kept on file by the platform’s principal person in charge and the lead person of the working group[8].
Content of the assessment
The content of the cybersecurity assessment may refer to the seven areas below; partial details of the assessment content are given for some areas:
1. Core business continuity risk[9]
   Assessment content includes:
   a) scenarios that could leave the platform’s business paralysed for an extended period; and
   b) a summary of security incidents over the past year in which the platform’s core business was paralysed for an extended period.
2. Disaster recovery capability[10]
3. Supply chain security of key software and hardware products[11]
4. Controllability of data provided to external parties[12][13]
5. Emergency response after a data leakage incident[14]
6. Control of the platform[15]
7. Protection of users’ rights and interests[16]
   Assess how the platform safeguards users’ rights and interests in their personal information, and the reasonableness of the algorithm-based services the platform provides to users. Assessment content includes:
   a) how users are enabled to conveniently exercise their rights to access, copy, delete, correct and transfer their personal information; and
   b) the authenticity, accuracy and security of the information that the platform targets at users by algorithm, and the lawfulness of its sources.
Appendix A of the Assessment Guidelines also provides the working group with a template for the annual cybersecurity assessment report, for reference.
Cybersecurity assessment of significant matters
Before a large online platform carries out any of the following adjustments or changes, the working group must also conduct a cybersecurity assessment of the impact that the adjustment or change may have on social stability and the public interest[17]:
- a change in the actual controller of the platform;
- the launch of a new core business, or the shutdown of an existing core business;
- an expansion of the scope, quantity or frequency of collection of users’ sensitive personal information that may have a significant impact on cybersecurity;
- the addition of recipients of important data, of the personal information of over 1 million individuals in aggregate, or of the sensitive personal information of over 100,000 individuals in aggregate, or a change in the technical means by which data is provided to existing recipients;
- where important data, the personal information of over 1 million individuals in aggregate, or the sensitive personal information of over 100,000 individuals in aggregate is provided externally, a change in the purpose or manner in which the recipient uses the information.
Conclusion
In summary, the Assessment Guidelines provide practical guidance on the content and methods of cybersecurity assessments for large online platforms, helping the industry ensure that its online services are lawful and compliant. Relevant platforms should read the requirements of the Assessment Guidelines carefully, conduct cybersecurity assessments in a timely manner, and consider disclosing the content of their reports to the public[18].
[1] Full text: https://www.tc260.org.cn/upload/2024-06-26/1719392765857029020.pdf
[2] Business services include, but are not limited to, instant messaging, social networking, e-commerce, live streaming, short video, news and information, app stores, online ride-hailing and online payment. (Assessment Guidelines, clause 2.1)
[3] Assessment Guidelines, clause 2.1.
[4] Assessment Guidelines, clause 2.1.
[5] Assessment Guidelines, clause 3.1.
[6] The platform’s principal person in charge means the principal person in charge or the actual controller of the platform’s operating entity. (Assessment Guidelines, clause 3.1(a))
[7] Assessment Guidelines, clause 3.2.
[8] Assessment Guidelines, clause 3.3.
[9] Assessment Guidelines, clause 4.1.
[10] Assessment Guidelines, clause 4.2.
[11] Assessment Guidelines, clause 4.3.
[12] Assessment Guidelines, clause 4.4.
[13] Where the data recipient is located overseas, or the platform operator is listed overseas, the assessment must cover whether the platform has a mechanism for analysing and responding to the latest policies on cybersecurity, data security and personal information protection of the countries and regions involved in the platform’s business.
[14] Assessment Guidelines, clause 4.5.
[15] Assessment Guidelines, clause 4.6.
[16] Assessment Guidelines, clause 4.7.
[17] Assessment Guidelines, clause 3.4.
[18] Under Chapter 5 of the Assessment Guidelines, a large online platform’s cybersecurity assessment report and its cybersecurity assessment report on significant matters should be truthful, complete and detailed, and are disclosed to the public on a voluntary basis. Where a platform chooses to disclose a report publicly and the report involves trade secrets that cannot readily be separated out, the platform may prepare a separate, redacted version for public release based on the complete cybersecurity assessment report.
Professional Workshop on Data Protection in Direct Marketing Activities
Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. To protect customers’ personal data privacy, organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO. This also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility.
This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO and offer practical guidance on compliance. Participants will also learn from conviction cases relating to direct marketing, aiming to help them understand how to properly use customers’ personal data in direct marketing activities.
Date: 7 August 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance officers, company secretaries, administration managers, IT managers, solicitors, database managers and marketing professionals
Professional Workshop on Personal Data Privacy Management Programme
With the ever-rising expectations of customers and stakeholders regarding organisations’ responsible use of personal data in recent years, the protection of personal data privacy should no longer be seen as purely a compliance issue. To build trust with customers and enhance their competitive and reputational advantages, organisations should develop and implement a comprehensive Personal Data Privacy Management Programme (PMP) to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations.
By attending this workshop, participants will understand the key components of a PMP, and learn how to continuously maintain and improve it for effective implementation in their organisations.
Date: 21 August 2024 (Wednesday)
Time: 2:15pm – 4:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices.
Other Professional Workshops on Data Protection from August to September 2024:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
The PCPD Supports the Ethical Phishing Email Campaign 2024
The PCPD is delighted to be one of the supporting organisations of the Ethical Phishing Email Campaign 2024, co-organised by the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and the Hong Kong Internet Registration Corporation Limited. The Campaign aims to raise staff awareness of suspicious emails and to improve organisations’ cyber security posture. The Campaign will be conducted from August to September 2024, and participation will be free of charge.
Please click here for more information about the Campaign.
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.