PCPD e-NEWSLETTER
ISSUE Sep 2024
|
Privacy Commissioner Urges Job Seekers to Stay Vigilant about “Blind” Recruitment Advertisements
Online Doxxing Messages Dropped by 90% on Third Anniversary of Anti-Doxxing Law
|
Privacy Commissioner Ms Ada CHUNG Lai-ling (middle), Senior Legal Counsel Ms Hermina NG Wing-hin (left) and Senior Personal Data Officer (Criminal Investigation) Mr Lo Dik-fan (right), at the media briefing.
|
The PCPD held a media briefing on 19 September to elaborate on its concern about the placing of “blind” recruitment advertisements (Blind Ads) on online recruitment platforms, as well as to report on its enforcement work in the past three years since the commencement of the provisions criminalising doxxing acts under the Personal Data (Privacy) Ordinance (PDPO).
1. Investigations on the Placing of Blind Ads on Online Recruitment Platforms
Between September 2021 and August 2024, the PCPD received 57 enquiries and 11 complaints in relation to recruitment advertisements. The PCPD noticed that there were organisations placing Blind Ads on online recruitment platforms. In general, a Blind Ad is one that does not identify the recruiting organisation nor contain sufficient information to identify the organisation, and does not provide a means for job applicants to make further enquiries or such means does not contain sufficient information to identify the organisation, but directly invites job applicants to submit their personal data, such as their Hong Kong Identity Card numbers, contact details or resumes.
In view of this, from June to September 2024, the PCPD reviewed 22,270 recruitment advertisements across 13 online recruitment platforms, and 23 Blind Ads were found. The PCPD is concerned that the act of placing Blind Ads to collect personal data from job applicants may constitute a contravention of the relevant requirements under the PDPO. With a view to protecting the personal data privacy of members of the public, the PCPD has proactively initiated investigations against five organisations that had placed Blind Ads.
With regard to the collection of personal data, Data Protection Principle (DPP) 1(2) of the PDPO requires that personal data shall be collected by means which are lawful and fair in the circumstances of the case. DPP 1(3) provides that organisations must take all practicable steps to notify the data subjects, on or before the collection of the data, of the purpose of data collection, the classes of persons to whom the data may be transferred, whether it is obligatory or voluntary for the data subjects to supply the data and the consequences for the data subjects if the data subjects fail to supply the data, etc.
In order to protect job applicants’ personal data and project a positive corporate image, the PCPD appeals to employers to:
- Increase transparency in placing recruitment advertisements and disclose the identities of the organisations;
- Refrain from placing Blind Ads to collect job applicants’ personal data; and
- If necessary, consider engaging a recruitment agency who is identified in the advertisement to collect the personal data from job applicants.
As Blind Ads may constitute a contravention of the PDPO and may be used by swindlers to collect personal data for fraudulent activities, the PCPD urges recruitment platforms to:
- Beware of anyone using Blind Ads to perpetrate frauds or collect personal data by unfair means; and
- Carefully review recruitment advertisements to identify Blind Ads and avoid publishing the same in order to protect the personal data privacy of members of the public.
For members of the public who wish to make any enquiries or lodge any complaint against the placing of Blind Ads, please contact the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk/complaints@pcpd.org.hk).
2. Online Doxxing Messages Dropped by 90% on Third Anniversary of Anti-Doxxing Law
The provisions criminalising doxxing acts under the PDPO came into effect on 8 October 2021. The amendments empower the Privacy Commissioner to carry out criminal investigations, institute prosecutions for doxxing-related offences and issue cessation notices to request the cessation of disclosure of doxxing messages.
From the effective date (8 October 2021) of the relevant provisions up to 31 August 2024, the PCPD handled a total of 3,234 doxxing cases, including 1,586 doxxing-related complaints and 1,648 doxxing cases uncovered by the PCPD’s proactive online patrols. The PCPD also issued a total of 2,032 cessation notices to 46 online platforms to request the removal of 33,494 doxxing messages, with a compliance rate of over 96%. Other than individual doxxing messages, 249 doxxing channels were successfully removed by cessation notices.
From the effective date (8 October 2021) of the relevant provisions up to 31 August 2024, the PCPD initiated 363 criminal investigations, and 88 cases were referred to the Police for further follow-up actions. As regards arrest operations, the PCPD mounted a total of 58 arrest operations (including three arrests made as joint operations with the Police). A total of 59 suspects were arrested. During the period, 37 prosecutions were made in respect of doxxing cases and there were 26 convictions.
Enforcement Work to Combat Doxxing
In the first eight months of 2024, the number of doxxing cases uncovered by the PCPD’s proactive online patrols was 80, representing a significant drop of 90% when compared to 803 cases during the same period in 2022 (i.e. the same period of the first year after the commencement of the anti-doxxing provisions). 270 doxxing-related complaints were received by the PCPD in the first eight months of 2024, which represented a drop of close to 40% (36%) when compared to the 421 complaints received during the same period in 2022.
Publicity and Education Work to Combat Doxxing
To combat doxxing acts, the PCPD launched a series of publicity and education campaigns to enhance the public’s awareness of the new doxxing offences and promote compliance. These included launching a thematic website on “Doxxing Offences”, issuing an implementation guideline, broadcasting short videos and television and radio announcements, distributing promotional leaflets and posters, publishing two new books titled “The Treasure-trove of Privacy – Understanding Your Personal Data Privacy” and “Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance (Third Edition)”, which included dedicated chapters on the new doxxing offences, organising seminars/webinars and promoting the new provisions on social media platforms. By the end of August 2024, the Privacy Commissioner and the PCPD personnel conducted 104 webinars/seminars concerning the new anti-doxxing regime, with the number of participants reaching 22,000.
To raise the awareness of secondary school students about the seriousness of cyberbullying and doxxing offences, the PCPD has in particular organised the School Touring of Anti-doxxing Education Talks to promote relevant information to secondary school students at schools. By the end of August 2024, the PCPD visited 50 secondary schools and held anti-doxxing education talks for over 17,000 students.
|
Privacy Commissioner’s Office Publishes “Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance (Third Edition)” to Echo with 2024 China Cybersecurity Week
|
Privacy Commissioner Ms Ada CHUNG Lai-ling (left) took a photo with Professor Ian Grenville CROSS, GBS, SC, Former Director of Public Prosecutions (right).
|
In support of 2024 China Cybersecurity Week, the PCPD has collaborated with the City University of Hong Kong Press in publishing the third edition of “Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance”.
The new book is co-edited by Privacy Commissioner Ms Ada CHUNG Lai-ling and Professor ZHU Guobin, Professor of Law, School of Law, City University of Hong Kong. A book launch was held on 9 September, where Professor Ian Grenville CROSS, GBS, SC, Former Director of Public Prosecutions, was invited to speak at the event. Other guests included member of the Personal Data (Privacy) Advisory Committee of the PCPD, the Hon Ms Carmen KAN Wai-mun, JP, and members of the Standing Committee on Technological Developments of the PCPD, Professor the Hon William WONG Kam-fai, MH and Ir Alex CHAN.
The new book provides a comprehensive overview and explanations on the requirements and DPPs under the PDPO, using decided cases and everyday examples as illustrations. It also encompasses the supervision and enforcement work carried out by the PCPD in relation to the PDPO. Three new chapters in this new edition are dedicated to the anti-doxxing regime, cross-border transfers of personal data from Hong Kong, and the Mainland’s personal information protection regime, respectively. The book also includes updates on decisions by the Administrative Appeals Board and the Court in recent years, investigation reports and materials published by the PCPD, and a comparative analysis of the similarities and differences between the personal data protection law of Hong Kong when compared to that of the Mainland and the European Union.
The book seeks to enhance the understanding of legal practitioners, students and privacy law enthusiasts regarding Hong Kong’s privacy law and serves as a reliable source of reference for navigating the complexities of this evolving field.
Please click here for the Privacy Commissioner’s welcome address.
Please click here for Professor CROSS, GBS, SC’s speech.
|
Data Ethics in the Data-driven World: Navigating Challenges of Personal Data Privacy Protection
|
PRIVACY COMMISSIONER’S FINDINGS
|
An Employee of a Hotel Discloses Customers’ Personal Data on Social Media without Authorisation
|
Be a Smart E-shopper – Protect Your Personal Data Privacy while Shopping Online
|
Privacy Commissioner Leads Staff Members to Visit the National Security Exhibition Gallery
|
Two Men Arrested for Suspected Doxxing Arising from Monetary Disputes
|
PCPD Staff Members Participate in National Academy of Governance National Studies Course
|
A 50-year-old Female Arrested for Suspected Doxxing Arising from Monetary Disputes
|
Free Online Seminar: Introduction to the PDPO
|
Arrange an In-house Seminar for Your Organisation
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
The PCPD Supports the Cyber Security Summit 2024
|
Reaching Out to Directors – Privacy Commissioner Speaks at Directors’ Symposium 2024
|
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Remind the Public to Beware of Blind Recruitment Advertisement and to Report on PCPD’s work in Combatting Doxxing Behaviour
|
Promoting Cross-boundary Flow of Personal Information – Privacy Commissioner Speaks at the Forum on Challenges and Opportunities in Cross-boundary Data Flow Within the Greater Bay Area
|
Building National Cybersecurity – Privacy Commissioner Attends 2024 China Cybersecurity Week Hong Kong Sub-forum
|
Building National Cybersecurity – Privacy Commissioner Delivers Keynote Speech at 2024 China Cybersecurity Week Macao Sub-forum
|
Spreading Love in the Festive Season – the PCPD Volunteer Team Visits the Elderly
|
Enhancing Cybersecurity – PCPD Representative Attends “Bug Hunting Campaign 2024” Awards Gala
|
Promoting AI Security – PCPD Representatives Speak to Industry Practitioners
|
Telling a Good Hong Kong Story – the PCPD Welcomes a Mainland Delegation
|
Discharging Social Responsibility – the PCPD Fully Supports Hong Kong Green Building Week 2024
|
The PCPD 2022-23 Annual Report Wins the International ARC Awards
|
Highlights of the “AI Safety Governance Framework”
|
EU: EDPB to Develop Guidance with Commission on GDPR and DMA Interplay
|
EU: Commission Publishes FAQs on the Data Act
|
Brazil's New Regulation on International Data Transfers
|
Retrospective: 2024 in Comprehensive State Data Privacy Law
|
Data Ethics in the Data-driven World: Navigating Challenges of Personal Data Privacy Protection
Personal data is now considered the new gold. Organisations collect it not only to provide products and services to customers; the vast amount of personal data has also become the fuel for big data analytics, artificial intelligence (AI) and machine learning in today’s digital era. The unprecedented increase in the volume of personal data collected, shared, used and analysed in the digital privacy landscape has brought challenges to personal data privacy protection. Organisations that derive benefits from their customers’ personal data should abandon the mindset of treating personal data protection merely as legal compliance. Instead, they should embrace the three core values of data ethics below when handling personal data:
1. Be Respectful
- Organisations should be accountable for conducting advanced data processing activities with the interest of all stakeholders in mind;
- Decisions made about individuals and the decision-making process should be explainable and reasonable; and
- Individuals should always be able to make enquiries, obtain explanations and appeal against decisions made by the advanced data processing activities that impact them.
2. Be Beneficial
- Where advanced data processing activities may have impact on individuals, all the benefits and risks of the activities should be defined, identified and assessed; and
- Once all risks are identified, appropriate ways to mitigate those risks and to balance the interests of different parties should be implemented.
3. Be Fair
- Advanced data processing activities must avoid actions that seem inappropriate or offensive, and should be consistent with the ethical values of the organisation;
- Unfair discrimination should be prohibited; and
- The accuracy and relevancy of algorithms and models used in decision-making should be regularly reviewed to reduce errors, bias and discrimination.
Here are the recommended assessment models for organisations to adopt the three core values of data ethics in their daily operations:
- Ethical Data Impact Assessments (EDIAs) – for assessing the impact of data collection, use and disclosure in data-driven activities on all stakeholders’ interests.
- Process Oversight – for evaluating how an organisation translates organisational ethical values into principles and policies and into an “ethics by design” programme. It also considers how the internal review processes are implemented, such as conducting EDIAs and establishing effective individual accountability systems.
Please read the PCPD’s publication to learn more about data ethics: Data Ethics for Small and Medium Enterprises
|
PRIVACY COMMISSIONER’S FINDINGS
|
An Employee of a Hotel Discloses Customers’ Personal Data on Social Media without Authorisation
|
The Complaint
The incident under complaint happened amid the outbreak of COVID-19. According to the anti-pandemic measures in force at the material time, people arriving in Hong Kong were required to undergo quarantine at a designated quarantine hotel. The complainant alleged that from a video clip (the Clip) uploaded onto the social media, he noticed a list (the List) of hotel guests who were under hotel quarantine. The List displayed sensitive information, such as the guests’ names, their booking confirmation numbers and room numbers, which could be clearly seen in the Clip. The complainant hence lodged a complaint with the PCPD.
Outcome
Based on the information posted on the social media account in question, the Clip might have been posted by an employee of a designated hotel. The PCPD hence approached the hotel for enquiry.
The hotel confirmed that the Clip was uploaded by a member of its outsourced contract staff, who was authorised to access the List for the purpose of performing his duties. The staff member had inadvertently captured the List in the Clip while attempting to show the work environment to others. After the PCPD intervened, the staff member immediately removed the Clip from social media.
The hotel also confirmed that the staff member had breached its policy for protecting customers’ personal data by filming and uploading work related information to social media. In addition to warning the staff member and instructing him to strictly comply with the policy in future, the hotel provided relevant training for all staff members and reminded them of the practical steps that should be taken to protect customers’ personal data.
The PCPD also issued a warning to the hotel, requiring it to regularly issue reminders to relevant staff members, heighten their awareness of personal data protection through training, and ensure that its staff members handle customers’ personal data with caution, in order to ensure compliance with the relevant requirements under the PDPO.
Lessons Learnt
Following the prevalent use of mobile phones and social media, filming and sharing video clips of daily life has become a common practice. While catching up with this trend, we must also be mindful of potential privacy pitfalls. To avoid the occurrence of incidents similar to this case, it is important to avoid filming any records of personal data, and to carefully review the recorded content to ensure its suitability for public sharing prior to uploading to social media.
|
Be a Smart E-shopper – Protect Your Personal Data Privacy while Shopping Online
|
With the common use of the internet and the maturity of online shopping platforms, online shopping has become integrated into our daily lives. While online shopping brings significant convenience to e-shoppers, their personal data will also be collected and used by online shopping platforms through account registration and transactions. E-shoppers’ browsing history and consumption habits may also be collected to provide personalised promotional information.
To protect their own personal data privacy when carrying out online shopping activities, e-shoppers can refer to the following practical tips:
Protecting Personal Data Privacy
- Provide the minimum amount of personal data for registration and transactions, or consider conducting transactions as a guest;
- Pay attention to direct marketing settings and make corresponding choices based on personal needs;
- Consider using a reliable third-party payment platform to settle transactions;
- Read the privacy policy to understand the platform’s purposes and means of collecting personal data;
- Check and adjust default privacy and security settings, and delete unnecessary tracking functions or refuse requests for access to personal data; and
- Delete unused accounts to avoid identity theft and reduce the risk of data leakage.
Safe Online Shopping
- Verify the authenticity of the platform and ensure that the website or application is the official one. Search for information about the platform first;
- Use the platform securely, avoid using public Wi-Fi for transactions and use strong passwords;
- “Stop and think” before clicking and avoid providing personal data arbitrarily. Check with Scameter (https://cyberdefender.hk/) if in doubt; and
- Regularly check online shopping accounts and report problems. If there is any suspicion of fraud, immediately report the case to the Police or contact the PCPD.
Please read the PCPD’s publication to learn more about how to protect personal data privacy during online shopping: Tips for Users of Online Shopping Platforms
|
Reaching Out to Directors – Privacy Commissioner Speaks at Directors’ Symposium 2024
|
Privacy Commissioner Ms Ada CHUNG Lai-ling gave a presentation at the “Directors’ Symposium 2024” organised by the Hong Kong Institute of Directors (HKIoD) on 24 September. The theme of the symposium was “Leading with Agility in an Era of Innovation”. In her presentation entitled “Data Breach Incidents and Precautionary Measures”, the Privacy Commissioner pointed out the serious impact of data breaches on companies and discussed the possible measures which could be taken by companies to prevent a data breach and to enhance the protection of personal data privacy. The Privacy Commissioner also recommended that companies implement a Personal Data Privacy Management Programme to ensure compliance with the requirements of the PDPO. Please click here for the Privacy Commissioner's presentation deck.
|
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Remind the Public to Beware of Blind Recruitment Advertisement and to Report on PCPD’s work in Combatting Doxxing Behaviour
|
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today”, RTHK Radio 3’s “Hong Kong Today”, RTHK Radio 1’s “HK2000” and “Open Line Open View”, as well as Commercial Radio’s “On a Clear Day” on 19 and 20 September to elaborate on the concern of the PCPD about the placing of “blind” recruitment advertisements (Blind Ads) on online recruitment platforms, as well as to report on the PCPD’s work in the past three years since the commencement of the provisions criminalising doxxing acts under the PDPO. During the interviews, the Privacy Commissioner pointed out that Blind Ads might be used as an unscrupulous means to collect personal data and might also be misused by swindlers to collect personal data for fraudulent activities. With a view to protecting the personal data privacy of members of the public, the PCPD has proactively initiated investigations against five organisations that had placed Blind Ads. The Privacy Commissioner reminded job seekers to check and verify the relevant employers’ identities, and not to respond to Blind Ads and submit their personal data arbitrarily.
The Privacy Commissioner also pointed out that online doxxing messages dropped by 90% on the third anniversary of the new anti-doxxing law. She believed that this is attributable to the PCPD’s ongoing enforcement actions, publicity and education work, as well as a more congenial atmosphere in the society.
Please click here to listen to the interview by RTHK News’ “Hong Kong Today” (49:45-53:52) (Chinese only).
Please click here to listen to the interview by RTHK Radio 3’s “Hong Kong Today” (14:21-18:05, 33:45-35:27).
Please click here to listen to the interview by RTHK Radio 1’s “Open Line Open View” (Chinese only).
|
Promoting Cross-boundary Flow of Personal Information – Privacy Commissioner Speaks at the Forum on Challenges and Opportunities in Cross-boundary Data Flow Within the Greater Bay Area
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Forum on Challenges and Opportunities in Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macao Greater Bay Area organised by the Greater Bay Area International Information Technology Industry Association and Macau University of Science and Technology on 16 September and gave a keynote address. The Privacy Commissioner explained the facilitation measures introduced by the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (GBA SC) for cross boundary flow of personal information within the GBA and encouraged enterprises to adopt the GBA SC for cross-boundary transfers of personal information within the GBA.
In addition, Acting Senior Legal Counsel of the PCPD Ms Clemence WONG also gave a speech at the Closed Meeting on Cooperation in the Cross-boundary Data Flow Within the GBA held in Nansha, Guangzhou on 10 September to elaborate on the facilitation measures relating to the GBA SC.
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
|
Building National Cybersecurity – Privacy Commissioner Attends 2024 China Cybersecurity Week Hong Kong Sub-forum
|
On 13 September, Privacy Commissioner Ms Ada CHUNG Lai-ling attended 2024 China Cybersecurity Week Hong Kong Sub-forum (Sub-forum), which was jointly organised by the Digital Policy Office, the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force, and Hong Kong Internet Registration Corporation Limited. At the Sub-forum, the Privacy Commissioner exchanged views with the cybersecurity sector from both the Mainland and Hong Kong to learn about the latest cybersecurity technologies and trends.
The Sub-forum was one of the events of the 2024 China Cybersecurity Week organised by the Cyberspace Administration of China. The theme of this year’s China Cybersecurity Week is “Cybersecurity for the People, Cybersecurity Relies on the People”.
|
Building National Cybersecurity – Privacy Commissioner Delivers Keynote Speech at 2024 China Cybersecurity Week Macao Sub-forum
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 2024 China Cybersecurity Week Macao Sub-forum (Sub-forum) on Personal Data Protection on 12 September and delivered a keynote speech. The event was co-organised by Macao’s Cybersecurity Incident Alert and Response Centre and the Personal Data Protection Bureau.
The Sub-forum was one of the events of the 2024 China Cybersecurity Week organised by the Cyberspace Administration of China. At the Sub-forum, the Privacy Commissioner provided an overview of the latest trends of data breach incidents to the participants, highlighting recent data breach cases in Hong Kong and overseas. The Privacy Commissioner also explained how to adopt proper security measures to strengthen data security.
Please click here for the presentation deck (Chinese only).
|
Spreading Love in the Festive Season – the PCPD Volunteer Team Visits the Elderly
|
As the Mid-Autumn Festival is around the corner, the Volunteer Team of the PCPD made home visits to elderly couples and elders who live alone on 4 September. The Volunteer Team prepared 100 Mid-Autumn Festival gift bags, celebrated the Mid-Autumn Festival with the “old pals”, and shared with them tips on fraud prevention. Privacy Commissioner Ms Ada CHUNG Lai-ling and 15 members of the Volunteer Team visited the elderly’s homes in groups. In addition to chatting with the elderly and offering blessings, the team shared some anti-fraud tips and videos to enhance the elders’ awareness of fraud prevention. The Volunteer Team gave each elder a Mid-Autumn Festival gift bag, which included low-sugar mooncakes, festive fruits and some daily necessities. Established in 2022, the PCPD Volunteer Team has made multiple visits to elderly centres to raise awareness of fraud prevention among the elderly. Recently, the Volunteer Team also helped prepare meal boxes for the needy. The Team donated anti-epidemic medical supplies to various social welfare organisations during the COVID-19 pandemic.
|
Enhancing Cybersecurity – PCPD Representative Attends “Bug Hunting Campaign 2024” Awards Gala
|
Chief Personal Data Officer (Compliance and Enquiries) of the PCPD Mr Brad KWOK attended the “Bug Hunting Campaign 2024” Awards Gala on 26 September to present awards and share the latest trends of data breach incidents. The PCPD is the Strategic Partner of the “Bug Hunting Campaign 2024” (Campaign), which is co-organised by the Cyber Security and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force and Cyberbay. Organisations enrolled in the Campaign would have the security levels of their websites tested by cybersecurity experts to help identify potential vulnerabilities.
|
Promoting AI Security – PCPD Representatives Speak to Industry Practitioners
|
Representatives from the PCPD attended two events on 20 September and shared with various industry practitioners the key features of the “Artificial Intelligence: Model Personal Data Protection Framework” (the Model Framework) published by the PCPD in June.
Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs and Research) Ms Cecilia SIU delivered a keynote speech at the Cyber Security Annual Forum 2024 organised by the Hong Kong Computer Society Cyber Security Specialist Group. The theme of the forum was “Core Practice of Data Governance in Cyber Security and Artificial Intelligence (AI)”. Separately, Acting Senior Legal Counsel (Global Affairs and Research) Ms Joyce LIU spoke at a sharing session organised by the Innovation, Data and Communication Committee of the Hong Kong General Chamber of Commerce and explained the key features of the Model Framework and how the Model Framework could benefit businesses. Please click here to download Ms SIU’s presentation deck.
Please click here to download Ms LIU’s presentation deck.
|
Telling a Good Hong Kong Story – the PCPD Welcomes a Mainland Delegation
|
The PCPD received a delegation of Mainland legal officials on 9 September. The delegation comprised 14 officials from six Departments/Bureaux of Justice from the Mainland, the Hong Kong and Macao Affairs Office of the State Council, and the Legal Affairs Bureau of Macao SAR Government.
The PCPD’s representatives Deputy Privacy Commissioner for Personal Data Ms Amy LAM, Senior Legal Counsel (Complaints) Ms Hermina NG, Head of Corporate Communications Ms Phoebe CHOW and Senior Personal Data Officer (Compliance and Enquiries) Mr John LO delivered a presentation to the delegation. The presentation covered Hong Kong’s personal data protection law, an overview of the PCPD’s role and functions, as well as how the PCPD handles complaints, combats doxxing and promotes the protection of personal data privacy.
|
Discharging Social Responsibility – the PCPD Fully Supports Hong Kong Green Building Week 2024
|
The PCPD joined the campaign on “Biz-Green Dress Day” of the Hong Kong Green Building Week 2024 on 5 September. The campaign was co-organised by the Construction Industry Council and the Hong Kong Green Building Council. By promoting light and cool yet professional workwear, the PCPD hopes to raise awareness of environmental protection and decarbonisation among colleagues in their everyday lives.
|
The PCPD 2022-23 Annual Report Wins the International ARC Awards
|
The PCPD 2022-23 Annual Report titled “Protecting Personal Data Privacy for a Smart Hong Kong” won a Bronze Award under the category of “Non-Profit Organisation (Print Annual Report) – Government Agencies & Offices” at the 2024 International Annual Report Competition (ARC) Awards.
The ARC Awards is a globally recognised competition with over 30 years of history. It is the world’s largest international competition honouring excellence in annual reports. The final judging panel comes from around the globe and is composed of senior management from corporations, organisations and design firms. The Awards are given for overall performance including creativity, design, clarity of written text, presentation of information and how well the annual report showcases the vision and mission of the organisation. PCPD colleagues are very much encouraged by the Award.
Please click here to view the winner list of the 2024 ARC Awards.
|
Privacy Commissioner Leads Staff Members to Visit the National Security Exhibition Gallery
|
Privacy Commissioner Ms Ada CHUNG Lai-ling led a group of 20 staff members from the PCPD to visit the National Security Exhibition Gallery on 27 September. The PCPD staff members reviewed modern Chinese history under the guidance of the docent during the tour, which deepened their understanding of national security.
The National Security Exhibition Gallery is the first thematic gallery in the Hong Kong Special Administrative Region (HKSAR) dedicated to systematic promotion of national security education. Located on the second floor of the Hong Kong Museum of History in Tsim Sha Tsui, with an area of over 1,100 square metres, the National Security Exhibition Gallery has been open to the public free of charge starting from August 2024.
|
Two Men Arrested for Suspected Doxxing Arising from Monetary Disputes
|
The PCPD arrested a Chinese male aged 37 (the first arrested person) and a Chinese male aged 47 in Kowloon and the New Territories respectively on 26 September. The two arrested persons were suspected to have disclosed the personal data of the data subject without his consent, in contravention of section 64(3A) of the PDPO.
The PCPD’s investigation revealed that the victim engaged the first arrested person to carry out renovation works. However, upon completion of the renovation works, the victim did not pay the arrested person as originally agreed. Thereafter, between March and May 2024, three messages containing the personal data of the victim were posted in two open discussion groups on a social media platform, alongside some negative comments against the victim. The personal data disclosed included the victim’s Chinese name, English name, Chinese alias, Hong Kong Identity Card number, mobile phone number, residential address, photo, as well as his previous and current occupations.
The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
|
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- The person discloses any personal data of a data subject without the relevant consent of the data subject –
  - With an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- The disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- Harassment, molestation, pestering, threat or intimidation to the person;
- Bodily harm or psychological harm to the person;
- Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- Damage to the property of the person.
|
PCPD Staff Members Participate in National Academy of Governance National Studies Course
|
The PCPD arranged for 10 staff members from different divisions to participate in a National Studies Course (Course) organised by the National Academy of Governance (NAG) in Beijing from 9 to 13 September, to deepen their understanding of the system and development of the Mainland, to learn about the rule of law in the Mainland, the latest situations of economic and technological developments and people’s livelihood, as well as to enable them to keep abreast of the country’s development strategies and their relationship with Hong Kong. Alongside the PCPD, other participating statutory bodies included the Equal Opportunities Commission and the Office of The Ombudsman. The Course consisted of lectures given by professors from the NAG and Peking University on the latest development of the country in different areas and the role of Hong Kong in integrating into the overall development of the country. Participants also visited the Museum of the CPC and the Zhongguancun Exhibition Center, and were received by the Vice-Chairperson of the Committee for the Basic Law of the Hong Kong Special Administrative Region (SAR) and Macao SAR of the Standing Committee of the National People’s Congress (NPCSC) and Deputy Director of the Legislative Affairs Commission of the NPCSC, Mr ZHANG Yong, who gave a lecture to the participants on the system and implementation of the “One Country, Two Systems” principle and the Basic Law.
|
A 50-year-old Female Arrested for Suspected Doxxing Arising from Monetary Disputes
|
The PCPD arrested a Chinese female aged 50 in the New Territories on 2 September. The arrested person was suspected to have disclosed the personal data of two data subjects without their consent, in contravention of section 64(3A) of the PDPO.
The PCPD’s investigation revealed that the two victims are married. The female victim and the arrested person had jointly run a business between 2021 and 2022. Subsequently, the female victim decided to withdraw from the business and a dispute arose between the female victim and the arrested person over the sharing of profits. In November 2023, flyers containing the personal data of the female victim were posted at the lift lobby of the floor where the couple resided and on one of the floors of the female victim’s workplace respectively, alongside demands requesting her to repay an alleged debt. Later in July 2024, similar flyers containing the personal data of the couple, accusing the female victim of fraud and demanding that the victims repay an alleged debt, were posted in the vicinity of the workplace of the female victim. The female victim’s personal data disclosed included her Chinese name, residential address, her position in an association and her photo. The male victim’s personal data disclosed included his Chinese name, previous occupation and place of work, as well as a partly redacted copy of his Hong Kong Identity Card showing his Chinese name, English name, gender and photo.
The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
|
Highlights of the “AI Safety Governance Framework”
|
The National Technical Committee 260 on Cybersecurity of the Standardization Administration of China released the “AI Safety Governance Framework” (V1.0) (the Framework)[1][2] on 9 September 2024. The Framework has been formulated to implement the Global AI Governance Initiative[3] and promote consensus and coordinated efforts on AI safety governance among governments, international organisations, companies, research institutes, civil organisations and individuals, aiming to effectively prevent and defuse AI safety risks.
The Framework proposes several principles for AI safety governance, which prioritise the innovative development of AI and take effectively preventing and defusing AI safety risks as the starting point and ultimate goal. Based on the notion of risk management, the Framework (1) pinpoints AI’s inherent safety risks and safety risks in AI applications, and (2) outlines technical countermeasures and comprehensive governance measures to address these risks. The Framework also provides safety guidelines for AI development and application for (a) model algorithm developers, (b) AI service providers, (c) users in key sectors such as government departments and critical information infrastructure, and (d) general users.
This article provides an overview of the Framework. Highlights of the Framework are set out below:
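1. Principles for AI Safety Governance
The principles for AI safety governance proposed in the Framework can be summarised in four points: “be inclusive and prudent to ensure safety”; “be risk-oriented with agile governance”; “integrate technology and management for a coordinated response”; and “promote openness and cooperation for joint governance and shared benefits”[4].
2. Safety Risks and Comprehensive Governance Measures
The Framework states that the safety risks of AI systems fall into two main categories: inherent safety risks and safety risks in AI applications. The comprehensive governance measures that the Framework proposes for the different safety risks are as follows[5]: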
|
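3. Technical Countermeasures
The Framework also recommends different technical countermeasures to guard against the safety risks mentioned above. Some of these measures relate directly to the protection of personal information and are extracted below:
Technical countermeasures for data security risks
- At every stage of the collection, storage, use, processing, transmission, provision, disclosure and deletion of training data and user interaction data, the security rules on data collection and use and on the processing of personal information should be followed[6].
- Where training data contains sensitive personal information and important data, data security management should be strengthened, and the relevant standards and specifications on data security and personal information protection should be complied with[7].
- Use training data that is truthful, accurate, objective, diverse and lawfully sourced, and filter out ineffective, erroneous and biased data in a timely manner[8].
- The provision of AI services overseas should comply with the rules on cross-border data management[9].
Technical countermeasures for cyberspace risks
- Data guardrails should be established to ensure that the output of sensitive personal information and important data by AI systems complies with the relevant laws and regulations[10].
Technical countermeasures for cognitive risks
- AI systems that carry out correlation analysis and aggregation mining on the questions collected from users, and thereby determine users’ identities, preferences and personal ideological leanings, should be strictly guarded against abuse[11].
Technical countermeasures for ethical risks
- In the course of algorithm design, model training and optimisation, and service provision, measures such as training data screening and output verification should be adopted to prevent discrimination on grounds such as ethnicity, belief, nationality, region, gender, age, occupation and health[12].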
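4. Safety Guidelines for AI Development and Application
The Framework provides safety guidelines for development and application to model algorithm developers, AI service providers, users in key sectors and general users respectively. The key recommendations in the guidelines are as follows:
Model algorithm developers
- Should attach importance to data security and personal information protection, and ensure that data sources are clear and the means of acquisition are compliant. Should establish a sound data security management system to ensure the security and quality of data and its compliant use, guard against risks such as data leakage, loss and dissemination, and properly handle user data when an AI product is terminated and taken offline[13].
- Should ensure the security of the environment in which model algorithms are trained, including cybersecurity configuration and data encryption measures[14].
AI service providers
- Should inform users, in contracts or service agreements and in a manner that is easy for users to understand, of the scope of application, precautions and prohibited uses of AI products and services, so as to support users in making informed choices and using them prudently[15].
- Should raise awareness of AI risk prevention, establish and improve a real-time risk monitoring and management mechanism, and continuously track safety risks in operation[16].
Users in key sectors (including government departments and critical infrastructure)
- Before using an AI product, should fully understand its data processing and privacy protection measures[17].
- Should strengthen capabilities in areas such as cybersecurity and supply chain security, reduce the risk of AI systems being attacked and of important data being stolen or leaked, and ensure that business is not interrupted[18].
- Should ensure that operations comply with confidentiality requirements, and use protective measures such as encryption technology when handling sensitive data[19].
General users
- Before use, should read the product contract or service agreement carefully, understand the product’s functions, limitations and privacy policy, correctly recognise the limitations of AI products in making judgements and decisions, and set reasonable expectations for use[20].
- Should raise awareness of personal information protection and avoid entering sensitive information unnecessarily[21].
- Should understand how AI products process data and avoid using products that do not conform to privacy protection principles[22].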
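Conclusion
The Framework implements the principles advocated in the Global AI Governance Initiative and plays an important role in encouraging all parties in society to participate actively in, and jointly advance, AI safety governance. The Framework provides a foundational, framework-level technical guide for fostering a safe, reliable, fair and transparent ecosystem for the research, development and application of AI technology, and for promoting the healthy development and regulated application of AI. At the same time, the Framework helps to promote international cooperation on AI safety governance and the formation of a global AI governance system based on broad consensus, ensuring that AI technology benefits humanity.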
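[1] Full text available at https://www.tc260.org.cn/upload/2024-09-09/1725849192841090989.pdf
[2] Full text: https://www.cac.gov.cn/2024-09/09/c_1727567886199789.htm
[3] Full text: https://www.cac.gov.cn/2023-10/18/c_1699291032884978.htm
[4] Paragraphs 1.1 to 1.4 of the Framework
[5] Page 17 of the Framework
[6] Paragraph 4.1.2 (a) of the Framework
[7] Paragraph 4.1.2 (d) of the Framework
[8] Paragraph 4.1.2 (e) of the Framework
[9] Paragraph 4.1.2 (f) of the Framework
[10] Paragraph 4.2.1 (b) of the Framework
[11] Paragraph 4.2.3 (b) of the Framework
[12] Paragraph 4.2.4 (a) of the Framework
[13] Paragraph 6.1 (b) of the Framework
[14] Paragraph 6.1 (c) of the Framework
[15] Paragraph 6.2 (b) of the Framework
[16] Paragraph 6.2 (f) of the Framework
[17] Paragraph 6.3 (c) of the Framework
[18] Paragraph 6.3 (e) of the Framework
[19] Paragraph 6.3 (g) of the Framework
[20] Paragraph 6.4 (b) of the Framework
[21] Paragraph 6.4 (c) of the Framework
[22] Paragraph 6.4 (d) of the Framework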
|
Professional Workshop on Recent Court and Administrative Appeals Board Decisions
|
Legal professionals and compliance officers should keep abreast of the latest decisions and arguments of the court and the Administrative Appeals Board relating to personal data privacy. In this regard, the PCPD lawyer will give participants a deep dive into those cases and the commonly deployed provisions of the PDPO, strengthening the participants’ understanding of the cases from a legal perspective and the knowledge in the interpretation and application of the PDPO.
Date: 9 October 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, barristers, legal counsels, data protection officers and compliance officers, company secretaries and administration managers.
|
Professional Workshop on Data Protection in Direct Marketing Activities
|
Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. Organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO, which also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility.
This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO and provide participants with practical guidance on compliance and share conviction cases relating to direct marketing, aiming to help participants understand how to properly use customers’ personal data in direct marketing activities.
Date: 30 October 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals.
|
New Series of Professional Workshops on Data Protection from Nov to Dec 2024:
|
Online Free Seminar – Introduction to the PDPO Seminar
|
The PCPD regularly organises free introductory seminars to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
|
The PCPD Supports the Cyber Security Summit 2024
|
The “Cyber Security Summit 2024” (Summit) jointly organised by the Hong Kong Productivity Council and leading information security organisations in Hong Kong is now open for enrolment. The PCPD is pleased to be one of the supporting organisations of this event.
“Cyber Security Fortification – The AI Paradox” is the theme of this year’s Summit. It aims to provide participants with valuable opportunities to gain insights in creating a safer digital landscape from industry leaders and experts with both local and international backgrounds in the cybersecurity field, through captivating keynote speeches, thought-provoking panel discussions and interactive workshops.
Please click here for the enrolment form and related information of the “Cyber Security Summit 2024”.
|
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.