PCPD and HKPC Jointly Release
“Hong Kong Enterprise Cyber Security Readiness Index and AI Security” Survey

The PCPD and Hong Kong Productivity Council (HKPC) jointly released the results of the “Hong Kong Enterprise Cyber Security Readiness Index and AI Security” survey on 21 November. The “Hong Kong Enterprise Cyber Security Readiness Index” has increased by 5.8 points to 52.8 points (maximum being 100 points) compared with last year, approaching the level in year 2022. However, it remains at the “Basic” level¹, indicating that there is still significant room for improvement for enterprises. Both Small-and-Medium Enterprises (SMEs) (48.4 points) and Corporates (73.1 points) have recorded increases, up by 4.8 points and 10.6 points respectively, with the index for Corporates reaching an all-time high.

Hong Kong Enterprise Cyber Security Readiness Index

The “Hong Kong Enterprise Cyber Security Readiness Index” comprises four areas including “Policy and Risk Assessment”, “Technology Control”, “Process Control” and “Human Awareness Building”. This year, “Process Control” (70.9 points) slightly increases by 2.8 points, continues to rank top among all sub-indices, and is categorised as the “Managed” level. This sub-index has shown an upward trend, rising from 57.3 points in 2018 to 70.9 points this year. Similarly, “Technology Control” (57.3 points) also increases slightly by 2.2 points compared with last year, up from 36.9 points in 2018, which was at the “Ad-hoc” level, to 57.3 points, reaching the “Basic” level. “Policy and Risk Assessment” (52.1 points) has recorded a significant rebound of 12.4 points this year, returning to the “Basic” level. Additionally, “Human Awareness Building” increases by 5.7 points to 30.9 points this year. However, this area has remained at the “Ad-hoc” level since 2018. The survey found that only one-third (35%) of the surveyed enterprises had provided cyber security awareness training for their employees, and only one-fourth (24%) had conducted drills to enhance employees’ cyber security awareness, indicating that enterprises need to bolster efforts in these two areas.

By business sector, Financial Services sector (68.3 points) continues to remain at the “Managed” level. On the other hand, although there is an increase for the indices for the Retail and Tourism-related sector (45.3 points, +12.0 points) and the Professional Services sector (46.0 points, +2.5 points), they remain to be the business categories with the lowest index and their indices are still below the 50-point threshold.

The survey also found that nearly 70% (69%) of the surveyed enterprises had experienced at least one type of cyberattack in the past 12 months, a slight decrease of four percentage points from last year, but the incidence is still higher than that in 2022 (65%). The decreased incidence is mainly due to the reduction in percentage of SMEs experiencing cyber security attacks, which drop by four percentage points compared with last year. Nonetheless, over 70% (71%) of Corporates still experience cyberattacks, similar to the figure last year. Among these enterprises, phishing attacks continue to be the most common type of cyberattack, with 98% of enterprises encountering such attacks this year, an increase of two percentage points year-on-year. In addition to common types of phishing attacks such as phishing emails (79%) and online advertisement counterfeiting other organisations (42%), the survey also found that smishing (SMS phishing) (38%, +4 percentage points) had become more common compared with last year.

Artificial Intelligence (AI) Security and Privacy Risks Survey

The thematic survey this year examined the usage of AI of surveyed enterprises and the security measures that they have implemented. The survey results revealed that nearly 70% (69%) of enterprises believe that using AI in their operations pose significant privacy risks. Overall, around one-fifth (21%) of enterprises currently use AI in their operations, with a higher adoption rate among Corporates, exceeding 40% (43%).

Among enterprises that use AI in their operations, around two-thirds (65%) have implemented at least one data security measure, with the proportion being even higher among Corporates, with a figure close to 80% (79%). This suggested that Corporates place greater emphasis on data security compared to SMEs to ensure the security of the data of their AI tools. The most commonly adopted data security measures include “access control” (41%) and data protection measures (such as data encryption and anonymisation of personal data) (39%). However, fewer enterprises deploy security measures specifically designed for defending against adversarial machine learning attacks (14%) or set up AI related security alerts (13%).
 

Additionally, three-quarters (75%) of enterprises that use AI in their operations reported that they would not provide data to third parties when using AI. Among those who would provide data to third parties, the majority only share publicly available data (14%) as well as anonymised and aggregated data (8%), indicating that a cautious approach is adopted by enterprises when handling data. Regarding the incident response plans for personal data breaches, although over 60% (61%) of enterprises which use AI in their operations have established such response plans, only less than 20% (16%) of the plans specifically address AI related incidents.

The survey also found that Corporates have been more proactive than SMEs in providing AI related training and developing policies on AI security risks. Among the enterprises using AI in their operations, over 80% (82%) of Corporates are currently offering or planning to offer AI related training for their employees, and over 70% (74%) have developed or are planning to develop policies regarding AI security risks. In contrast, only about half of the SMEs (52% and 45%, respectively) have taken these steps. In addition, less than 20% (17%) of the surveyed SMEs plan to increase the use of AI technologies to enhance data security and cyber security in the next 12 months; yet, over 40% (46%) of Corporates have such plans.

The survey was commissioned by the PCPD and conducted independently by HKPC, with a view to assessing the readiness of local enterprises in responding to cyber security threats and AI security risks, as well as gauging public opinion on topics related to privacy. The latest survey was conducted in September to October 2024, with 442 enterprises from six business sectors² interviewed by telephone.

Please click here to download the survey report “Hong Kong Enterprise Cyber Security Readiness Index and AI Security Survey 2024”.

PCPD and HKPC Jointly Launch “Data Security Training Series for SMEs”
 
To help SMEs enhance their data security, the PCPD and HKPC will jointly roll out the Data Security Training Series in 2025. The series will cover topics including: (i) lessons from data breach cases in recent years; (ii) recommended data security measures; and (iii) how to prevent and handle a data breach incident.

PCPD Launches “Data Security” Package

To strengthen the capabilities of schools, NGOs and SMEs in safeguarding data security and cyber security, the PCPD has launched the “Data Security” Package. Participating organisations will receive five free quotas to join professional workshops and seminars organised by the PCPD upon completion of a free assessment by the “Data Security Scanner”, which will assess the adequacy of their data security measures. In addition, the PCPD has launched the thematic webpage on data security and the “Data Security Hotline” 2110 1155 to provide relevant information and assistance in this regard. Interested schools, NGOs and SMEs are welcome to obtain further information by emailing training@pcpd.org.hk.

HKPC Launches “Phishing Defence Services”

HKPC continues to enhance its diverse services and support for SMEs, aiming to improve their cyber security awareness and defensive capabilities. To enhance employees’ cyber security awareness and to help them understand different types of phishing attacks and the techniques involved, HKPC has launched its “Phishing Defence Services”. In addition to designing phishing campaign or scenarios and conducting phishing drills, the service also includes the provision of analysis and training based on the results of the phishing drills. The latest attacks will be simulated during the drill exercise, allowing participants to better understand the latest developments of and techniques involved in phishing attacks.

Visit HKPC’s “Phishing Defence Services” for more details:

https://www.hkpc.org/en/our-services/digital-transformation/cyber-security/phishing-defence-services

¹ The Index is categorised into five levels, ranking from high to low as “Anticipated” (80-100), “Managed” (60-79), “Basic” (40-59), “Ad hoc” (20-39) and “Unaware” (0-19).
² The six business sectors covered in this survey include “Retail and Tourism Related”, “Manufacturing, Trading and Logistics”, “Non-Governmental Organisations, Schools and Others”, “Financial Services”, “Professional Services” and “Information and Communications Technology”.

Privacy Commissioner’s Office Commends 67 Secondary Schools as “Partnering Schools” in Promoting a Privacy-Friendly Culture on Campus

The PCPD held an Award Presentation Ceremony for “Student Ambassador for Privacy Protection Programme – Partnering Schools Recognition Scheme 2024” (Student Ambassador Programme) cum “Future Leaders of AI and Privacy Protection Training Programme” (Future Leaders Programme) on 11 November. The Ceremony was officiated by the Secretary for Constitutional and Mainland Affairs Mr Erick TSANG Kwok-wai, GBS, IDSM, JP. Other guests included members of the Personal Data (Privacy) Advisory Committee of the PCPD, the Hon Ms Carmen KAN Wai-mun, JP and Mr Raymond SY Kim-cheung, JP, and members of the Standing Committee on Technology Development of the PCPD, Dr Alan CHEUNG, Adjunct Professor Jason LAU and Dr Gregg LI.
 
The activities, which were supported by the Business-School Partnership Programme of the Education Bureau, Microsoft Hong Kong and the Hong Kong Association for Computer Education, aimed to encourage all secondary schools to join the network of “Partnering Schools” and complete various “privacy protection missions” designated by the PCPD, with a view to fostering a culture of respecting and protecting personal data privacy on campus. This year, 67 secondary schools have become “Partnering Schools” to join hands with the PCPD in disseminating anti-doxxing messages by organising educational talks, broadcasting educational videos and distributing promotional materials, with a total of more than 17,000 students participating in the activities.

  
Given the rising popularity of the use of AI chatbots, the PCPD also included the Future Leaders Programme as one of the “privacy protection missions” of partnering schools. The Future Leaders Programme, themed “Small Leaders, Big Wisdom, Joins Hands to Build the AI Future”, enables participating students to learn the importance of a personal data privacy management programme and the standards of the ethical use of AI through various activities, including a topical seminar, exchanges with data protection officers and an AI practical workshop presented by Microsoft Hong Kong. A total of 90 secondary school students completed the training.

“Partnering Schools” of the Student Ambassador Programme would receive diamond, gold, silver and bronze awards respectively, while students who have completed the Future Leaders Programme would be awarded a certificate. For more information about the Student Ambassador Programme, please visit the website:

https://www.pcpd.org.hk/childrenprivacy/en/student_ambassador_program/student-ambassador-program-2024_mission.html

Please click here and refer to the appendix for the list of Partnering Schools of the Student Ambassador Programme 2024.

Telling a Good Hong Kong Story –
Privacy Commissioner Attends the 62^nd Asia Pacific Privacy Authorities Forum

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 62^nd Asia Pacific Privacy Authorities (APPA) Forum from 26 to 27 November in Tokyo, Japan, organised by the Personal Information Protection Commission of Japan. The Forum brought together representatives from 17 APPA members, along with delegates from other privacy or data protection authorities or networks, privacy protection think-tanks and academic institutions. Attendees exchanged views on regulatory experiences, enforcement challenges and legislative reforms, as well as discussed topical privacy issues.
 
The Privacy Commissioner participated in a panel discussion titled “Governance of AI and Emerging Technologies in the Asia Pacific Region: Perspectives and Initiatives” alongside fellow regulators and academics from California, the United States, Japan, Korea and Singapore where the panellists explored the interplay between governance of AI and protection of personal data privacy. 
 
The Privacy Commissioner also attended bilateral meetings with Commissioners or senior representatives from regulators in Japan, Korea, Singapore and Italy during which the parties discussed a variety of data protection issues and explored the potential areas for collaboration with a view to strengthening the ties between the PCPD and privacy or data protection authorities from other jurisdictions.
 
At the Forum, the Assistant Privacy Commissioner for Personal Data (Acting) (Legal, Global Affairs and Research) of the PCPD Ms Fiona LAI Ho-yan gave an overview of the PCPD’s work in relation to the handling of data breach incidents and introduced the wide array of educational and promotional efforts undertaken by the PCPD in promoting data security and cybersecurity.
 
Major themes discussed at the APPA Forum included:

• Governance of AI and emerging technologies;
• Enforcement and legislative developments;
• Training and awareness raising activities;
• Cross-border data transfers; and
• Protecting children’s privacy.

Founded in 1992, APPA serves as the principal forum for privacy and data protection authorities in the Asia Pacific region to strengthen cooperation, discuss best practices and share information on privacy regulations and emerging technologies.

Interested schools, NGOs and SMEs are welcome to obtain further information by emailing training@pcpd.org.hk. 

PRIVACY 101

Data Privacy Protection in Direct Marketing Activities

Direct marketing is a common business practice for organisations in different sectors to promote their products and services in Hong Kong. The direct marketing activities often involve the collection and use of personal data. According to the Personal Data (Privacy) Ordinance (PDPO), “direct marketing” is defined as the offering, or advertising of the availability, of goods, facilities or services; or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, through direct marketing means. The “means” is further defined as sending information or goods, addressed to specific persons, by mail, fax, electronic mail or other means of communication; or making telephone calls to specific persons.

If organisations intend to use customers’ personal data for direct marketing purposes, the following information should be provided and displayed in an easily readable manner to the customers in advance:

• The intention to use the customers’ personal data for direct marketing;
• Organisations may not so use the customers’ personal data unless they have received the customers’ valid consent to the intended use;
• The kinds of personal data to be used;
• The classes of marketing subjects in relation to which the data is to be used; and
• A free-of-charge response channel for customers to indicate their valid consent to the intended use. 

The customers’ valid consent includes an explicit indication of no objection to the use or provision of the personal data. Here are some examples of valid consent:

• An oral reply: “Okay, please send me the promotional offer/information to my address at XYZ”;
• Not checking the tick box indicating objection to receive direct marketing materials but signed and returned to the organisations an agreement to the effect that the organisations’ notification regarding collection, use and provision of personal data has been read and understood; and

• Ticking the box “I do not object to the use of my personal data for direct marketing of XXX” in an application form.

Organisations should also notify the customers of their opt-out right for the first time when using the data in direct marketing and cease using their personal data without charging them if they have opted out.

To learn more about data protection in direct marketing activities, please refer to Guidance on Direct Marketing.

PRIVACY COMMISSIONER’S FINDINGS

A Telecommunications Company Failed to Comply with the Opt-out Request from a Customer to Cease Using his Personal Data in Direct Marketing

The Complaint 

The complainant was a customer of a telecommunications company who had provided his personal data to the company. Subsequently, the complainant made a request to the company by email to opt out of direct marketing. Receipt of the same was acknowledged by the company in writing. However, the complainant later, on two occasions, received a call and an email respectively from the company promoting its services.

Outcome

The company was summoned for two offences of failing to comply with the request from a data subject to cease using his personal data in direct marketing, contrary to section 35G(3) of the PDPO. The company pleaded guilty to the offences and was fined HK$2,000 for each summons, totalling HK$4,000.

Lessons Learnt

As the public becomes more aware of the need to protect the privacy of their personal data, organisations need to respect their customers’ choices about the use of their personal data in direct marketing. To prevent recurrence of similar cases, organisations should regularly update opt-out lists and strengthen the training of staff on complying with customers’ opt-out requests to ensure that they are fully aware of the requirements relating to direct marketing under the PDPO. A data user who contravenes the requirements of section 35G under the PDPO commits an offence and is liable on conviction to a fine of HK$500,000 and to imprisonment for three years.

TECH TALK

Stay Vigilant! Beware of the Privacy Risks when “Juicing Up” Your Gadgets in Public

Living in a smart city, public USB charging stations can be commonly found in many public areas in Hong Kong, such as train stations, restaurants, shopping malls and even on public transportations. This free-charging service is undoubtedly a lifesaver for citizens when their electronic gadgets are running out of battery in daily lives. However, when we enjoy the convenience of free public charging service, are you aware of the potential risks to your personal data privacy, which might lead to the misuse of personal data for committing illegal acts such as fraud?

What is “Juice Jacking”?

“Juice jacking” is a form of cyber-attack whereby a hacker sets up fake charging kiosks in public areas to initiate attacks to electronic gadgets. There are two common types of “juice jacking”. The first type is known as “data theft”, which involves stealing sensitive data from electronic gadgets via fake charging kiosks. Another type refers to malware installation, which kiosks will be programmed to install malwares onto the connected electronic gadgets for collecting personal data continuously and even gaining control of the electronic gadgets remotely after disconnection.

Practical Tips for Using Public Charging Services

To protect your electronic gadgets and your stored personal data from “juice jacking”, here are some practical tips for users when using the public charging services:

• Verify the power source and charge the mobile devices by using an Alternating Current (AC) power outlet directly (as opposed to USB);
• Bring your own charging-only cables to prevent data transmission from or to the public charging stations;
• Use your own portable power banks instead of charging mobile devices through public charging stations;
• Turn off the option of installing applications from third-party sources on your electronic gadgets to prevent unauthorised software installations; and
• Install antivirus software on your electronic gadgets to detect and block malicious activities promptly.

WHAT’S ON

Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the Collection of Personal Data by Online Travel Platforms

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” on 19 November to explain the report titled “A Study of the Collection of Personal Data by 10 Online Travel Platforms” released by the PCPD.
 
The Privacy Commissioner pointed out the review found that all the platforms reviewed track user activities on their platforms, including user location information and browsing histories. In relation to direct marketing, some platforms only provide bundled consents or set the default option as “agreed”. She recommended that online travel platforms should provide users with options to make voluntary choices.
 
The Privacy Commissioner also reminded members of the public to provide the minimum amount of personal data and adjust privacy settings when using online travel platforms. The Privacy Commissioner urged members of the public to verify the authenticity of websites and social media pages before purchasing travel products online to avoid scams.

Acting Senior Legal Counsel (Global Affairs and Research) of the PCPD Ms Joyce LIU was also interviewed by RTHK News’ “Hong Kong Today” and RTHK Radio 3’s “Backchat” to explain the report.
 
The interview by RTHK News’ “Hong Kong Today” can be listened here (Chinese only). (54:07 – 59:38)
The interview by RTHK Radio 3’s “Backchat” can be listened here. (28:00 – 40:25)

Reaching Out to Accounting Professionals – Privacy Commissioner Speaks at the CPD Carnival 2024

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the CPD Carnival 2024 on 16 November and delivered a presentation on the latest trend of data breach incidents. The event was organised by The Society of Chinese Accountants & Auditors and attracted more than 120 participants from the accounting sector.

The Privacy Commissioner shared with the participants the trends of data breach incidents, some representative cases and recommended a series of data security measures. She also introduced the “Data Security” Package launched by the PCPD to the participants.
 
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).

Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society’s Annual Cocktail Reception 2024

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Annual Cocktail Reception 2024 of the Law Society of Hong Kong on 11 November to meet with members of the legal professionals.

The Privacy Commissioner has been supporting the activities organised by the Law Society of Hong Kong. Other than serving as a member of the judging panel for its Pro Bono and Community Work Recognition Programme, the Privacy Commissioner has spoken at seminars or conferences organised by the Law Society.

Promoting AI Security – Privacy Commissioner Publishes an Article on A Plus

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Safeguarding personal data privacy in the AI era with PCPD’s Model Framework” on A Plus, the official quarterly magazine of the Hong Kong Institute of Certified Public Accountants.
  
In the article, the Privacy Commissioner highlighted that as technology evolves rapidly, privacy risks posed by AI are significant because massive amount of data is typically involved in the application of AI. It is more important than ever that accountants keep abreast of the latest trends and measures in ensuring AI security.
 
To that end, the Privacy Commissioner introduced the “Artificial Intelligence: Model Personal Data Protection Framework” published by the PCPD earlier, including the recommendations and best practices set out therein.

Please click here to read the article.

Promoting AI Security – Privacy Commissioner Speaks at the Hong Kong International Computer Conference 2024

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong International Computer Conference 2024 themed “From Generative AI (GAI) to Artificial General Intelligence (AGI)” on 4 and 5 November and delivered a keynote speech titled “Safeguarding Personal Data Privacy in the Age of AI: Governance Recommendations”.

During the speech, the Privacy Commissioner discussed the privacy risks associated with the use of AI and introduced the “Artificial Intelligence: Model Personal Data Protection Framework” published by the PCPD earlier.

In addition, on 5 November, Acting Senior Legal Counsel of the PCPD Ms Joyce LIU participated in a panel discussion titled “the Upsides and Undersides of AI” where she shared with other panellists the PCPD’s insights on the promises and perils brought by AI.

The annual conference was organised by the Hong Kong Computer Society and was attended by around 200 ICT professionals, government officials and business executives.
 
Please click here for the Privacy Commissioner’s presentation deck.

Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the PCPD’s Work

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “Accountability” on 2 November to explain the work of the PCPD.

 
The Privacy Commissioner pointed out that as the training of AI systems requires a large amount of data, which may be scrapped from online platforms, the PCPD, together with 15 privacy or data protection authorities worldwide, recently issued a global joint statement on data scraping to social media platforms and provided guidance to them on how to better protect users’ personal data. She also mentioned that social media platforms should allow users to choose whether they consent to the purpose(s) of use of their personal data. 
 
The Privacy Commissioner also said that since the implementation of the Personal Data (Privacy) Amendment Ordinance 2021 in October 2021, the PCPD had handled over 3,200 doxxing cases and issued over 2,000 cessation notices to 47 online platforms, with a compliance rate of over 96%. The PCPD also instigated criminal investigations in 363 cases and arrested 62 persons during the period. This showed that the PCPD’s work on combatting doxxing acts had been very effective.

Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the Global Joint Statement Issued to Social Media Platforms on Data Scraping

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today”, RTHK Radio 1’s “HK2000” and “Open Line Open View” on 29 and 30 October to explain the global joint statement (Joint Statement) on data scraping issued by the PCPD together with 15 privacy or data protection authorities worldwide to social media platforms.
 
The Privacy Commissioner pointed out that as concerns grow among regulators worldwide about mass scraping of personal data, including scraping data for training AI systems, on social media platforms, the PCPD, together with the privacy or data protection authorities of other jurisdictions, issued the Joint Statement. The Joint Statement reminded social media platforms that they have a responsibility to ensure that personal data of users are adequately protected against unlawful data scraping, and provided further guidance to the industry.

The interview by RTHK News’ “Hong Kong Today” can be listened here (Chinese only). (54:40-59:32)
The interview by RTHK Radio 1’s “Open Line Open View” can be listened here (Chinese only).

Telling a Good Hong Kong Story – PCPD Representatives Attend the 46^th Global Privacy Assembly 2024

Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD attended the 46^th Global Privacy Assembly (GPA) from 28 October to 1 November. The hybrid conference, which was held in Jersey, featured discussions of privacy issues relating to AI, cybersecurity, children education, cross-border data transfers, regulatory cooperation and more.

In the Open Session, the Assistant Privacy Commissioner for Personal Data (Corporate Communications and Compliance) Ms Joyce LAI (Assistant Privacy Commissioner) spoke at a panel titled “Education from the ground up: The societal impact of privacy education”. She discussed the proactive approach taken by the PCPD in advancing privacy education for children in Hong Kong through an array of initiatives such as publications, seminars and competitions.

 
At a side event, the Assistant Privacy Commissioner joined the representatives from the privacy or data protection authorities of Australia, Canada, Guernsey, Norway and the UK in a panel discussion on the “Concluding joint statement on data scraping and the protection of privacy”, which was co-signed by the authorities from 16 jurisdictions (including the PCPD) and published earlier.

It was also announced in the Closed Session that the PCPD has become a co-chair of the GPA’s Ethics and Data Protection in AI Working Group since October 2024.  

The GPA is the leading international forum for over 130 privacy or data protection authorities from around the globe to discuss and exchange views on privacy issues and the related international developments.

PCPD Officer Receives The Ombudsman’s Award 2024

An officer of the PCPD was one of the recipients of The Ombudsman’s Awards 2024 for Officers of Public Organisations (Awards) in recognition of his outstanding performance and professionalism in handling complaints and enquiries. This is the eighth consecutive year for the PCPD officers to receive the Awards.

The PCPD awardee is Acting Assistant Personal Data Officer of the Compliance and Enquiries Division Mr Saki CHOY Cho-hei. Privacy Commissioner Ms Ada CHUNG Lai-ling attended the presentation ceremony on 31 October and congratulated Mr CHOY. 

Enhancing Cybersecurity – PCPD's Representative Attends “Cyber Security Staff Awareness Recognition Scheme” Recognition Ceremony

Assistant Privacy Commissioner for Personal Data (Corporate Communications and Compliance) Ms Joyce LAI attended the “Cyber Security Staff Awareness Recognition Scheme” Recognition Ceremony on 27 November to present awards and deliver a speech on the importance of human firewall on personal data protection.
 
The PCPD is the Scheme Partner of the “Cyber Security Staff Awareness Recognition Scheme” (Scheme). Co-organised by the Hong Kong Internet Registration Corporation Limited (HKIRC) and ISACA China Hong Kong Chapter, the Scheme aims to encourage more organisations to enhance awareness of their staff on cybersecurity, with a view to strengthening the organisations’ ability to prevent cyber attacks.

Promoting AI Security – PCPD Representative Speaks at the IT Conference 2024 of the Hong Kong Institute of Certified Public Accountants

Acting Senior Legal Counsel (Global Affairs and Research) of the PCPD Ms Joyce LIU attended the IT Conference organised by the Hong Kong Institute of Certified Public Accountants on 9 November and delivered a keynote speech titled “AI Governance and Privacy: Best Practices for Accountants”.  The theme of the conference was “Innovation through New Intelligence – Harnessing AI to Revolutionize Accounting Practices”.   
 

In her speech, Ms Liu discussed the challenges and opportunities that AI presents to the accounting profession, and explained how the recommendations set out in PCPD’s recent guidance on “Artificial Intelligence: Model Personal Data Protection Framework” could help accountants adopt AI in a manner which protects personal data privacy.

Please click here for the presentation deck.

Telling a Good Hong Kong Story – PCPD’s Representative Speaks at the Seminar Entitled “Latest Developments of Personal Data Protection Regimes in China and Various Portuguese-speaking Countries”

Acting Senior Legal Counsel of the PCPD Ms Clemence WONG spoke at the seminar on the “Latest Developments of Personal Data Protection Regimes in China and Various Portuguese-speaking Countries” held in Macao on 1 November. The event was organised by the Personal Data Protection Bureau of the Macao Special Administrative Region Government and Macao Lawyers Association.

Ms WONG provided the participants with an overview of the latest developments of the personal data protection regime of Hong Kong, including the anti-doxxing provisions under the PDPO, the facilitation measures relating to the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong), the recommendations and best practices covered in the “Artificial Intelligence: Model Personal Data Protection Framework” issued by the PCPD, as well as the PCPD’s promotional and educational work on data security in recent years.

Please click here for the presentation deck (Chinese only).

Promoting AI Security – PCPD Representative Speaks at the 2024 Annual Conference of Practising Governance 

Acting Senior Legal Counsel (Global Affairs and Research) of the PCPD Ms Joyce LIU attended and spoke on the PCPD’s recent guidance titled “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) at the 2024 Annual Conference of Practising Governance on 31 October.

In the conference, Ms Liu discussed the challenges governance practitioners face with the rise of AI and explained how the recommendations of the Model Framework can help organisations enhance their AI governance.

Please click here for the presentation deck.

MEDIA STATEMENT

The PCPD Reviews the Collection of Personal Data by 10 Online Travel Platforms

In the light of the growing popularity of online travel platforms and mobile applications, the PCPD reviewed 10 online travel platforms (including the relevant websites and mobile applications) commonly used by citizens to understand how these platforms collect and use the personal data of their users, and released a report titled “A Study of the Collection of Personal Data by 10 Online Travel Platforms” on 18 November. The 10 platforms are (in alphabetical order) Agoda, EGL Tours, Expedia, Goldjoy Holidays, Miramar Travel, Sunflower Travel, Travel Expert, Trip.com, Wing On Travel and WWPKG.

In the course of the review, some of the travel platforms have taken actions to make improvements to the provision of privacy protection information and the user interface design of their platforms. Upon conclusion of the review by the PCPD, the practices regarding the collection of users’ personal data by the platforms are summarised as follows:

• All the online travel platforms reviewed have displayed their privacy policies on their websites and mobile applications (if any);
• All the online travel platforms reviewed have stated in their privacy policies the purposes of the collection of personal data, and the categories of third parties (e.g. airlines, hotels and insurance companies, etc.) to whom the collected personal data may be transferred;
• Only seven of the online travel platforms reviewed (Agoda, EGL Tours, Expedia, Goldjoy Holidays, Trip.com, Wing On Travel and WWPKG) have stated their data retention policies in their privacy policies;
• Expedia ranks the highest in the readability of its privacy policy amongst the 10 platforms for, among others, its succinct and clear presentation as well as effective use of headings and tables;
• All the platforms reviewed track user activities on their platforms, collecting data such as user location information and/or browsing histories;
• All the platforms reviewed have obtained users’ consents for direct marketing. Sunflower Travel only provides an option for users to provide their bundled consents. Expedia, Goldjoy Holidays, Travel Expert, Trip.com and Wing On Travel provide users with the option to accept or decline the use of their personal data for direct marketing, but the default option is “agreed”;
• Users are not required to register for or log in to an account to make reservations or purchase some travel products on all the platforms reviewed;
• If users choose to register for an account, the platforms reviewed will collect one to six types of personal data in the registration process;
• Four of the platforms reviewed (Agoda, Expedia, Trip.com and Wing On Travel) provide an option on the checkout page to automatically save the personal data entered by users; and
• Agoda and Expedia state in their privacy policies that they use AI technologies to provide services which may involve the use of users’ personal data.

In view of the review results, the PCPD would like to make the following recommendations to the operators of online travel platforms on the best practices and enhancement of privacy protection:

1. Implement a Personal Data Privacy Management Programme and appoint a Data Protection Officer to monitor compliance with privacy regulations;
2. Incorporate privacy-protecting elements into the design of platforms by adopting “Privacy by Design” and “Privacy by Default”. For instance, setting the most privacy-protective option as the default option and providing users with relevant consent options timely;
3. Only collect personal data that is necessary;
4. Provide a clear and easy-to-understand privacy policy;
5. Enhance transparency in the processing of personal data by AI: If a platform uses AI to process personal data for automated decision making or other purposes in its operation, the platform should disclose in its privacy policy the purposes of the use of AI and the categories of personal data involved, as well as provide a clear explanation on how users can exercise their options in this regard;
6. Provide a convenient option to delete accounts;
7. Use third-party services (e.g. payment systems) cautiously: Ensure the reliability of the third-party service providers in the areas of privacy protection and data security;
8. Provide sufficient user control, including preferences for receiving various messages, deletion of user records, etc; and
9. Provide an option for using personal data in direct marketing: Obtain users’ consents. Should avoid configuring the default setting as “agreed”. Bundled consents from users should also be avoided.

The PCPD also provides the following tips to users of online travel platforms:

• Read the privacy policy;
• Adjust privacy settings;
• Pay attention to direct marketing settings and make corresponding choices based on personal needs;
• Provide the minimum amount of personal data;
• Beware of the use of AI, understand whether the platform uses AI to process personal data for automated decision making or other purposes, and understand the options available to the users in this regard; and
• Delete accounts that are no longer in use to reduce the risk of data leakage.
  

In addition, the PCPD noted that recently there are scammers impersonating operators of online travel platforms and creating bogus pages on social media platforms to perpetrate frauds. The PCPD urges members of the public to verify the authenticity of websites and social media pages before purchasing travel products online. They should stay vigilant about the merchants’ payment names and bank account numbers, and should only purchase travel products through official channels to avoid being cheated.

If members of the public suspect that their personal data has been swindled out of them, they may make enquiries or lodge complaints with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk).

Report on “A Study of the Collection of Personal Data by 10 Online Travel Platforms” (Chinese version only) can be downloaded from the website of the PCPD: 
https://www.pcpd.org.hk/english/resources_centre/publications/files/10_online_travel_platforms.pdf  

A 29-year-old Female Arrested for Suspected Doxxing of Another Woman Because of Relationship Entanglements

The PCPD arrested a Chinese female aged 29 in the New Territories on 15 November. The arrested person was suspected to have disclosed the personal data of the data subject without her consent, in contravention of section 64(3A) of the PDPO.
 
The PCPD’s investigation revealed that the victim became acquainted with a man (the Man) and started an intimate relationship with him in 2021. In 2022, a female contacted the victim through a social media platform. She told the victim that the Man was her fiancé. The victim broke up with the Man after knowing that he was in a relationship with the arrested person.  Since March 2023, the victim has repeatedly received phone calls and messages from various service providers, as a result of which she learned that her personal data was disclosed to different service providers without her consent for making enquiries or registrations under her name for services relating to matchmaking, wedding gown, wedding banquet, financial planning, courses and emigration, etc. The personal data disclosed included the victim’s Chinese name, English name, email address, and mobile phone number, etc.

The PCPD reminds members of the public that they should not, owing to relationship disputes, harass others by disclosing their personal data. Such disclosure may constitute doxxing behaviour and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

Relevant Provisions under the PDPO

Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject—

1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.

Pursuant to section 64(3C) of the PDPO, a person commits an offence if—

1. The person discloses any personal data of a data subject without the relevant consent of the data subject—
   i.  With an intent to cause any specified harm to the data subject or any family member of the data
       subject; or
   ii. Being reckless as to whether any specified harm would be, or would likely be, caused to the     
      data subject or any family member of the data subject; and
2. The disclosure causes any specified harm to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.

According to section 64(6) of the PDPO, specified harm in relation to a person means—

1. Harassment, molestation, pestering, threat or intimidation to the person;
2. Bodily harm or psychological harm to the person;
3. Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
4. Damage to the property of the person.

The PCPD Welcomes the Government’s Initiative to Extend the Facilitation Measures of the Standard Contract for Cross-boundary Flow of Personal Information Within the GBA to All Sectors

According to the Chief Executive’s Policy Address 2024, the facilitation measures of the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (GBA SC), piloted in the banking, credit referencing and healthcare sectors, would be extended to all sectors in Hong Kong.
 
As announced by the Digital Policy Office on 1 November, the facilitation measures of the GBA SC are extended to all sectors in Hong Kong with effect from 1 November.

 
The PCPD warmly welcomes the Government’s initiative. This will be beneficial to citizens as well as different businesses and organisations, and further promote the cross-boundary flow of personal information within the GBA, thereby building a “Digital GBA”. The PCPD is extremely grateful to the staunch support of the Cyberspace Administration of China (CAC) and the Cyberspace Administration of Guangdong Province in facilitating the cross-boundary flow of personal information within the GBA.

 
The GBA SC was formulated by the CAC, the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region and the PCPD, with a view to providing a mechanism that is compliant with the relevant requirements and facilitates the cross-boundary flow of personal information within the GBA.

 
To further understand the applicability of the GBA SC and the relevant contractual clauses, organisations may make reference to the “Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” issued by the PCPD in December 2023.

Please click here to download the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong).
 
Please click here to download the “Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”.

MAINLAND CORNER

Highlights of the “Draft Measures for Labelling Content Generated by Artificial Intelligence”

《人工智能生成合成內容標識辦法（徵求意見稿）》的重點

While existing regulations in Mainland China such as the “Regulations on the Management of Algorithm Recommendations for Internet Information Services”, the “Provisions on the Administration of Deep Synthesis of Internet-based Information Services” and the “Interim Measures for the Management of Generative Artificial Intelligence Services” require the labelling of AI-generated content (AIGC), the specific labelling requirements have not yet been provided. To standardise the labelling of AIGC, the Cyberspace Administration of China released the “Draft Measures for Labelling Content Generated by Artificial Intelligence” (Draft Measures) for consultation on 14 September 2024. The public consultation period ended on 14 October 2024. This article provides an overview of the Draft Measures.

內地現有的法規，包括《互聯網信息服務算法推薦管理規定》¹、《互聯網信息服務深度合成管理規定》（《深度合成管理規定》）²以及《生成式人工智能服務管理暫行辦法》³等均有要求對生成式人工智能技術生成的內容進行標識，但並未就標識的細節提供具體要求⁴。為規範人工智能生成內容標識，國家互聯網信息辦公室（國家網信辦）在2024年9月14日發布《人工智能生成合成內容標識辦法（徵求意見稿）》（《標識辦法》）⁵。《標識辦法》的意見反饋時間已於2024年10月14日截止，重點摘錄如下：

規管對象

《標識辦法》主要規管對象是提供互聯網算法推薦服務、深度合成服務或生成式人工智能服務的網絡信息服務提供者⁶（下稱「服務提供者」）。《標識辦法》除了規管服務提供者，亦針對網絡信息內容傳播平台服務的服務提供者⁷及其用戶⁸，以及互聯網應用程序分發平台⁹作出了規定。

標識的種類

人工智能生成合成內容是指利用人工智能技術製作、生成、合成的文本、圖片、音頻、視頻等信息，而人工智能生成合成內容標識則包括顯式標識和隱式標識¹⁰：

• 顯式標識：在生成合成內容或者交互場景界面中添加的，以文字、聲音、圖形等方式呈現並可被用戶明顯感知到的標識。
• 隱式標識：採取技術措施在生成合成內容文件數據中添加的，不易被用戶明顯感知到的標識。

各類服務提供者及用戶的義務

《標識辦法》針對不同的服務提供者以及用戶的要求概括如下：

1. 人工智能生成合成服務提供者

顯式標識

• 若提供深度合成服務¹¹，需要在文本／音頻／視頻／場景的（如適用）起始、末尾、中間或圖片的適當位置添加文字提示或通用符號提示等標識，或在交互場景界面或文字周邊添加顯著的提示標識¹²。
• 若生成合成內容可供下載、複製、導出，服務提供者應當確保文件中含有滿足要求的顯式標識¹³。
• 可通過用戶協議明確用戶的標識義務和使用責任後，提供沒有添加顯式標識的生成合成內容，但要留存相關日誌不少於六個月¹⁴。

隱式標識

• 按照《深度合成管理規定》第十六條的規定，服務提供者須在生成合成內容的文件元數據中添加隱式標識，隱式標識包含生成合成內容屬性信息、服務提供者名稱或編碼、內容編號等製作要素信息¹⁵。

2. 提供網絡信息內容傳播平台服務的服務提供者以及其用戶

此類服務提供者須規範生成合成內容傳播活動，包括¹⁶：

• 檢驗文件元數據中是否含有隱式標識，如有，應在發布內容周邊添加顯著的提示標識以提醒用戶。
• 在生成內容的元數據中添加生成合成內容屬性信息、傳播平台名稱或編碼、內容編號等傳播要素信息。
• 提醒用戶主動聲明發布內容中是否包含生成合成內容。

用戶的責任︰

• 上傳生成合成內容時，應當主動聲明並使用平台提供的標識功能進行標識¹⁷。
  

3. 互聯網應用程序分發平台

• 在應用程序上架或上線審核時，核驗服務提供者是否按要求提供生成合成內容標識功能¹⁸。

內容標識的國家標準

《標識辦法》第十一條指出，服務提供者須按照有關強制性國家標準的要求進行標識。故此，國家網信辦等部門在2024年9月14日同時發布了《網絡安全技術 人工智能生成合成內容標識方法（徵求意見稿）》（《標識標準》）¹⁹，作為《標識辦法》的配套國家標準²⁰。《標識標準》規範了生成合成服務提供者和內容傳播服務提供者對人工智能生成合成內容開展的標識活動，為顯式標識和隱式標識的形式、內容及位置等提供更具體的規定。

違反《標識辦法》的法律責任

《標識辦法》指出，任何組織和個人不得惡意刪除、篡改、僞造、隱匿該辦法規定的生成合成內容標識，不得為他人實施上述惡意行為提供工具或服務，不得通過不正當標識手段損害他人合法權益²¹。若違反《標識辦法》的規定，未對生成合成內容進行標識造成嚴重後果的，將由網信等有關主管部門按照有關法律、行政法規、部門規章的規定予以處罰²²。

總結

《標識辦法》的發布標誌著中國邁出了完善人工智能治理制度的重要一步。《標識辦法》釐清了標識人工智能生成合成內容的方式，同時清晰界定了各持份者的責任和義務，有助管理、識別合成內容，促進人工智能安全、健康發展。

¹ 全文： https://www.gov.cn/zhengce/zhengceku/2022-01/04/content_5666429.htm

² 全文： https://www.gov.cn/zhengce/zhengceku/2022-12/12/content_5731431.htm

³ 全文： https://www.cac.gov.cn/2023-07/13/c_1690898327029107.htm

⁴ 見《互聯網信息服務算法推薦管理規定》第九條；《深度合成管理規定》第十六至第十八條；《生成式人工智能服務管理暫行辦法》第十二條。

⁵ 全文： https://www.cac.gov.cn/2024-09/14/c_1728000676244628.htm

⁶ 《標識辦法》第二條。然而，行業組織、企業、教育和科研機構、公共文化機構、有關專業機構等研發、應用人工智能生成合成技術，未向境內公眾提供服務的，則不適用《標識辦法》的規定。

⁷ 《標識辦法》第六條。

⁸ 《標識辦法》第十條。

⁹ 《標識辦法》第七條。

¹⁰ 《標識辦法》第三條。

¹¹ 該深度合成服務須符合《深度合成管理規定》第十七條第一款的情形，包括智能寫作、合成人聲、人臉生成、視頻生成及生成沉浸式擬真場景等等。

¹² 《標識辦法》第四條。

¹³ 同上。

¹⁴ 《標識辦法》第九條。

¹⁵ 《標識辦法》第五條。

¹⁶ 《標識辦法》第六條。

¹⁷ 《標識辦法》第十條。

¹⁸ 《標識辦法》第七條。

¹⁹ 全文： https://www.tc260.org.cn/upload/2024-09-14/1726290836419027596.pdf

²⁰ 《標識標準》的意見反饋時間已於2024年11月13日截止。

²¹《標識辦法》第十條。

²² 《標識辦法》第十三條。

RECOMMENDED TRAININGS

Practical Workshop on Data Protection Law

With the growing public awareness of and expectations for the protection of personal data privacy, it has become a norm for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence. 

This workshop will examine the practical application of the PDPO at work by the sharing of real-life cases and providing practical advice. This workshop is particularly suitable for barristers, solicitors, in-house legal counsels, data protection officers and compliance officers.

Date: 4 December 2024 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Online

Fee: $950/$760*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers, compliance officers

Professional Workshop on Data Protection in Insurance

Insurance practitioners handle a large amount of customers’ personal data, including customers' names, telephone numbers, addresses, identity card numbers, etc. in their daily operation. Therefore, a proper understanding of the requirements under the PDPO is necessary. 

This workshop will examine core concepts of practical data protection compliance illustrated by specific scenarios to highlight potential problems and their resolution. Participants will also engage in discussion of real cases relating to the handling of personal data in different aspects of insurance work.

Date: 8 January 2025 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Face-to-face

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Insurance practitioners, data protection officers, compliance officers, solicitors, advisers and other personnel undertaking work relating to the insurance industry

Professional Workshop on Personal Data Privacy Management Programme

With the ever-rising expectations of customers and stakeholders regarding organisations’ responsible use of personal data in recent years, the protection of personal data privacy should no longer be seen as purely a compliance issue. To build trust with customers and enhance their competitive and reputational advantages, organisations should develop and implement a comprehensive Personal Data Privacy Management Programme (PMP) to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations. 

By attending this workshop, participants will understand the key components of a PMP, and learn how to continuously maintain and improve it for effective implementation in their organisations. 

Date: 15 January 2025 (Wednesday)

Time: 2:15pm – 4:15pm

Mode: Online

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices.

New Series of Professional Workshops on Data Protection from Feb to Mar 2025:

Online Free Seminar – Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below: 

Seminar Outline:

• A general introduction to the PDPO;
• The six Data Protection Principles;
• Offences and compensation;
• Direct marketing; and
• Q&A session. 

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.

The seminar outline is as follows:

• A general introduction to the PDPO;
• The six Data Protection Principles (industry-related cases will be illustrated);
• Data security management;
• Handling of data breach incidents;
• Direct marketing;
• Offences and compensation; and
• Q&A session.

Duration: 1.5 hours

APPLICATION / RENEWAL OF DPOC MEMBERSHIP

Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!

Special Offer for Organisational Renewals:

Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).

Join us now to keep up-to-date with the latest news and legal developments!

SUGGESTION BOX

The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.

Contact Us

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.