PCPD e-NEWSLETTER
ISSUE Jan 2025
May the Year of the Snake bring you excellent health, great prosperity and continuous success!
Privacy Commissioner’s Office Reports on its Work in 2024 and Publishes Investigation Findings on the Data Breach Incident of Oxfam Hong Kong
Privacy Commissioner Ms Ada CHUNG Lai-ling elaborated on the PCPD’s work in 2024.
On 23 January, the PCPD reported on its work in 2024 and published the investigation findings of the data breach incident of Oxfam Hong Kong (Oxfam).
1. Complaint Cases
In 2024, the PCPD received 3,431 complaints, which represented a slight decrease of 4% when compared to 3,582 cases in 2023. Of these complaint cases, nearly 90% involved complaints against private organisations or individuals (3,101 cases), while the remaining 10% were against public organisations or government departments (330 cases).
2. Enquiries
The PCPD received a total of 18,125 public enquiries in 2024. The figure increased by 14% when compared to 15,914 cases in 2023. The PCPD received 1,500 public enquiries on average per month. Among the public enquiries received in 2024, 27% related to the collection and use of personal data (e.g. Hong Kong Identity Card (HKID card) numbers and/or copies). The other main types of enquiries were about the complaint handling policy of the PCPD (11%), the handling of personal data in employment cases (6%), access to and correction of personal data (6%) and the installation and use of CCTV (5%), etc.
In 2024, the PCPD received 1,158 enquiries relating to suspected personal data frauds, which represented an increase of 46% when compared to 793 similar enquiries in 2023.
3. Data Breach Incidents
The PCPD received 203 data breach notifications in 2024, with 67 from the public sector and 136 from the private sector. The figure represented an increase of nearly 30% as compared to 157 data breach notifications in 2023. In 2024, 67 data breach notifications were received from schools and non-profit-making organisations (constituting 33% of all data breach incidents).
The data breach incidents involved hacking, loss of documents or portable devices, inadvertent disclosure of personal data by email, post or fax, employee misconduct and system misconfiguration, etc. In 2024, there were 61 data breach incidents that involved hacking (constituting 30% of all data breach incidents). The figure was similar to that of 64 cases in 2023 (constituting 41% of all data breach incidents).
The PCPD initiated 400 compliance checks in 2024, which was comparable to the 393 compliance checks in 2023.
4. Anti-Doxxing Regime
The provisions criminalising doxxing acts under the Personal Data (Privacy) Ordinance (PDPO) came into effect on 8 October 2021. The amendments empower the Privacy Commissioner to carry out criminal investigations, institute prosecutions for doxxing-related offences and issue cessation notices to request the cessation of disclosure of doxxing messages.
Enforcement Actions in 2024
In 2024, the PCPD handled a total of 442 doxxing cases (including doxxing-related complaints received and doxxing cases uncovered by the PCPD’s proactive online patrols). The figure dropped significantly, by 42%, when compared to 756 cases in 2023. Among the aforesaid 442 doxxing cases, 335 were doxxing complaints received by the PCPD. The nature of the disputes leading to the doxxing acts was mainly monetary disputes (46%), as well as family and relationship disputes (25%).
In the same period, the PCPD issued a total of 194 cessation notices to 20 online platforms to request the removal of 5,302 doxxing messages, with a compliance rate of over 96%. Other than individual doxxing messages, 58 doxxing channels were also successfully removed by the cessation notices.
The PCPD initiated 118 criminal investigations in 2024, and 40 cases were referred to the Police for further follow-up actions. As regards arrest operations, the PCPD arrested a total of 20 suspects. The means used by the suspected doxxers to dox the victims were mainly social media platforms and instant messaging apps (60%), and posters (20%).
Summary of Enforcement Actions under the New Anti-doxxing Regime
From the effective date (8 October 2021) of the relevant provisions to 31 December 2024, the PCPD handled a total of 3,326 doxxing cases. The PCPD also issued a total of 2,072 cessation notices to 53 online platforms to request the removal of 33,687 doxxing messages, with a compliance rate of over 96%. Other than individual doxxing messages, 250 doxxing channels were successfully removed by the cessation notices. The PCPD’s ongoing enforcement actions have greatly ameliorated the doxxing problem. In 2024, the number of doxxing cases uncovered by the PCPD’s proactive online patrols was 87, representing a significant drop of over 90% when compared to 1,134 cases in 2022 (i.e. the first year after the commencement of the anti-doxxing provisions). 355 doxxing-related complaints were received by the PCPD in 2024, which represented a drop of over 40% (44%) when compared to the 630 complaints received in 2022.
From the effective date (8 October 2021) of the relevant provisions to 31 December 2024, the PCPD initiated 372 criminal investigations, and 103 cases were referred to the Police for further follow-up actions. As regards arrest operations, the PCPD arrested a total of 63 suspects in the same period (including three arrests made as joint operations with the Police). During the period, 41 prosecutions were made in respect of doxxing cases and there were 32 convictions.
The PCPD’s work on combatting doxxing acts has not affected the freedom of speech of members of the public, nor has it affected the lawful operation of online platforms in Hong Kong. The PCPD will continue to take resolute enforcement actions against doxxing acts to ensure that the personal data privacy of the public is adequately protected.
5. The Investigation Findings on the Data Breach Incident of Oxfam
The investigation arose from a data breach notification submitted by Oxfam to the PCPD on 13 July 2024, reporting that Oxfam had suffered from a ransomware attack which affected the information systems of Oxfam (the Incident).
The investigation revealed that the threat actor conducted a brute-force attack and exploited critical vulnerabilities in the firewalls of Oxfam (the Firewalls) to execute remote code and commands. The threat actor then obtained access to the Secure Sockets Layer Virtual Private Network (SSL VPN) command console and subsequently gained control of an IT tester account. After establishing a direct connection from the external network to Oxfam’s information systems via the SSL VPN, the threat actor identified vulnerable servers within Oxfam’s network and gained administrator privileges in Oxfam’s Active Directory. They then performed lateral movement and intruded into Oxfam’s servers, workstations and notebook computers.
On 10 July 2024, the threat actor deployed “DarkHack” ransomware in Oxfam’s information systems, resulting in file encryption and data exfiltration. A total of 37 servers and 24 workstations or notebook computers belonging to Oxfam were compromised in the Incident, which included (i) the file server system; (ii) the donor database and its staging server for data migration; (iii) the Oxfam Trailwalker website database; (iv) human resources systems; and (v) the Active Directory server.
The investigation revealed that over 330 GB of data was exfiltrated from the information systems of Oxfam, which potentially affected around 550,000 data subjects, including donors, event participants, volunteers, programme partners, programme participants, programme consultants, former and existing staff members, job applicants and governance members. The personal data affected included names, spouses’ names, HKID card numbers/copies, passport numbers/copies, dates of birth, phone numbers, email addresses, addresses, credit card numbers, and bank account numbers (See Annex 1 for details).
Oxfam has notified the affected individuals of the Incident and implemented various organisational and technical improvement measures after the Incident to enhance overall system security for the better protection of personal data privacy, such as implementing the recommendations on information security measures made by external consultants. Oxfam is also committed to updating its IT policies to establish a comprehensive vulnerability management programme, including regular vulnerability scanning and penetration tests.
The PCPD thanked Oxfam for its cooperation and the provision of the information and documents requested in the investigation. Having considered the circumstances of the Incident and the information obtained during the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the following deficiencies of Oxfam contributed to the occurrence of the Incident (See Annex 2 for details):
- Outdated Firewalls which contained critical vulnerabilities;
- Failure to enable multi-factor authentication;
- Lack of critical security patches of servers;
- Ineffective detection measures in the information systems;
- Inadequacies of the security assessments of information systems;
- Lack of specificity of its information security policy; and
- Prolonged retention of personal data.
Privacy Commissioner Ms Ada CHUNG Lai-ling considered that Oxfam is a well-established organisation that consistently holds and processes a significant amount of personal data pertaining to different individuals. Consequently, stakeholders and the public have a reasonable expectation that Oxfam will allocate adequate resources to protect its information systems and uphold proper data security standards. However, the investigation found that Oxfam did not implement sufficient and effective measures to safeguard its information systems prior to the Incident. Oxfam had also failed to establish an effective mechanism for the timely deletion of some personal data that were retained longer than was necessary. These deficiencies contributed to the occurrence of the Incident and the situation was regrettable.
Based on the above, the Privacy Commissioner considered that Oxfam had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the PDPO concerning the security of personal data.
In addition, the Privacy Commissioner found that Oxfam had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening DPP 2(2) concerning the retention of personal data.
The Privacy Commissioner has served an Enforcement Notice on Oxfam, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in future.
Please click here to refer to Annex 1 (the Categories of Data Subjects and the Types of Personal Data Affected in the Data Breach Incident of Oxfam) and Annex 2 (Deficiencies that Contributed to the Occurrence of the Data Breach Incident of Oxfam Hong Kong).
Privacy Commissioner’s Office Launches “Privacy-Friendly Awards 2025”
The PCPD is pleased to announce the launch of “Privacy-Friendly Awards 2025” (Awards). Enterprises, public and private organisations as well as government departments are invited to apply for the Awards. The Awards this year, with the theme of “Safeguarding Data Security: Marching towards a New Digital Era”, aim to recognise the commitment and efforts of organisations in the protection of personal data privacy, while encouraging them to implement good data governance and enhancing their awareness of protecting personal data privacy and data security.
Five specified “Privacy Protection Measures” are required to win the Awards. Participating organisations that have implemented the designated “Privacy Protection Measures” will be eligible for a Privacy-Friendly Award from the four tiers of Outstanding Gold, Gold, Silver and Bronze Awards. In addition, three new special awards, namely the “Best AI Governance Award”, “Best Data Protection Officer Award” and “Best Data Breach Response Plan Award”, are introduced to commend organisations for their outstanding performance in various aspects of the protection of personal data privacy.
In addition to receiving trophies and certificates, awardees may also display the award logo on their official websites, online platforms and promotional materials, as well as enjoy a one-year free membership of the PCPD Data Protection Officers’ Club, and receive a specified number of complimentary passes to attend the professional workshops organised by the PCPD. Outstanding performers will also be invited to participate in publicity activities to showcase their achievements in the protection of personal data privacy.
Interested organisations should complete and submit the online application form and provide relevant supporting documents on the Awards website www.pcpd.org.hk/privacyfriendlyawards.html on or before 7 March 2025. The results of the Awards and details of the Awards Presentation Ceremony will be announced later.
Please click here to watch the promotional video.
- Balancing Act: Navigating Personal Data Privacy and Security in the Use of CCTV
- PRIVACY COMMISSIONER’S FINDINGS – Unfair Audio-recording of Conversations with a Subordinate by a Supervisor
- Responsible Drone Use: Embracing Advantages with a Mindful Approach to Privacy
- Fraud Enquiries Soar by Over 40%; the PCPD Offers Six Tips to Prevent Fraud
- The PCPD Publishes Investigation Findings on the Data Breach Incident of the Urban Renewal Authority and a Guidance on Cloud Computing
- Free Online Seminar: Introduction to the PDPO
- Arrange an In-house Seminar for Your Organisation
- APPLICATION / RENEWAL OF DPOC MEMBERSHIP
- The PCPD Supports the Sports Law Mega Event 2025
- Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the PCPD’s work in 2024
- Reaching Out to the Media – Privacy Commissioner Attends the 9th Media Convergence Awards Ceremony
- Privacy Commissioner Attends the 6th Anniversary Event of the Hong Kong News-Expo
- Privacy Commissioner Attends the Liaison Office’s Spring Reception
- Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Remind the Public to Beware of Scams
- Promoting the Development of Digital Economy – Privacy Commissioner Attends the “Summit on Promoting the Development of New Quality Productive Forces in the Digital Economy”
- Promoting Cross-Boundary Flows of Personal Information – Privacy Commissioner Speaks at the “Guangdong-Hong Kong-Macao Greater Bay Area Legal and Policy Forum 2025”
- Reaching Out to the Religious Sector – Privacy Commissioner Speaks at the “2025 Aggiornamento (Study Camp) for the Clergy”
- Highlights of the “Draft Practical Guidance of Cybersecurity Standards – Guidelines for Generative Artificial Intelligence Service Security Emergency Response” (《網絡安全標準實踐指南—生成式人工智能服務安全應急響應指南(徵求意見稿)》的重點)
- International: UK and US Artificial Intelligence Safety Institutes (AISIs) Publish Pre-deployment Evaluation of OpenAI's o1 Model
- The European Data Protection Board (EDPB) Releases Opinion on Personal Data Use in AI Model Development
- EU: The Court of Justice of the European Union (CJEU) Orders the Commission to Pay €400 for Unlawful Transfer of Personal Data
- The Future of Global Data Flows in an Uncertain World

Interested schools, NGOs and SMEs are welcome to obtain further information by emailing training@pcpd.org.hk. Registration closes on 28 February 2025.
Balancing Act: Navigating Personal Data Privacy and Security in the Use of CCTV
Closed-Circuit Television (CCTV) is commonly used to monitor public places or communal areas of buildings for security purposes, as well as to oversee employees’ work activities and behaviours. The potential installation of on-board surveillance cameras in taxis, which aims at enhancing service quality and resolving disputes between drivers and passengers, has reignited discussions about the responsible use of CCTV.
Since CCTV may capture extensive images or information relating to individuals, its use should be properly controlled to avoid intrusion into an individual’s privacy. Here is a closer look at how the appropriate use of CCTV can balance privacy concerns and security needs.
Before installing a CCTV system, a data user should take the following steps:
- Decide whether there is a pressing need to install a CCTV system;
- Find out whether there is any less privacy-intrusive alternative other than using a CCTV system;
- Establish the specific purpose of the use of the CCTV system;
- Find out the concerns of the people being affected and address them;
- Decide whether it is necessary to carry out CCTV surveillance covertly; and
- Determine the scope or extent of the surveillance.
When installing a CCTV system, a data user should ensure that:
- The cameras are not installed in places where people are expected to enjoy privacy;
- The people affected are explicitly informed that they are under CCTV surveillance, the purpose of surveillance and the means to raise an enquiry;
- The personal data collected by the CCTV system is deleted as soon as practicable when the purpose of the surveillance is completed; and
- The effectiveness of the safeguards and procedures for the CCTV system is regularly reviewed.
To learn more about the responsible use of CCTV, please refer to Guidance on CCTV Surveillance and Use of Drones.
PRIVACY COMMISSIONER’S FINDINGS
Unfair Audio-recording of Conversations with a Subordinate by a Supervisor
The Complaint
The Complainant was an employee of a public organisation. His supervisor met with him twice to discuss his work performance. After the meetings, the Complainant learned that the meetings were audio-recorded and was dissatisfied with his supervisor's covert actions. He thus lodged a complaint to the PCPD.
Outcome
The Complainant’s work performance was the subject of discussion at the meetings. The audio recordings of the meetings therefore constituted the Complainant’s personal data. The PCPD considered that the act of audio-recording the meetings was not unlawful. However, the supervisor failed to inform the Complainant of the audio-recording arrangement prior to the meetings. This amounted to unfair collection of the Complainant’s personal data and was in breach of DPP 1(2). In addition, the supervisor also failed to inform the Complainant of the purpose of collection of his personal data on or before he started to audio-record the meetings, hence violating DPP 1(3).
In response to the PCPD’s advice and to prevent the recurrence of similar incidents, the organisation established written guidelines, instructing all staff collecting personal data by means of audio-recording to make it clear to those present at the time of recording that recording would be made. It also reminded the supervisor that he must follow the said guidelines in future and included this incident in its employee training materials.
Regarding the incident, the PCPD issued a warning to the organisation, requesting it to review the relevant measures regularly and to closely monitor its employees’ compliance with the said guidelines.
Lessons Learnt
Surreptitiously recording a conversation without the knowledge of the data subject may be considered by the data subject as unwelcome or even intrusive to personal data privacy. Although the PDPO does not require a data user to obtain the data subject’s consent before collecting his personal data, the data user must collect personal data in a fair and lawful manner. To avoid disputes, before audio-recording, the recording party should inform the data subject that the subsequent conversation will be recorded and the purpose of the recording.
Responsible Drone Use: Embracing Advantages with a Mindful Approach to Privacy
Dubbed “unblinking eyes in the sky”, drones can be used in various ways that bring about significant social and economic benefits such as land surveying, predicting weather patterns, fighting fires as well as search and rescue operations. With reduced costs and enhanced capabilities, they are increasingly used in commercial operations and for hobby or recreational purposes.
However, drones equipped with cameras could add a new dimension to privacy concerns by virtue of their unique attributes. These include their mobility, the ability to remain airborne for a considerable period of time, and their capacity to gather information from vantage points and over a broad territory.
Drone users, therefore, should be mindful of the need to respect others’ personal data privacy in addition to adhering to relevant or necessary regulations. Here are some tips for responsible drone use:
- Drones should be launched from a location as close as possible to the area they need to cover;
- If recording is intended, the recording criteria (what, where and when to record) should be pre-defined to avoid over-collection of information, some of which may be related to individuals;
- If images are transmitted through wireless means, encryption should be considered to avoid the adverse consequences of interception by unrelated parties; and
- If the drone has a recording function, access control should be considered to prevent the recordings from falling into the wrong hands in the event the drone is accidentally lost.
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the PCPD’s work in 2024
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000”, RTHK News’ “Hong Kong Today”, RTHK Radio 3’s “Hong Kong Today” and Now News’ “News Magazine” on 23 and 24 January, to explain the PCPD’s work in 2024 and the investigation findings on the data breach incident of Oxfam Hong Kong (Oxfam).
The PCPD received 203 data breach notifications in 2024, representing an increase of nearly 30% year-on-year. The Privacy Commissioner pointed out that there had been a rising trend of data breaches and hacking incidents worldwide in the digital age. To help enterprises strengthen their information security protective measures, the PCPD has already launched various publicity and educational activities, including the launch of the “Data Security” Package last year.
Separately, in 2024, the number of doxxing cases uncovered by the PCPD’s proactive online patrols was 87 and the number of doxxing-related complaints received was 355. The figures represented a significant drop of over 90% and 40% respectively when compared to those of 2022. This reflects the effectiveness of the PCPD’s work on combating doxxing acts.
Regarding the data breach incident of Oxfam (the Incident), the investigation revealed that several deficiencies of Oxfam contributed to the occurrence of the Incident, including outdated firewalls which contained critical vulnerabilities, ineffective detection measures of the information systems, prolonged retention of personal data, etc. The PCPD has served an Enforcement Notice on Oxfam, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in future.
The interview by RTHK News’ “Hong Kong Today” can be listened to here (54:31 – 59:38) (Chinese only). The interview by RTHK Radio 3’s “Hong Kong Today” can be listened to here (14:26 – 18:46). The interview by Now News’ “News Magazine” can be listened to here (part 1, part 2) (Chinese only).
Reaching Out to the Media – Privacy Commissioner Attends the 9th Media Convergence Awards Ceremony
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 9th Media Convergence Awards Ceremony cum the Annual Dinner of the Hong Kong Association of Interactive Marketing (HKAIM) and presented prizes to the winning media organisations on 23 January.
Organised by the HKAIM, the Media Convergence Awards aim to recognise local media organisations for their outstanding performance in utilising technology to transform and disseminate news and information in innovative ways.
Privacy Commissioner Attends the 6th Anniversary Event of the Hong Kong News-Expo
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 6th Anniversary Event of the Hong Kong News-Expo (HKNE) on 18 January. The Privacy Commissioner congratulated the HKNE and interacted with members of the media sector at the event. The HKNE showcases the history and development of Hong Kong’s news media and fosters public recognition of the professionalism of the news media.
Privacy Commissioner Attends the Liaison Office’s Spring Reception
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 2025 Spring Reception hosted by the Liaison Office of the Central People’s Government in the Hong Kong Special Administrative Region (Liaison Office) on 17 January. The Privacy Commissioner interacted with members of the offices of the Central People’s Government in Hong Kong, the HKSAR Government, the Legislative Council and different sectors of the community.
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Remind the Public to Beware of Scams
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” on 17 January to elaborate on the enquiries relating to suspected personal data frauds received by the PCPD. The Privacy Commissioner reminded members of the public to beware of scams.
During the interview, the Privacy Commissioner said that the PCPD received 1,158 enquiries relating to suspected personal data frauds in 2024, which represented an increase of 46% when compared to 793 similar enquiries in 2023. This reflects that with the proactive publicity efforts by the PCPD and other organisations, the public awareness of fraud prevention has increased. Most of the enquiries received by the PCPD were related to telephone scams, in which fraudsters pretended to be law enforcement agencies, finance companies or customer service agents and swindled the victims out of personal data and/or money.
The Privacy Commissioner also noted that there were fraudulent recruitment advertisements on social media platforms advertising lucrative positions with high salaries to lure members of the public to apply. She reminded the public to be cautious of such recruitment advertisements and not to provide their personal data arbitrarily, so as to avoid falling into the trap of fraudsters and being deceived into carrying out fraudulent work outside Hong Kong.
Promoting the Development of Digital Economy – Privacy Commissioner Attends the “Summit on Promoting the Development of New Quality Productive Forces in the Digital Economy”
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “Summit on Promoting the Flows of Data Elements and the Development of New Quality Productive Forces in the Digital Economy” organised by the Greater Bay Area International Information Technology Industry Association on 16 January, and exchanged views with stakeholders from various sectors on issues relating to digital economy and data governance. With the theme of data-driven innovation and development of the digital economy, the Summit explored the effective utilisation of new quality productive forces in different industries.
Promoting Cross-Boundary Flows of Personal Information – Privacy Commissioner Speaks at the “Guangdong-Hong Kong-Macao Greater Bay Area Legal and Policy Forum 2025”
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “Guangdong-Hong Kong-Macao Greater Bay Area Legal and Policy Forum 2025” organised by the School of Law, Centre for Public Affairs and Law and Public Law and Human Rights Forum of the City University of Hong Kong on 10 January. The theme of the Forum was “Law, Regulation, and Governance”. The Privacy Commissioner gave a presentation on the terms of the Standard Contract for Cross-boundary Flow of Personal Information Within the Greater Bay Area and explained the scope of application of the Standard Contract. The Privacy Commissioner also outlined the relevant requirements under the PDPO to attendees who came from the academic and legal sectors.
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
Reaching Out to the Religious Sector – Privacy Commissioner Speaks at the “2025 Aggiornamento (Study Camp) for the Clergy”
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “2025 Aggiornamento (Study Camp) for the Clergy” organised by the Catholic Diocese of Hong Kong on 8 January and delivered a thematic speech on “Tips to Collect and Handle Personal Data” to around 150 members of the clergy.
During the event, the Privacy Commissioner elaborated on how to collect and handle personal data in compliance with the requirements of the PDPO and highlighted the importance of data security and AI security, while providing specific examples and practical advice to the participants. Manager (Corporate Communications) of the PCPD Ms Ruby LAM also shared with the participants some practical tips on how to protect personal data online.
Please click here for the presentation deck (Chinese only).
Fraud Enquiries Soar by Over 40%; the PCPD Offers Six Tips to Prevent Fraud
The PCPD received 1,158 enquiries relating to suspected personal data frauds in 2024, which represented an increase of 46% when compared to 793 similar enquiries in 2023. The PCPD also noted the emergence of various types of scams, all aimed at swindling citizens out of money and/or personal data. These include:
1. Fraudulent Recruitment Advertisements Scams
- Fraudsters would take advantage of the victims’ desire to pursue work opportunities abroad or earn quick money by using fraudulent online recruitment advertisements to lure them into providing their personal data for engaging in unlawful activities. Some of them had even been lured to cities in Southeast Asia, where they were detained and forced to carry out fraudulent work.
2. Scams Using Instant Messaging Applications (Apps)
- Recently, scams involving the hijacking of accounts on instant messaging apps reappeared. The scammers hijacked the victims’ accounts and impersonated them to send messages to the contacts contained in their address books, aiming to swindle the victims out of money and/or personal data.
3. Scams by Counterfeit Customer Service Agents/Online Auction Platforms
- Fraudsters impersonated customer service agents of e-wallets or banks and fraudulently claimed that the victims’ insurance policies had expired and that monthly premiums needed to be paid. When the victims indicated that they did not have the relevant insurance policies, fraudsters would pretend to help them cancel the policy to avoid the deduction of premiums, and then enticed them to provide information on their bank accounts, the amount of money deposited, and their personal data. Finally, they would ask the victims to transfer all of their money to a designated account for “account unlocking”.
- Fraudsters first posed as buyers on online auction platforms and claimed to have paid through the payment function of the relevant platforms. They then contacted the victims by email, posing as the platform, to solicit their personal data, online bank account names, passwords and one-time passwords, etc. in order to receive the payment, with a view to transferring the victims’ bank deposits.
4. SMS/Email Scams
- Fraudsters sent out phishing SMS, falsely claiming that victims’ reward points were about to expire under membership reward schemes. They induced the victims to click on the embedded hyperlinks, which led them to fraudulent websites to redeem rewards so that the fraudsters could obtain the victims’ credit card information and personal data.
- Fraudsters pretended to be government officials, government departments or public bodies and disseminated fake messages through instant messaging apps or fraudulent emails to deceive people for money and/or personal data.
5. Telephone Scams
- Fraudsters called victims in the form of pre-recorded voice messages (including Putonghua voice messages), falsely claiming that they were staff of courier companies or law enforcement officers from the Mainland and the victims were involved in criminal cases. They then forwarded the calls to other bogus Mainland law enforcement officers, who showed the victims forged wanted warrants. Fraudsters would then ask the victims to provide personal data (e.g. online banking usernames and passwords) or transfer money to designated bank accounts as guarantee money.
6. Scam Videos Using Artificial Intelligence (AI) Deepfake Technology
- Fraudsters manipulated publicly available footage and used the photos or audio recordings of government officials or celebrities to produce videos with AI deepfake technology, to deceive people into investing in fake investment schemes.
- Fraudsters obtained the biometric data of other people, such as their facial images and voices, through social media, video calls or publicly available online footage, created videos using deepfake technology, and impersonated the victims’ friends, relatives or colleagues, or pretended to be interested in developing a relationship with the victims, to swindle money and/or personal data.
7. Scams on Social Media Platforms
- Fraudsters created fake pages on social media platforms pretending to be selling Lunar New Year products, investment or travel agencies and advertised special offers, attracting victims to click on the hyperlinks to make enquiries in order to defraud them of their money and/or personal data.
As the Year of the Dragon draws to a close, Privacy Commissioner Ms Ada CHUNG Lai-ling appeals to members of the public and organisations to be aware of various forms of fraudulent tricks, particularly those involving fraudulent recruitment advertisements and AI deepfake technology, and offers six tips to safeguard personal data privacy:
- Be vigilant: Think twice before providing any personal data, verify the purpose of collection of such data and whether it is mandatory to provide them. Do not disclose personal data to others arbitrarily, avoid clicking or scanning suspicious links and QR codes, and do not log into any suspicious websites;
- Authenticate the identity of callers: Even if the caller makes a video call or can provide your personal data, if you are in doubt about their identity, you should verify the authenticity of the caller or the relevant organisation through other contact methods;
- Keep an eye on your accounts and transaction records: Regularly check online banking for any unusual log-in activities, unauthorised transfers or transactions in your bank accounts or credit cards;
- Password protection: Change the passwords of online banking accounts from time to time and enable two-factor authentication (if available). Never share passwords with anyone;
- Smart use of social media and instant messaging apps: Minimise the sharing of biometric data, such as portrait photos and videos, on social media platforms and instant messaging apps, and review the relevant default security and privacy settings; and
- Fraud prevention information: Pay attention to the fraud prevention information published by the PCPD, the Police or relevant organisations. Share the information with friends and relatives (especially the elderly and the young) to enhance their awareness of fraud prevention.
Anyone who suspects that his/her personal data has been leaked may make enquiries or lodge complaints with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk). If there is any suspicion of fraud on personal data which involves criminal offence(s), they should immediately report the case to the Police. Citizens may also visit “Scameter” (https://cyberdefender.hk/en-us/scameter/) to check suspicious phone numbers, email addresses and websites, etc.
The PCPD Publishes Investigation Findings on the Data Breach Incident of the Urban Renewal Authority and a Guidance on Cloud Computing
On completion of its investigations into the data breach incident of the Urban Renewal Authority, the PCPD published the investigation findings on 9 January. The PCPD also published a “Guidance on Cloud Computing” in parallel.
(1) Data Breach Incident of the Urban Renewal Authority (URA)
The investigation arose from a data breach notification submitted by the URA to the PCPD on 13 May 2024, reporting that the personal data of members of the public stored on a cloud platform by the URA could be accessed by any person without inputting any account or password (the Incident).
Background
The URA used the e-Form platform (the e-Form Platform) associated with the cloud platform ArcGIS Online to create two e-forms for the purposes of the briefing sessions on the property acquisition under the Nga Tsin Wai Road/Carpenter Road Development Scheme. The URA launched the e-forms on 2 May 2024 for owners, tenants and shop operators attending the briefing sessions to fill in information for registration. According to the URA, it had conducted multiple security checks during the creation of the e-forms. Upon receipt of the Police’s notification on 3 May 2024 that some of the data of the e-forms might have been leaked, the URA immediately ceased using the cloud platform ArcGIS Online and deleted the personal data stored therein. The URA subsequently learned that the personal data of the persons who had registered to attend the briefing sessions could be accessed by any person without logging into any account with a password. It therefore submitted a data breach notification to the PCPD on 13 May 2024.
The Incident affected the personal data of 199 owners and tenants who had replied to attend the briefing sessions. The affected personal data included telephone numbers, names of the contact persons and the details of their ownership or their correspondence addresses.
In response to the Incident, the URA conducted a joint investigation with the contractor which provided the e-Form Platform and came to understand that there were different versions of the software of the e-Form Platform. The new version has been available for download since July 2022. In particular, the default values concerning data sharing were different between the old and new versions. Under the default values of the new version, the software would allow the data input to be viewed without logging in only if users changed a number of additional settings. The software used by the URA to create the forms was, however, an old version that it had downloaded and installed earlier. Hence, the aforesaid default values of the new version, which strengthened the protection of users’ data, were not applied to the e-forms in question. On the other hand, the URA confirmed that, as its staff did not have sufficient knowledge and understanding of the relevant versions of the e-Form Platform, when it tested the e-forms the URA did not review the relevant data sharing settings in detail and did not conduct security testing on the relevant functions, leading to the occurrence of the Incident. The URA agreed that if the software it used at the material time had been the latest version of the e-Form Platform, the Incident would not have occurred.
Based on the information provided by the URA, after learning of the Incident, the URA notified the public immediately, endeavoured to ensure that there was no further leakage of the personal data of citizens and minimised the impact on or inconvenience caused to members of the public. The URA also strived to learn from the Incident and implemented a series of organisational and technical improvement measures to establish a more robust privacy security framework and a corporate culture that values the protection of personal data, so as to prevent the recurrence of similar incidents.
Investigation Findings
In the course of the investigation, the PCPD conducted five rounds of enquiries with the URA and approached the contractor twice to obtain relevant information regarding the Incident.
The PCPD thanked the URA and the contractor for their cooperation and the provision of the information and documents requested in the investigation. Having considered the circumstances of the Incident and the information obtained during the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the following deficiencies of the URA were the main contributing factors of the occurrence of the Incident:-
- Failure to update the software in a timely manner to ensure that the software used was the most updated version. The URA had not been taking any action to check whether the software of the e-Form Platform that it used was the most updated version, and had failed to update the software;
- Lack of understanding of the software used to collect personal data, and failure to develop and conduct effective and comprehensive security tests for the use of the software, resulting in the omission of some key functions in the security check of the forms. In the end, the URA could not timely detect that data was open to public access, which eventually led to the occurrence of the Incident.
Based on the above, the Privacy Commissioner found that the URA had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) of the PDPO concerning the security of personal data. The Privacy Commissioner has served a warning letter on the URA, requesting it to take measures to enhance the protection of the personal data held by it in order to prevent recurrence of similar contraventions in future.
(2) “Guidance on Cloud Computing”
In the light of the growing popularity of cloud computing services, the PCPD has in parallel updated the Guidance on Cloud Computing (Guidance) to explain the relevant requirements of the PDPO that are applicable to cloud computing, with a view to assisting organisations that use cloud computing in enhancing the protection of personal data privacy. Taking into account the latest technologies and trends in cloud computing services, the Guidance provides recommended measures on various aspects for organisations to better protect personal data privacy, covering service and deployment models, standard services and contracts, as well as outsourcing arrangements. The key recommended measures are as follows:-
- Service and deployment models:
- Cloud service providers may update their cloud services from time to time to offer new features or configurations. Therefore, organisations should take note of such updates and take corresponding actions, including updating the relevant software and/or adjusting the appropriate configurations;
- Dedicated private clouds generally allow organisations to have more control and privacy than shared public clouds. Organisations intending to use shared public clouds should carefully consider the relevant responsibilities and arrangements in protecting personal data privacy, and take corresponding measures;
- It would be more difficult for organisations that use Software as a Service (SaaS) in their service model to exercise direct control over the personal data for which they are accountable. These organisations need to assess the risks associated with such arrangements and mitigate them according to the actual circumstances;
- Standard services and contracts: If the standard security level or the personal data protection commitment made by a cloud service provider fails to meet the organisation’s requirements, the organisation should request customised services from the provider and negotiate contract terms that meet such requirements. Organisations should also find ways (such as audit reports or declarations) to verify the data protection and security measures adopted by cloud service providers;
- Outsourcing arrangements: If there is a sub-contracting arrangement, organisations should ensure that they obtain contractual assurance from the cloud service provider that the same level of protection and compliance controls are applicable to their sub-contractors;
- Others:
- Logging: Retain the audit trails provided by cloud service providers and review the logs regularly to detect abnormal activities;
- Appropriate user configuration: Organisations should thoroughly understand the functions of the configurations and ensure that their access to cloud services is correctly configured with reference to individual use cases;
- Encryption in transit and at rest: Personal data should be encrypted when stored on the cloud, and organisations may wish to choose cloud service providers that offer encryption at rest in their services;
- Enable Multi-factor Authentication; and
- Erase data: An organisation should ensure that there are provisions in the contract requiring the erasure or return of personal data held by the cloud service provider to the organisation upon the organisation’s request, or upon completion or termination of contract.
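The URA finding above (data left open to public access and not detected in testing) and the Guidance's recommendations on logging and appropriate user configuration both come down to two checks an organisation can script. The following Python example is added here and is not code from the PCPD, the URA or any cloud vendor; the item inventory, sharing levels and audit-log format are constructed for illustration, since each provider exposes sharing state and audit trails in its own format.

```python
"""Pre-launch and periodic checks for cloud items that hold personal data.

Two checks are demonstrated:
  1. Configuration review: any item holding personal data whose sharing
     level is not restricted to the organisation is flagged (unknown
     levels are treated as exposed, i.e. the check fails closed).
  2. Audit-log review: any unauthenticated view/export of such an item
     in the retained audit trail is flagged as abnormal activity.
"""
import json
from dataclasses import dataclass

# Constructed inventory (hypothetical item names and sharing levels).
INVENTORY = [
    {"item": "briefing-registration-form", "sharing": "org", "personal_data": True},
    {"item": "briefing-registration-responses", "sharing": "public", "personal_data": True},
    {"item": "public-notice-map", "sharing": "public", "personal_data": False},
]

# Constructed audit trail, one JSON object per line. An empty "user" means
# the request was served without any login (the failure mode in the Incident).
AUDIT_LOG = """\
{"ts": "2025-01-02T09:00:01Z", "user": "staff01", "action": "view", "item": "briefing-registration-responses"}
{"ts": "2025-01-02T09:05:44Z", "user": "", "action": "view", "item": "briefing-registration-responses"}
{"ts": "2025-01-02T09:06:10Z", "user": "", "action": "export", "item": "briefing-registration-responses"}
{"ts": "2025-01-02T09:07:00Z", "user": "", "action": "view", "item": "public-notice-map"}
{"ts": "2025-01-02T09:08:30Z", "user": "staff02", "action": "view", "item": "briefing-registration-form"}
"""

RESTRICTED_LEVELS = ("private", "org")   # the only sharing levels accepted for personal data
SENSITIVE_ACTIONS = ("view", "export")   # read-type actions that disclose stored data


@dataclass
class Finding:
    item: str
    kind: str      # "misconfiguration" or "anonymous_access"
    detail: str


def check_sharing(inventory):
    """Flag items holding personal data that are shared beyond the organisation."""
    return [
        Finding(i["item"], "misconfiguration", f"sharing={i['sharing']}")
        for i in inventory
        if i["personal_data"] and i["sharing"] not in RESTRICTED_LEVELS
    ]


def review_audit_log(log_text, inventory):
    """Flag unauthenticated reads or exports of items that hold personal data."""
    sensitive = {i["item"] for i in inventory if i["personal_data"]}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        anonymous = not ev.get("user")            # no authenticated principal
        if anonymous and ev["item"] in sensitive and ev["action"] in SENSITIVE_ACTIONS:
            findings.append(Finding(ev["item"], "anonymous_access", f"{ev['ts']} {ev['action']}"))
    return findings


def run_checks(inventory=INVENTORY, log_text=AUDIT_LOG):
    """Run both checks and return the combined list of findings."""
    return check_sharing(inventory) + review_audit_log(log_text, inventory)


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.kind}] {f.item}: {f.detail}")
```

The configuration check is the one to run before a form goes live; the log review is the recurring one, and anonymous reads of an item the inventory says is restricted are the signal that the sharing settings and the platform version should be re-examined.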
Download the new “Guidance on Cloud Computing”:
https://www.pcpd.org.hk/english/resources_centre/publications/files/IL_cloud_e.pdf
Highlights of the “Draft Practical Guidance of Cybersecurity Standards – Guidelines for Generative Artificial Intelligence Service Security Emergency Response”
To implement the requirements of the “Interim Measures of the Management of Generative Artificial Intelligence Services”, and to provide guidance to generative artificial intelligence (GenAI) service providers and other relevant units to prepare for security emergency response, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China released the “Draft Practical Guidance of Cybersecurity Standards – Guidelines for Generative Artificial Intelligence Service Security Emergency Response” (the Draft Guidance) for consultation on 18 December 2024.
The Draft Guidance provides recommendations on the classification and grading of GenAI security incidents, as well as management measures and technicalities for the entire emergency response process. The consultation period ended on 31 December 2024. This article provides an overview of the Draft Guidance.
Classification of Common GenAI Service Security Incidents
Following the classification method of the “Information Security Technology – Guidelines for the Classification and Grading of Cybersecurity Incidents” (the Classification Guidelines) issued by the National Technical Committee 260 in May 2023, and taking into account the characteristics of GenAI services, the Draft Guidance lists the following twelve common types of GenAI service security incidents in three categories:
A. Information content security incidents
- Generation of illegal information;
- Generation of false information;
- Generation of information that incites or abets;
- Generation of information that infringes rights and interests (e.g. generated information that involves an invasion of privacy); and
- Generation of discriminatory information.
B. Data security incidents
- Data leakage incidents (e.g. leakage of personal information);
- Data tampering incidents; and
- Data poisoning incidents.
C. Network attack incidents
- Model tampering incidents;
- Denial-of-service incidents;
- Vulnerability exploitation incidents; and
- Social engineering incidents (e.g. inducing a GenAI service to generate personal privacy information).
Grading of GenAI Service Security Incidents
The Draft Guidance proposes that GenAI service security incidents be graded in accordance with the Classification Guidelines based on the following three factors:
- the importance of the objects affected by the incident (including the business applications and data of the GenAI service);
- the severity of the business loss; and
- the severity of the harm to society.
Combining the levels of the above three factors, GenAI service security incidents may be divided into four levels (from highest to lowest: Level I, Level II, Level III and Level IV). Examples are as follows:
Level I (especially major incidents)
- Due to a hacker attack, the core model parameters of an especially important GenAI service are maliciously tampered with, so that the entire platform can no longer generate any content normally and the service is completely paralysed.
- A text generation service is induced to generate a large amount of content that violates the core socialist values, such as remarks that advocate splitting the country or undermining national unity; the content is widely disseminated and has an especially serious impact on social stability and national security.
Level II (major incidents)
- An important GenAI service suffers a DDoS attack, resulting in a prolonged service interruption.
- The content generated by an important text generation service leaks a large amount of users’ sensitive personal data.
Level III (relatively major incidents)
- An important GenAI service suffers a brief interruption caused by a software error or similar reason.
- The content generated by an ordinary GenAI service contains misleading financial information which, through its dissemination, affects market stability.
Level IV (ordinary incidents)
- An ordinary GenAI service used to generate weather warning reports underestimates the intensity of an approaching rainstorm because its underlying data has been partially tampered with. Although this would not directly cause a disaster, it may affect the advance preparations of local residents and pose a certain threat to public safety.
GenAI Service Security Emergency Response Process
The emergency response process can be divided into four phases: emergency preparation, monitoring and early warning, emergency handling, and review and improvement. For each phase, the Draft Guidance gives examples of management measures, technical methods and external coordination. Only some of the examples are listed below:
Professional Workshop on Data Protection in Human Resource Management
Since job applicants, current and former employees may request access to their personal data kept by organisations from time to time, employers or human resource management professionals have to ensure compliance with the requirements of the PDPO when they collect and handle data of their employees. On the other hand, employers should meet public expectations to constantly protect and respect their employees’ personal data privacy. This workshop enables participants to learn how to handle different scenarios and strengthen their knowledge of data protection in human resource management.
Date: 12 February 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Human resource officers, data protection officers, compliance officers, solicitors, administration managers, recruitment agents
Professional Workshop on Data Protection in Direct Marketing Activities
Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. Organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO, which also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility.
This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO and provide participants with practical guidance on compliance and share conviction cases relating to direct marketing, aiming to help participants understand how to properly use customers’ personal data in direct marketing activities.
Date: 26 February 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals
New Series of Professional Workshops on Data Protection in Mar 2025:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
The PCPD Supports the Sports Law Mega Event 2025
The Law Society of Hong Kong is presenting a groundbreaking Mega Event, the first of its kind dedicated to discussions about the interface among sports, law and business against the backdrop of "One Country, Two Systems, and Three Jurisdictions". The PCPD is pleased to be one of the supporting organisations of this event.
It will take place from 20 to 23 February 2025 (Thursday to Sunday) and consist of three sub-events: the Sports Law Conference, the 15th Recreation and Sports Night, and the 9th Guangdong-Hong Kong-Macao Lawyers Sports Meet.
Please click here for registration. For more details and the latest updates, please click here to visit the Mega Event website.
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.