Skip to content

Media Statements

Media Statements

Date: 1 December 2015

PCPD Initiates Compliance Check on VTech’s Data Leakage Incident

(1 December 2015) The Office of the Privacy Commissioner for Personal Data (“PCPD”) has commenced a compliance check on the data leakage incident of VTech Learning Lodge (“VTech”).

The Privacy Commissioner for Personal Data, Mr Stephen Wong, said, “VTech indicated today that they would notify the PCPD formally about this data leakage incident, which appears to have disclosed data of 5 million customers accounts and related children’s profiles worldwide. There is nevertheless no indication on the number of Hong Kong customers affected. PCPD’s compliance check against VTech is to ascertain whether VTech had taken appropriate steps to safeguard personal data before the leakage happened; and what kinds of remedial actions are adopted, after the data leakage, to avoid the occurrence of similar incidents. PCPD will inform VTech of the findings upon completion of the compliance check and make recommendations with a view to assisting VTech to comply with the Personal Data (Privacy) Ordinance (“Ordinance”) and protecting the personal data of its customers.”

While it is not a statutory requirement for a data user (such as commercial enterprises and other organisations) to notify the PCPD of a data leakage incident concerning the personal data held by him, he is advised to do so as a good practice for proper handling of such incident.

As the compliance check has just commenced, the PCPD is prohibited from offering any comments, at this stage, on whether there are any contraventions or violations of the law. Generally speaking, the security of personal data on websites is governed by the Data Protection Principle 4 (Data Security Principle), which provides that a data user needs to take practical steps to safeguard personal data against unauthorised or accidental access, processing, erasure, loss or use.

If there is a non-compliance with the Data Protection Principles, the Privacy Commissioner may serve an enforcement notice to direct the data user to remedy the contravention and prevent its re-occurrence. Contravention of an enforcement notice is an offence which would attract a maximum fine of HK$50,000 and imprisonment for 2 years. If the offence continues after the conviction, the data user is liable to a daily penalty of $1,000.

In the case of hacking, if a hacker gains unauthorised access to and subsequently discloses the personal data unlawfully, he may be liable to commit an offence under Section 64 of the Ordinance. Section 64 provides that it is an offence if a person discloses any personal data obtained without consent from data users (e.g. organisations which collect and store personal data), with an intent -

  1. To obtain gain whether for the benefit of the person or another person; or
  2. Where the disclosure causes psychological harm to the data subject (regardless of the intent), he is liable on conviction to a fine of $1,000,000 and imprisonment for 5 years.

In addition, the hacker may be liable to contravene the Data Protection Principle 1 (2) in collecting the personal data by unlawful or unfair means.

- End -