Skip to content

Media Statements

Media Statements

Date : 26 January 2016

Upward Trend in Privacy Complaints Sees Need for Personal Data Protection and Respect amongst Individuals and Organisations 

(26 January 2016)  The Office of the Privacy Commissioner for Personal Data ("PCPD") received a record number of complaints in 2015. There was a rising trend in the number of enquiries and complaints in relation to the use of information and communications technology (“ICT”). A number of data leakage incidents occurred during the year amounting to a contravention of data security principle.

2. Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data ("Commissioner") briefed today (26 January 2016) the major work accomplished by the PCPD in 2015, “Privacy complaints reach a record high in 2015, indicating an increase in public awareness on personal data privacy protection. The rapid development of ICT, the use of big data and cloud computing will further change the ways that individuals’ personal data is collected, retained and used. The recent data leakage incidents involve voluminous personal data and are largely attributed to the internet security issues. I appeal to all businesses and organisations to ensure the proper handling and disposal of personal data collected, and to take all practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.”

3. Mr Wong continued, “Hong Kong was the first jurisdiction in Asia to have a dedicated piece of legislation on personal data privacy 20 years ago. To maintain as an international business centre with free flow of information, Hong Kong should keep up with the development and changes in the privacy landscape with a view to bringing our data protection policies and regulations up to date, as well as striking the right balance. Comparative researches and analyses will be our priorities in 2016 considering also the fact that the European Commission has agreed on a comprehensive data protection reform on 15 December 2015 to introduce the General Data Protection Regulation for strengthening the online privacy rights in the digital age. We will closely monitor the progress, and maintain close liaison with overseas privacy enforcement authorities.”

4. The highlights of the PCPD's achievements in 2015 are outlined as follows:

Enquiries
5. In 2015, the PCPD received a total of 18,456 enquiries, representing an increase of 7% as compared with 17,328 enquiries in 2014. They were mainly concerned with data access requests (14%), employment (12.7%), use of personal data in direct marketing (11.9%), and collection / use of Hong Kong identity card numbers or copies (6.5%).

6. There was an increase of 18.8% in internet related enquiries from 611 cases in 2014 to 726 cases in 2015, mainly relating to cyber-profiling, mobile apps and cyber-bullying.

Complaints
7. During the same year, the PCPD received a record high of 1,971 complaints, which represented an increase of 16% as compared with 1,702 complaints in 2014.

8. Of the complaints received, 74% were made against the private sector (1,461 cases), 11% against the public sector / government departments (210 cases) and 15% against individuals (300 cases).

9. Among the private sector organisations, the financial sector received the most complaints (390 cases), followed by property management (156 cases) and telecommunications (115 cases).

10. Regarding the nature of the complaints, 40% related to the use of personal data without the consent of data subjects (786 cases), 37% to the purpose and manner of data collection (722 cases), 13% to data security (252 cases) and 8% to data access/correction requests (156 cases).

Use of Information and Communications Technology ("ICT")
11. Over the past few years, the PCPD has seen an upward trend in ICT-related privacy complaints, and received a record high of 241 complaints in 2015, representing an increase of 17%, as compared with 206 cases in 2014.

12. Common privacy disputes arose from the use of mobile apps and social networking websites (161 cases), the disclosure or leakage of personal data on the Internet (85 cases), and cyber-bullying (22 cases).

Electioneering
13. A total of 115 electioneering-related complaints were received, the majority (106 cases) of which related to the 2015 District Councils Election registered in the fourth quarter of 2015. Most of the complainants objected to their personal data having been used in electioneering activities without their consent.

14. The PCPD updated its Guidance Note on Electioneering Activities in August 2015 to provide candidates and their election agents with practical guidance on compliance with the requirements under the Personal Data (Privacy) Ordinance ("the Ordinance").

Compliance Checks and Self-initiated Investigations
15. 98 data breach incidents affecting 871,000 Hong Kong individuals were reported to the PCPD in 2015, as compared with 70 incidents involving 47,000 individuals in 2014. These incidents involved the loss of documents, hacking, inadvertent disclosure of personal data by fax, email or post, and system failure.

16. The PCPD completed 284 compliance checks and 76 self-initiated investigations in 2015, as compared with 217 checks and 102 investigations in 2014.

Inspection
17. During the year, the PCPD conducted an inspection of a travel operator in view of the vast amount of travellers’ personal data it collected and retained. The purpose of the inspection was to assist the Commissioner in making recommendations to the travel industry with a view to promoting compliance with the provisions of the Ordinance.

Investigation Reports

18. The Commissioner published two investigation reports in 2015 (five in 2014). These reports covered:-

  1. 59 “blind” recruitment advertisements ("Blind Ads") placed in major advertising platforms soliciting personal data of job applicants but without revealing the employers’ identities; and
  2. Excessive and unfair collection of fingerprint data by a fashion trading company for safeguarding office security and monitoring staff attendance.
19. The investigations into Blind Ads were a continuation of a similar operation in 2014. The Commissioner was pleased to find that the recruitment media have played an instrumental role in reducing the number of Blind Ads (from 3.45% (311 cases) in the 2014 survey to 0.46% (59 cases) in the 2015 survey) and commended them in the report accordingly.

 

Enforcement Action
20. In 2015, the PCPD issued 17 warnings and 67 enforcement notices to organisations as compared with 20 warnings and 90 enforcement notices in 2014. The number of the enforcement notices served in connection with the investigation of Blind Ads had dropped from 69 in 2014 to 57 in 2015.

Prosecution
21. During the same period, 30 cases were referred to Police for criminal investigation and prosecution (20 in 2014), of which 28 cases related to contraventions involving the use of personal data in direct marketing (17 in 2014).

22. The total number of prosecutions in 2015 was six (one in 2014). A case relating to contraventions involving the use of personal data in direct marketing, as well as another one relating to the disclosure of personal data of a data subject which was obtained from a data user without the data user’s consent, are now under trial.

Direct Marketing
23. In 2015, the PCPD received a total of 2,201 direct marketing related enquiries (2,385 in 2014). On the other hand, 322 direct marketing related complaints were received last year, which represented an increase of 16% as compared with 277 cases in 2014.

24. Since the penalty level of the offence was raised under the revised direct marketing regulatory regime which took effect on 1 April 2013 under the Personal Data (Privacy) (Amendment) Ordinance, as of 31 December 2015, a total of 53 cases were referred to Police for criminal investigation and prosecution. There were four convictions in 2015:

September 2015
First conviction case
A telecommunications service provider failed to comply with customer’s opt out request to cease using his personal data in direct marketing Fined HK$30,000
September 2015
Second conviction case
A storage service provider used the personal data of a customer in direct marketing without taking specified actions and obtaining his consent Fined HK$10,000
November 2015
Third conviction case
A body check service company failed to comply with customer’s opt out request to cease using his personal data in direct marketing Fined HK$10,000
December 2015
Fourth conviction case
A person provided personal data, which was obtained in a social function, to a third party for use in direct marketing without taking specified actions and obtaining consent. Fined HK$5,000

Legal Assistance Scheme
25. The Legal Assistance Scheme commenced on 1 April 2013. Under the scheme, the PCPD may provide assistance to a person who has suffered damage by reason of a contravention under the Ordinance by a data user and intends to institute proceedings to seek compensation from the relevant data user. The PCPD received 16 new applications for legal assistance in 2015. Together with three applications brought forward from 2014, the PCPD handled 19 applications in 2015. Of these applications, nine were rejected, four were withdrawn by the applicants and six are being considered. Legal proceedings are expected to commence in respect of one approved case brought forward from 2014.

Promotion and Public Education
26. During the year, a total of 20 large-scale promotional and education activities were organised to cater for the various needs of the individuals (including students) and organisations, reaching over 260,000 participants, and representing an increase of more than 80% as compared with 2014’s figure. 276 workshops, seminars and talks on specialised topics were conducted engaging a broad range of stakeholders, with a total of 18,700 participants (increased by 26% from 2014) from over 450 organisations.

27. The PCPD also made use of the online training platform to help stakeholders be familiar with how to interpret and apply the Ordinance in a cost-effective manner. Apart from a module dedicated for the small and medium sized enterprises, three ICT-related courses were also launched in the fourth quarter of 2015.

28. A major strategic focus of the PCPD in 2015 was promoting and ensuring the compliance with the provisions of the Ordinance by stakeholders in the mobile apps industry. In January 2015, the PCPD launched a privacy awareness campaign with the theme “Developing Mobile Apps: Privacy Matters”. The campaign was co-organised by 10 leading trade associations and supported by 10 professional and academic institutions in the field of ICT. 13 activities were held in 2015 reaching more than 2,400 participants. In addition, the PCPD organised the International Conference on Big Data from a Privacy Perspective in June 2015, attracting over 250 professionals across the globe to attend.

29. A survey of public attitudes on personal data privacy revealed that awareness of privacy rights of individuals and public trust in the PCPD were generally high. A new TV Announcement in the Public Interest entitled “Stay Smart. Mind Your Digital Footprint” was launched in the end of November, calling on members of the public to go online vigilantly, with intent to nourish a culture of protecting their own and respecting others’ personal data. The website pcpd.org.hk has become an important channel for the PCPD to reach out to the community with its growing wealth of data protection information. The website won the Silver Award (Website Stream) in the Web Accessibility Recognition Scheme 2015 and the “Government Standard of Excellence” in 2015 Web Awards for Outstanding Achievement in Web Development.

30. The PCPD issued 18 guidance notes and information leaflets in 2015 covering a wide range of topics such as children’s online privacy, mobile apps development, using social networking and smartphone, and cloud computing.

Major Incidents in 2015

Data Leakage Incidents
The PCPD initiated investigations into some major data leakage incidents in 2015, including:

31. Contactless Credit Cards

The PCPD initiated investigations into the possible personal data leakage involving the contactless credit cards issued by   a number of banks in November 2015.

32. Websites and Computer Networks
  1. Data leakage incident of VTech Learning Lodge –
    This data leakage incident appeared to have disclosed data of 5 million parents and over 6.6 million related children’s profile worldwide. The PCPD initiated a formal investigation into this incident as it is a Hong Kong based company. The incident involved a large number of persons and it included children’s personal data. In accordance with the international practice and cooperation arrangement, the PCPD has kept privacy enforcement authorities in other jurisdictions informed of the progress.
  2. Security Vulnerability of SanrioTown Website –
    Sanrio Digital (HK) Limited, a Hong Kong company that operates the SanrioTown website, announced in December 2015 that the personal data (credit card or other payment information is not included ) of up to 3.3 million members of SanrioTown website could have been publicly accessible owing to a security vulnerability. The PCPD initiated a formal investigation into this incident.
  3. Malware detected in the electronic payment system of Hyatt Hotels Corporation ("Hyatt") –
    Hyatt Hotels Corporation, headquartered in Chicago of the United States, notified the PCPD about this data breach incident in late December 2015. Hyatt found malware that targeted payment card data used at Hyatt-managed locations worldwide, including the three hotels located in Hong Kong. The PCPD commenced a compliance check on this incident as it involved the credit card information of individuals and companies in Hong Kong.


Children’s Privacy
33. In 2015, the PCPD expressed concerns about the incident of the alleged unconsented uploading of video clips of secondary school students online, as it involved youngsters and their rights to privacy in the cyber world. The PCPD undertook a formal investigation into the complaints and is in the process of screening and drafting of the report.

34. Results of a study, which was published in May 2015, revealed a lack of knowledge and awareness on children’s privacy among parents and teachers. The PCPD published the “Children Online Privacy – Practical Tips for Parents and Teachers” leaflet, and revamped the “Children Privacy” thematic website (www.pcpd.org.hk/childrenprivacy) in December.

35. In December 2015, the PCPD announced the results of the study of 45 local website and mobile applications targeting at children, and published a Guidance Note on “Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children for organisations”.

Telephone Deception
36. Last year, the PCPD received over 300 enquires and complaints in relation to telephone deception. The most common ways were found to collect personal data through:

  1. Random phone calls or electronic messages;
  2. Phone calls or follow-up meetings from callers who could specify the full names or surnames of the receivers;
  3. Both of the above, and the real intention of the callers was to defraud the receivers of their money. The PCPD referred cases involving fraud to the Police for criminal investigation.
37. The PCPD organised 10 public talks on telephone deception, and staged a public education roadshow with an exhibition vehicle shuttling among 20 locations in Hong Kong to enhance public awareness on personal data protection.


Strategic Focus for 2016
38. The Hong Kong privacy landscape has been evolving rapidly in the past years. In 2016, the PCPD will keep pace with the global developments in the protection of personal data, take proactive steps to strike the balance between privacy protection and free flow of information, and respond positively to meet the challenges ahead. Strategic focus will be placed on:

  1. Comparative researches and analyses
    The European Commission agreed on the data protection reform on 15 December 2015 and will introduce the General Data Protection Regulation for strengthening the online privacy rights. The PCPD will monitor the progress. The PCPD will also conduct researches on topics such as big data and internet of things in response to the challenges generated by the use of ICT in the digital age.
  2. Promoting good practices
    The PCPD will continue to promote Privacy Management Programme ("PMP") and encourage organisations to embrace personal data privacy protection as part of their corporate governance responsibilities. In order to further assist the organisations to implement the PMP in an orderly way, the PCPD cooperates with the Government, by engaging an external consultant, to assist the government departments to formulate, review, implement and enhance their PMPs. Experience gained from this approach will also be beneficial to the companies in private sector for implementing the PMP. The PCPD will also launch a recognition scheme to award those organisations that adopt good practice.
  3. Public Education Campaigns
    The PCPD will launch a large-scale TV programme in partnership with RTHK to mark its 20th Anniversary of the establishment. 
  4. Support to the Commencement of operation of the Electronic Health Record Sharing System ("System")
    To support the government in the commencement of operation of the System in March 2016, the PCPD will exercise its functions and powers under the Ordinance in relation to personal data in the System. The PCPD will publish information leaflets on personal data privacy in relation to the System for the reference of both the citizens and the healthcare providers.

 

- End -