Date: 22 August 2018
Privacy Commissioner Completed Compliance Check on Facebook and Cambridge Analytica Incident
Subsequent to earlier media reports on the suspected misuse of Facebook account holders’ personal data, the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) has completed a compliance check. In view of the public concern about the incident, the Privacy Commissioner reports on the findings of the follow-up work below.
According to the information obtained in the compliance check:
the office of Facebook in Hong Kong (Facebook HK) did not control the collection, holding, processing or use of all the data of Facebook’s Hong Kong account holders, which was controlled by Facebook Ireland Limited (Facebook Ireland). Facebook Ireland also claimed that its third party application (app) developer had not disclosed the personal data of Facebook’s Hong Kong account holders to Cambridge Analytica and its parent company.
at present, there is no evidence showing that Facebook’s account holders in Hong Kong were involved in the incident.
As data users (i.e. controllers), social media or social network service operators must comply with the relevant requirements and Data Protection Principles of the Personal Data (Privacy) Ordinance (Ordinance) if they control the collection, holding, processing or use (including disclosure and transfer) of personal data in Hong Kong or exercise such control from Hong Kong. Facebook HK did not control the collection, holding, processing or use of data of its Hong Kong account holders, so Facebook HK could not be regarded as a “data user” under the Ordinance. Although Facebook Ireland was the “data user” of Facebook’s Hong Kong account holders, no account holders in Hong Kong complained to the office of the Privacy Commissioner for Personal Data that they had been affected. The relevant regulatory provisions in the Ordinance are therefore not applicable in this incident.
Privacy Commissioner Stephen Kai-yi WONG stresses, “Although there is no evidence showing that Facebook’s operation in Hong Kong has contravened the PDPO, Facebook as a global social media leader must be accountable to the account holders of all the countries and regions (including Hong Kong) by adopting measures to safeguard their personal data privacy. According to the international media reports on the inquiries of the Cambridge Analytica incident and Facebook’s responses, Facebook could have done better, and the incident fell foul of public expectations.”
The Privacy Commissioner states that building trust with account holders is vital to social media operators. Improper processing or inadequate protection of data causes not only defection of customers, but also damage to goodwill and public confidence. The Privacy Commissioner also states that the Cambridge Analytica incident serves to remind social media operators and app developers/operators to be more stringent in the use and handling of personal data collected. The Privacy Commissioner further recommends that social media operators should adopt measures to nurture the culture of “protect and respect personal data privacy”:
to embrace data protection as part of their corporate governance responsibilities;
to place the notification of such policies conspicuously on their websites or apps;
to use contractual or other explicit means to restrict the access and use of users’ data by third parties, and to obtain users’ authorisation.