The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) received a record-high number of data breach notifications in 2018, with a number of large-scale data breach incidents arousing wide public concern. A more than two-fold increase in the number of complaints relating to the use of information and communications technology (ICT) was also recorded. Amongst them, complaints related to the disclosure or leakage of personal data on the Internet increased substantially. Both figures reached record highs in recent years. In view of the rapid development of information technology and the evolution of the global data privacy landscape in recent years, the PCPD is in the process of reviewing the Personal Data (Privacy) Ordinance (the Ordinance) while proactively promoting privacy management accountability mechanisms and data ethics so as to build trust amongst the stakeholders, thereby creating a win-win situation.
2. Summing up his office’s work in 2018 in a media gathering held today (31 January 2019), Mr Stephen Kai-yi WONG, the Privacy Commissioner, said, “2018 was a significant year of data privacy protection for the privacy enforcement authorities globally and locally. The EU General Data Protection Regulation (GDPR) came into effect, bringing about significant changes to the global privacy regulation framework and landscape. In addition, a number of large-scale data breach incidents happened, indicating that enhancing data security has now become a pressing task for organisations. Public concern about personal data privacy had also increased as a result.
3. “Organisations must constantly bear in mind the fact that personal data belongs to the individuals, and hence there is sufficient legal and ethical basis to control the entire life cycle of personal data. Therefore organisations have both statutory and ethical responsibilities to safeguard and handle the personal data collected properly. Organisations that amass and derive benefits from personal data should not ditch their mindset of conducting their operations to meet the minimum regulatory requirements only. They should also be held to a higher ethical standard in data stewardship so as to build a trust basis with stakeholders in the contemporary data-driven economy.
4. “In 2019, the PCPD will continue to enforce the law fairly and step up its educational and publicity efforts, and at the same time advocate the introduction of privacy management accountability and data ethical standards in organisations, complementing the regulatory framework, so as to foster a culture of protecting and respecting privacy and personal data control. In addition to our role as enforcer and educator, we will facilitate according to the law organisations including the Government on initiatives involving personal data privacy, including making recommendations on the review of the Ordinance.”
The highlights of the PCPD's performance in 2018 are outlined as follows:
Data Breach Notifications, Compliance Checks and Compliance Investigations
5. In 2018, 129 data breach incidents were reported to the PCPD, representing an increase of 22% as compared with 106 incidents in 2017. The data breach incidents involved hacking, system misconfiguration, the loss of documents or portable devices, inadvertent disclosure of personal data by fax, email or post, etc.
6. The PCPD took the initiative to conduct 289 compliance checks and four compliance investigations in 2018, as compared with 253 compliance checks and one compliance investigation in 2017, representing 14% and three-fold increases respectively.
7. In December 2018, the PCPD released an inspection report on the personal data system of the private tutorial services industry, and made a number of recommendations for the industry to consider.
8. In 2018, the PCPD received a total of 16,875 enquiries, which represented an increase of 8% as compared with 15,594 enquiries in 2017. The enquiries mainly related to the collection / use of personal data (e.g. Hong Kong Identity Card numbers or copies) (32%), employment (10%), and use of personal data in direct marketing (6%).
9. Internet-related enquiries decreased by 13%, to 923 cases in 2018 from 1,057 cases in 2017. They were mainly concerned with cyber-profiling, mobile apps and cyber-bullying.
10. In 2018, the PCPD received 1,890 complaints, representing a 23% increase when compared with the 1,533 complaints.
11. Of those 1,890 complaint cases:
71% were made against the private sector (1,334 cases), 12% against the public sector / government departments (220 cases) and 17% against individuals (327 cases);
in terms of the nature of the complaints, 27% related to the use of personal data without the consent of data subjects (816 cases), 24% related to the purpose and manner of data collection (735 cases), 16% related to data security (482 cases) and 5% related to data access / correction requests (157 cases).
12. The PCPD completed 1,751 complaint cases in 2018 and conducted 92 investigations into the complaint cases. Among those completed cases, 844 cases were accepted for further handling. The PCPD attempted to resolve disputes between the data subjects and the parties complained against by conciliation as an effective dispute resolution alternative. Where a party was found to have contravened the Ordinance, the PCPD would advise it, in the course of conciliation or investigation, to take remedial actions so as to prevent the recurrence of similar irregularities in future. Since the parties complained against had followed the PCPD’s advice and taken appropriate remedial actions, the issuing of enforcement notices was not warranted. During the year, the PCPD made recommendations to the parties complained against in 686 cases, reminding them to take remedial actions or encouraging them to establish good practice in personal data protection.
13. Among the private sector organisations complained against, the financial industry received the highest number of complaints (241 cases, mainly about data collection, such as unfair collection of personal data by finance companies), followed by the property management sector (166 cases, mainly about the use of personal data, including disclosure and transfer, such as the posting of notices containing personal data by owners’ corporations) and the transportation sector (166 cases, mainly about data security, including 139 cases on the Cathay Pacific Airways data leakage incident).
Use of ICT
14. In 2018, the PCPD received 501 ICT-related complaints, an increase of more than 100% (111%) as compared with 237 cases in 2017. Common issues in this category (a complaint may involve more than one issue) included the disclosure or leakage of personal data on the Internet (270 cases), the use of social networking websites (156 cases), the use of mobile apps (96 cases) and cyber-bullying (59 cases).
15. It is noteworthy that the number of complaints about the disclosure or leakage of personal data on the Internet in 2018 (270 cases) increased more than threefold (a 315% increase) versus 65 cases in 2017. The data breaches during the year involving large-scale IT systems had probably heightened public concern about online personal data protection.
Use of CCTV and Drones
16. In 2018, the PCPD received 101 complaints relating to CCTV, as compared with 197 complaints in 2017. Three cases were related to drones (no related cases received in 2017).
17. During the year, the PCPD discussed with the relevant government departments the public consultation on the regulation of unmanned aircraft systems and made recommendations in relation to privacy protection.
Direct Marketing (DM)
18. In 2018, the PCPD received 181 DM-related complaints, comparable to 186 cases in 2017. The complaints were mainly about the use of personal data for DM without obtaining the data subject’s consent, or data users failing to observe the data subject’s opt-out request.
19. Two cases that were referred to the Police for criminal investigation had resulted in convictions:
A supermarket used the personal data of a data subject in DM without obtaining the data subject’s consent (the first conviction for an offence under section 35E(1)).
A telecommunications company failed to comply with a data subject’s requirement to cease using her personal data in DM.
Fined HK$10,000 in respect of each charge; HK$20,000 in total.
20. During the year, the PCPD discussed with the relevant government departments the government’s proposal to introduce a statutory Do-not-call Register to enhance the regulation of person-to-person telemarketing calls. The PCPD made recommendations in relation to privacy protection.
Enforcement Action and Prosecution
21. Sixteen warnings were issued in 2018. As mentioned above, since the parties complained against had followed the PCPD’s advice and taken appropriate remedial actions, the issuing of enforcement notices was not warranted during the year.
22. Six cases were referred to the Police for criminal investigation and prosecution. All of these cases related to the use of personal data in DM. The total number of prosecution cases in 2018 was two, both of which also concerned the use of personal data in DM.
Legal Assistance Scheme
23. The PCPD’s Legal Assistance Scheme may provide assistance to a person who has suffered damage by reason of a contravention of the Ordinance and intends to institute proceedings to seek compensation from the data user at fault. In 2018, the PCPD processed nine applications for legal assistance. Of these applications, three were granted, three were rejected, and the remaining three cases are being considered.
The Administrative Appeals Board (AAB) Cases
24. A total of 12 appeal cases were received last year. Of these cases, 11 appeals were against the Privacy Commissioner’s decision not to carry out, or to terminate, a formal investigation. The remaining appeal was against the Privacy Commissioner’s decision not to serve an enforcement notice after the investigation.
25. A total of 21 appeals were concluded in 2018, 18 of which were dismissed by the AAB and one was withdrawn by the appellant. One appeal was allowed and one was partly allowed. Over 90% of the appeals were eventually dismissed by the AAB or withdrawn by the appellants.
International and Mainland Connections
26. With its respected role in Asia, the PCPD took part in different regional and international forums last year, sharing its experience and exchanging insights on data protection. For example, the PCPD has been an executive member of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), the Global Privacy Enforcement Network (GPEN) and the Asia Pacific Privacy Authorities (APPA). In APPA, the PCPD is the convenor of its Technology Working Group. The PCPD also participated in a number of conferences both in the mainland and overseas in 2018 to share experience and build connections with its working partners, such as:
APEC Electronic Commerce Steering Group Data Privacy Subgroup Forum
Mainland, Hong Kong and Macao Legal Seminar: Legal Issues on Belt and Road Initiative and the Bay Area Development
Cross Strait Four Regions Young Lawyers’ Forum
27. The PCPD believes that the free flow of information and the effective protection of personal data in Hong Kong are the city’s "unique and irreplaceable" attributes.
28. In 2018, the PCPD issued 39 media statements, responded to 184 media enquiries and conducted 92 media interviews. Topics that were of media interest during the year included data breach incidents or hacking activities (44.2%), the incident involving monitoring and recording of Legislative Council Members’ locations in the LegCo Complex and snatching of a government official’s mobile phone (14.7%), and CCTV/drones and DM/person-to-person telemarketing calls (9.8%).
Promotion and Public Education
29. Before any contravention occurs, the PCPD actively liaises with industry representatives and organisations to enhance their awareness of compliance and accountability. In 2018, the PCPD conducted 421 professional workshops, talks, seminars and meetings with stakeholders, with a total of 33,543 participants from over 570 organisations, involving 68,402 total training man-hours. The number of in-house seminars organised upon invitation was 123, the highest number ever, with a total of 18,672 training man-hours recorded. In addition, the Privacy Commissioner was invited to speak and share views on the latest developments in data privacy protection, data ethics stewardship values and models, and the development of a privacy management programme at 228 presentations, seminars, talks and meetings with stakeholders in 2018, amounting to 37,512 total training man-hours. During the year, the PCPD published and revised five publications, including guidelines, a booklet and the annual report, to assist organisations in understanding how to comply with personal data protection legislation and adopt best practices in privacy management, and to provide practical tips on privacy protection to children, etc.
30. In 2018, a total of 18 promotional and education programmes were organised to meet the various needs of individuals (including students and the elderly) and organisations, reaching 262,145 participants, the highest number ever. Promotion of personal data privacy to children and the youth has always been one of the PCPD’s priorities. Last year, 106 schools joined the 2018 “Student Ambassador for Privacy Programme” and became our school partners, with over 60,000 participants, the highest number since the Programme was launched. The PCPD also organised a privacy campaign for primary school students, consisting of school talks and parent-child colouring and comic competitions, which attracted over 94,000 participants. In addition, 16 educational talks for senior citizens were held in collaboration with elderly-serving non-government organisations to help senior citizens be aware of potential data privacy risks. These talks were attended by 1,225 elderly people. For the business sector, the PCPD continued to enhance the information provided on its website for different industries as well as small and medium enterprises (SMEs) to raise their awareness of privacy issues. An industry-specific campaign for SMEs was launched in 2018 to provide all-round support to SMEs in protecting the personal data of customers and staff. The PCPD also established a dedicated SME hotline and email inbox, organised talks and launched a radio drama for SMEs entitled “Get to know more about personal data protection”.
31. The PCPD continued to strengthen and improve the information provided on its website (PCPD.org.hk) and two thematic websites, “Be SMART Online” and “Children Privacy”. During the year, a new “EU General Data Protection Regulation” section and a mini-website “Elderly Corner” were developed.
Awards and Recognitions
32. Two PCPD staff members received Individual Awards for Officers of Public Organisations in The Ombudsman’s Awards 2018 for their outstanding performance in handling enquiries and complaints.
33. The PCPD was awarded “Manpower Developer” in the “Government Department, Public Body and NGO” category by the Employees Retraining Board for PCPD’s outstanding achievements in manpower training and development.
34. The PCPD website (PCPD.org.hk), together with its four thematic websites or mini-websites (“Be SMART Online”, “Children Privacy”, “Think Privacy! Be SMART Online” and “Elderly Corner”), won Gold Awards in the Website Stream of the Web Accessibility Recognition Scheme 2018/19.
Key Personal Data Privacy Issues and Major Initiatives in 2018
35. Legitimacy of Data Processing Project
The Privacy Commissioner commissioned a consultancy to conduct the “Legitimacy of Data Processing Project” for the purposes of achieving ethical and fair processing of personal data when carrying out advanced data processing activities (e.g. artificial intelligence and machine learning etc.) while balancing the interests of all stakeholders. Over twenty organisations in Hong Kong from various sectors, covering banking, insurance, telecommunications, healthcare services, transportation, etc., participated in the project by providing comments and feedback on the draft project deliverables. The research report titled “Ethical Accountability Framework for Hong Kong, China” was released in October 2018. It recommended that organisations should implement an ethical data governance system and uphold three data stewardship values, namely respectful, beneficial and fair, enabling advanced data processing activities to benefit all stakeholders.
36. “European Union General Data Protection Regulation 2016”
In view of the EU GDPR, which came into force on 25 May 2018, the PCPD issued the “European Union General Data Protection Regulation (GDPR) 2016” booklet in April 2018, aiming to raise awareness amongst organisations and businesses in Hong Kong of the possible impact of the new data protection regulatory framework in the European Union, as well as comparing some of its major requirements with those set out in the Ordinance.
During the year, the PCPD received three complaints allegedly related to the GDPR.
37. Incidents of Monitoring and Recording Legislative Council Members’ Locations in the LegCo Complex and snatching a Government official’s mobile phone
During the year, a Legislative Council Member challenged the monitoring and recording of Members’ locations in the LegCo Complex as a possible contravention of the Ordinance. This was followed by an incident in which a government official’s mobile phone was snatched. The PCPD responded promptly to the incidents and leveraged the public concern over them to enhance the public’s understanding of the provisions of the Ordinance.
38. Participation in the Privacy Sweep Exercise relating to “Privacy Accountability”
The PCPD participated in the GPEN’s global Privacy Sweep for the sixth consecutive year. The theme of the 2018 Privacy Sweep was “Privacy Accountability”. Eighteen privacy enforcement authorities (including the PCPD) around the world participated in this exercise. The PCPD invited companies from different industries to take part so as to better understand the implementation of privacy accountability mechanisms in these companies and assess the implementation status in different sectors. The GPEN is now consolidating the results submitted by the participating privacy enforcement authorities and is expected to publish a report in the first quarter of 2019.
39. Promotion of the Privacy Management Programme (PMP)
The PCPD issued a revised Best Practice Guide on Privacy Management Programme (the Guide) in 2018, which aims to assist organisations in constructing a PMP. The Guide is a “2.0 version” of the 2014 issue, providing practical recommendations to organisations together with more concrete examples, charts, and questionnaire and checklist templates for reference.
Since the launch of the PMP in 2014, the Government of the Hong Kong Special Administrative Region, together with more than 30 companies from the insurance, telecommunications and other sectors, have pledged to implement PMP. The Government and the PCPD subsequently engaged a consultancy firm to facilitate the implementation of PMP in three Government bureaux and departments, namely the Constitutional and Mainland Affairs Bureau, Hongkong Post and the Environmental Protection Department, and to prepare PMP operations manuals. The three operations manuals were completed in 2018. The PCPD, together with the consultancy firm, organised workshops to assist Government bureaux and departments in developing their own PMP according to their operational needs.
The Privacy Commissioner will continue to organise seminars and professional workshops on PMP to help organisations prepare their own PMP manual and construct a comprehensive programme.
Strategic Focus for 2019
40. In 2019, the PCPD will:
Continue to enforce the law fairly, promote and educate all stakeholders about personal data protection;
Continue to engage organisations (especially the SMEs) in promoting compliance in protecting personal data and implementing the privacy governance mechanisms and data ethics;
Strengthen the working relationship with the mainland and overseas data protection authorities to handle cross-jurisdiction data contravention incidents, and explain the newly implemented data protection rules and regulations of other jurisdictions to local stakeholders for compliance with the requirements, recognising the free flow of information and privacy protection as one of Hong Kong’s unique and irreplaceable attributes;
Facilitate according to the law organisations including the Government on initiatives involving personal data privacy, including making recommendations on the review of the Ordinance; and
Issue guidance on “Fintech” and “de-identification” and publish a booklet on major personal data regulations in the mainland for industries and members of the public.
Pursuant to section 36 of the Ordinance, the Privacy Commissioner may carry out an inspection of any personal data system used by a data user for the purpose of making recommendations relating to the promotion of the compliance with the provisions of the Ordinance.
The 1,890 complaints included 139 complaints related to the incident of leakage of passengers’ personal data by Cathay Pacific Airways.
The 1,968 complaints relating to the reported loss of laptops containing the personal data of election committee members and electors by the Registration and Electoral Office in 2017 have been excluded from the 2017 figure.
The complainants in all three cases are citizens of EU countries. One case related to the accuracy of the complainant’s personal data held by the organisation, and the other two related to data security.