Skip to content

Newspaper Column

PCPD in Media

Your personal information is not safe when you shop online -- Privacy Commissioner's article in South China Morning Post (September 2023)

Globally, the use of social media and online shopping platforms is experiencing a meteoric rise. According to Forbes, the number of social media users worldwide has hit a record high of 4.9 billion this year, and it is expected that almost 21 per cent of retail purchases this year will take place online.

The prevalence of online services, however, comes with data security risks that cannot be overlooked. According to a report released by the Hong Kong Computer Emergency Response Team Coordination Centre in May, during the first quarter of the year, there were more than 5,000 data security incidents in the city, 2,804 of which were phishing attacks.

With the proliferation of cybersecurity threats, as evidenced by data scraping (which involves the extraction of data, including personal information, from the internet using automated processes) and the ransomware attacks to which numerous multinational companies have fallen victim, the ever-growing complexity of the digital landscape calls for a more cautious approach to data security and the use of online services.

In today’s digital era, it only takes the touch of a finger to purchase groceries online, like a post, or share your live location. However, almost every tap or swipe performed during those actions involves giving away your personal data, such as your browsing history, purchase transactions and, sometimes, credit card details.

This data is valuable, allowing online companies to provide you with personalised content and advertisements. As you go about your daily routine, you may be sharing more personal data than you realise.

In a recent report, the Office of the Privacy Commissioner for Personal Data compared the privacy settings of 10 online shopping platforms and found all of them tracked users’ activities, including their location, browsing history, transaction history and device information.

It may come as a surprise that all of them also transferred users’ personal data to third parties, including not only advertising and promotion partners but also external service providers.

Similarly, our 2022 report reviewing the privacy settings of 10 of the commonly used social media platforms found that all of them collected users’ location data (including both their precise and coarse locations), and most retained users’ credit card details. The risks underlying the convenience of online experiences, including the potential malicious use of personal data, data leaks or data scraping, cannot be overlooked.

The above reports reveal that social media and online shopping platforms collect a considerable amount of data from their users. The more information you provide to these platforms, the greater the risk to your personal data privacy.

For example, hackers who have used data scraping to obtain your personal data, including your financial credentials, may expose them on the dark web, sell them to other cybercriminals, or even manipulate them for identity theft. The adverse consequences that may follow can be alarming.

Giving away personal data to social media and shopping platforms can be perilous, given the increasing reports on data scraping, digital fraud, identity theft and other threats. This calls for closer scrutiny of our approach to data security and strengthening our defences against potential data breaches and cyberattacks.

In August, my office issued a joint statement with 11 other data privacy protection authorities around the globe to urge social media platforms and websites to be aware of their responsibilities and privacy protection obligations in safeguarding personal data from unlawful data scraping.

As co-chair of the Global Privacy Assembly’s International Enforcement Cooperation Working Group, Hong Kong’s Office of the Privacy Commissioner for Personal Data has strongly advocated the promulgation of a set of global expectations and principles on privacy protection. The joint statement is just one example of this effort.

Operators of social media and online shopping platforms must prioritise the protection of users’ personal data by establishing clear policies and procedures on data governance and data security.

The popularity and profitability of the services which they offer should not be at the expense of eroding users’ data privacy. The operators of social media and online shopping platforms should be acutely aware of and assume responsibility for protecting their users’ privacy. In addition to accountability, platforms should also enhance transparency, including on how they collect, use or transfer data, along with the kind of data collected and used.

For users of such platforms, before you click on “Pay” or “I Agree” to the terms and conditions of a website or mobile application, think twice about giving away your personal data.

While registering an account and allowing platforms to collect your personal data, browsing histories and location data may appear harmless at first glance. However, users should be aware of the risk that such data may become digital breadcrumbs for other companies to profile you and track your activities for marketing purposes. The data could also end up in the hands of fraudsters, for sale on the dark web, or used for a targeted cyberattack or even identity theft.

As the age-old maxim goes, prevention is better than cure.