Skip to content

Speeches, Presentation & Articles

Speeches, Presentations & Articles

"Use of Social Media and Instant Messaging Apps – A Personal Data Privacy Perspective " -- Privacy Commissioner's article contribution at Hong Kong Lawyer (April 2021)

The use of social media, including instant messaging apps, is very much part of everyday life for Hongkongers. However, such use also poses risks to the personal data privacy of the users. With reference to the “Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps” newly issued by my office (the PCPD), this article looks at some of those risks and the precautions that one may take to help mitigate the risks.

While the use of social media and instant messaging apps is prevalent nowadays, it also carries with it inherent yet non-negligible risks to one’s privacy in relation to personal data.

Privacy Risks

According to a survey conducted by the PCPD last year, 77% of a population of over 1,200 respondents interviewed in Hong Kong had an account with a social media platform, and 48% used that platform daily. In addition, 93% of the respondents used smartphones, of which 98% installed instant messaging apps.

It is interesting to note that among those who had installed instant messaging apps, 77% were aware that those apps had access to the contact information on their phones. Notwithstanding that, 35% of the respondents considered such access as privacy invasive, and 34% considered it as serious invasion of privacy.

It is also noteworthy that slightly over half of those who had an account with a social media platform would only share personal photos and personal opinions with friends (54% for both). Over a third of the respondents never shared personal photos (34%) nor personal opinions (38%).

Although most of the social media platforms and instant messaging apps provide their services for free, it is important for the users to know, and recognise, that almost invariably they are giving up or sharing their personal data, including information on their online behaviour and browsing habits, etc., to the relevant platforms or apps in return for the use of the services. In essence, personal data has been monetised upon registration or in the course of user activities and such data is collected, used and often shared by the service providers with others for various purposes, including targeted advertising. The ability of platforms to track one in the cyberworld might creep one out. However, businesses know exactly where to place their advertisements through the data they collect from the end users, from their digital footprints.

Social media users who excessively share information like photos, stories of everyday life, locations and opinions may easily, and unwittingly, disclose more personal data than they anticipate. Tagging friends to posts or photos may end up sharing other people’s personal data without their knowledge or consent. These kinds of innocuous data, when pieced together, can be used to profile the users. The data may even be used for cyberbullying, doxxing and perpetuating frauds.

Against this background, it is not surprising, therefore, for some tech giants to enhance the transparency of their policy for data collection, for some to pull the plug on tracking cookies and for others to push back on how much apps can collect by giving users the option to turn off online tracking, or explicitly agree to what data each app can collect, and switch it on and off at will.

Some Possible Means to Protect Personal Data

In the light of the privacy risks outlined above, the PCPD has issued the “Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps” recently. I urge users of social media and instant messaging apps (collectively called “social media” below) to exercise greater vigilance when they are navigating online.

Before signing up for a new social media account, users should take steps to understand how the relevant platform handles their personal data by examining its privacy policy. It is advisable, for example, for a social media account to be linked to an email account dedicated to the social media, separate from the user’s main email accounts, such as the email account for banking purposes. Users should avoid submitting sensitive data like details of residential addresses and dates of birth, if possible.

Upon signing-up an account, users should examine the default privacy settings and modify them as appropriate. For example, it is desirable for them to limit the extent to which their personal data is publicly visible, the access right of the platform to the users’ data, such as the use of facial recognition, location tracking and cross-platform tracking. Users should also be mindful of whether they should allow others to “tag” them in photos or posts.

Whenever there are any changes in the privacy policy or the terms of service, it is advisable for users to clearly understand the relevant changes, and if the changes involve any change in the kinds of personal data to be collected from the users, and in the use or sharing of the data. Such understanding is essential for users to make a well-informed and voluntary decision as to whether or not to accept the changes.

As a matter of respect for other people’s privacy, social media users should be cautious about tagging other people in photos or sharing information about other people. Users should think twice before posting any information, bearing in mind that once data leaves their devices, it leaves their control – even things shared narrowly has the potential to be forwarded and disseminated widely.

In terms of security, social media users must not assume that other users are necessarily real people who match their online descriptions. They should be vigilant about online scams that come in the form of unsolicited benefits, or hyperlinks that request people to log-in or provide personal data. If they use a public or shared computer to log-in to their social media accounts, they should not allow the browser to remember their passwords and must remember to log out after use.

If social media users find themselves tagged in photos or posts against their will, they should follow the available options of the platforms to “untag” or “remove” themselves from the photos or posts. If possible, they may consider asking the persons who shared those photos or posts to delete them.

If they discover that sensitive or inappropriate information about themselves has been shared on social media, they can request the platform operators to take it down, possibly through the feature of “report improper contents”.

Finally, if users no longer wish to use a particular social media platform, they should delete or terminate their accounts, usually by following the steps for “termination”, “deletion” or “deactivation” of the account.

For more detailed advice, please read the “Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps” newly issued by the PCPD, which is accessible on our website at: