
PCPD e-Newsletter


Watch out for the peril lurking in those free, innocent-looking public USB charging ports.  It could drain your bank account.

In the hustle and bustle of modern daily life, few moments are more disheartening than a dying phone, which can feel as if it has put our lives on hold. For the convenience of city dwellers and tourists alike, USB charging stations are increasingly common in places such as airports, cafes and public transportation. However, before rushing to charge our phones, we should be aware of “juice jacking”: a malicious hacker could secretly steal your personal information and sensitive data, or even take full control of your device.

“Juice jacking” is a type of cyber-attack that compromises the victim's mobile phone or other smart device through malware planted on a USB charging port. It is possible because a USB connection carries data as well as power. When a victim connects to such a counterfeit public charging hub, the malware infects the device and opens a door for a hacker to steal data on the phone, including stored passwords, files and bank accounts, or to install malware on the victim's device.

Consider the following to protect your device from “juice jacking”: 
- Verify the power source
- Bring your own charging cable and adaptor
- Use a USB data blocker or USB data-blocking cable
- Use a portable power bank

Charging Your Phone Using a Public USB Port? Beware of 'Juice Jacking'

The Use of Information on Social Media for Tracking Potential Carriers of COVID-19 (26 February 2020)

Read media statement

Response to Media Enquiry on the Collection of Personal Data when a Group Assists Members of the Public for Voter Registration (20 February 2020)

Read media response (Chinese version only)

Suspected Theft of OGCIO Mobile Phones (19 February 2020)


Read media statement

Masks and Police Officers' Car Registration Numbers (14 February 2020)

Read media statement

Free Online Seminar - An Overview of Personal Data (Privacy) Ordinance  (New!)

The PCPD has created a new online seminar on the Personal Data (Privacy) Ordinance to help the public to acquire knowledge of the Ordinance anywhere and anytime.


Self-training Module on Protection of Personal Data for Small and Medium Enterprises (SME)

This one-stop training module offers a convenient channel for SMEs to grasp the essentials of the Personal Data (Privacy) Ordinance online. With real-life examples and an interactive quiz, SMEs can build their own privacy plan through this online portal.

Data Security Tips for Remote and Mobile Working

When you need to work from home or anywhere outside the office, portable storage devices such as USB flash drives and notebook computers provide a convenient means to store and transfer data. However, privacy could easily be compromised if the use of these devices is not supported by adequate data protection policy and practice.

The European Commission backtracks on plans to ban facial recognition

The European Commission came under fire for ruling out a moratorium on facial recognition, as the bloc's new strategy for data and artificial intelligence governance was unveiled.


Corporations shouldn't be allowed to own your personal data at all

If we really want to solve the problem of Internet privacy, we have to engage in a paradigm shift in how we think about it, and give the user complete ownership and control over his or her data.


Data privacy: What consumers want businesses to know

A recent report reveals that consumers want companies to earn their trust and to offer them control over their data: 84% of consumers will take their business elsewhere if they don't trust how a company is handling their data, and 85% said they wish there were more companies that they could trust with their data.

Big data plays major role in epidemic control

Telecommunications carriers are using big data analysis to help fight the novel coronavirus outbreak, by leveraging the data pool of China's billion-plus smartphone users.


Q: When customers place orders via a mobile app, can the organisation use the customers' personal data to send marketing information to them without seeking customers' consent?

A. Yes
B. No

The correct answer is B.

Data collected from customers who place orders via mobile apps can be used only for handling purchase orders. If organisations intend to use the data to send marketing information, they must obtain their customers’ prior consent, and the data can be used only for the classes of products or services agreed to by the customers.

Q: If an organisation engages an outsourcing agent to develop or operate a mobile app, which of the following is the appropriate policy for personal data retention?

A. Adopt contractual or other means to require the outsourcing agents to delete the personal data under specified circumstances and within a specified period.
B. Allow the outsourcing agents to decide how long they can keep the personal data.
C. Allow the outsourcing agents to keep the data in their servers permanently.

The correct answer is A.

If organisations engage outsourcing agents to handle personal data on their behalf, they should adopt contractual or other means to prevent the personal data from being kept by outsourcing agents longer than is necessary.

Extended Reading:
Best Practice Guide for Mobile App Development

Data Protection Principle 1 – Collection of personal data

Excessive collection of personal data for the purposes of preparing car insurance quotation

The Complaint

The complainant intended to purchase a car insurance policy and sought a quotation via a car dealer. The complainant was requested by the car dealer to submit an insurance application form and his identification documents. The car dealer claimed that this was the requirement of the insurance company to provide a quotation. The complainant took the view that the car dealer and the insurance company had collected excessive personal data from him for the purposes of preparing a quotation.

The car dealer stated that, being an intermediary, it always followed the insurance company’s instructions in collecting customers’ personal data. The insurance company stated that only basic information about the vehicle was required for preparing a quotation. The insurance company believed that the car dealer had mistakenly handled a request for quotation as an application for insurance.

The PCPD considered that for the purposes of providing an insurance policy quotation, it was unnecessary for the insurance company to obtain a completed application form and identification documents from the complainant. Although the insurance company attributed the incident to the car dealer’s failure to adhere to its policy in handling a request for quotation, this did not absolve the insurance company, as the principal, of liability for the car dealer’s acts in this case.

After the PCPD’s intervention, the insurance company undertook to enhance its communications with the car dealer and provide regular training to its staff, so as to ensure that quotation enquiries were properly dealt with. The car dealer also confirmed that it had clarified with the insurance company the procedures for seeking quotations and that the insurance company had provided written guidelines for its staff to follow.

Extended Reading:
Enforcing Data Protection - PCPD 2018 - 2019 Annual Report (p.66-67)

Doing Business Online

Operating businesses and offering services online is especially popular when people prefer to avoid social contact for public health reasons. Conducting such transactions often involves the collection and transmission of personal data through the Internet. How do you make sure your organisation complies with the Personal Data (Privacy) Ordinance while doing business online?

Complaint Case Notes

Summaries of the outcome of selected complaint cases are provided in this section to let you learn more about the application of the Personal Data (Privacy) Ordinance in different situations.


For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7179



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.