How scandal put the spotlight on privacy

PUBLISHED : Tuesday, 19 October, 2010, 12:00am
UPDATED : Tuesday, 19 October, 2010, 12:00am

For 13 years Octopus enjoyed a reputation of being the world's smartest smart-card system.

Having started off as a public transport stored-value card, it quickly expanded into a debit card, a credit card and an access card with aspirations of becoming an all-in-one social security card for mainland residents. However, in the middle of all this growth, its tentacles became entangled in the controversial issue of privacy protection.

Over the past 20 years, the sharing of personal data between companies, including banks and credit card issuers, has become more prevalent, as anyone with a mobile phone will testify, having received 'cold calls' from telemarketing sales staff peddling products from bank loans to insurance policies. But when Octopus Cards was caught in the spotlight for selling cardholders' data to its partners, the issue erupted into a full-blown scandal.

While many blamed the company for mishandling the situation, others said the public's unrealistically high expectation of the private consortium, jointly owned by the city's five major transport operators, was the key to the problem. One thing is certain: public awareness about privacy has been raised.

As the world's most used smart card, there are more than 11 million Octopus transactions every day. The company's management saw opportunities in possessing such a huge amount of data about Hongkongers' travel and spending patterns.

In 2002, Eric Tai Yung-muk, chief executive of Octopus Cards at the time, said the company needed to explore new business opportunities to maintain sustainable growth. The card now enables small cashless payments to be made in more than 3,000 outlets including groceries, fast-food chains and vending machines; you can book leisure facilities and get access to residential and commercial buildings.

The technology was so successfully deployed that Octopus Cards won contracts in Dubai, Auckland and the Netherlands for use in public transit operations.

In 2006, the card tapped into the mainland market when launched in four retail outlets in Shenzhen. Earlier this year, the company formed a joint venture with Digital China Software, a Beijing-based spin-off of personal computer giant Lenovo Group. They plan to bid to provide the so-called citizen cards, in 10 mainland cities, that manage everything from official identification to pension payments, worker injury compensation and childbirth insurance.

The company's interest goes beyond the card itself to what it holds within - information. As the Hong Kong Monetary Authority disclosed, Octopus Cards applied in 2003 to expand its business into insurance selling, but the application was turned down. It did not give up. In the same year, the company hired a consultancy firm to explore possible uses of its database. Despite the consultants warning that overuse of customer information may affect the company's reputation, Octopus Cards eventually entered into contracts with six companies, passing on cardholders' personal data including names, phone numbers and dates of birth to them for a return of some HK$44 million in five years.

When this became public knowledge, it led to a credibility crisis. Prudence Chan Bik-wah, the company's chief executive who denied selling the data when the scandal first erupted, was forced to step down. MTR, the company's de facto largest shareholder, apologised for lax supervision and promised to bring the company back to its core business.

Some people blamed the scandal on the company's ambitious expansion. Wong Kwok-hing, a lawmaker who first investigated the issue, described Octopus Cards as a kid who fell on the wrong side of the track.

But financial analyst So Wai-man said there was nothing wrong about diversification. 'Octopus Cards is a private corporation, and private businesses always look for chances to expand. Even though they sold private data, they didn't do it illegally. The problem actually lies with a mismatch in expectations; the public expected the Octopus Cards to behave like a public utility, but it really is a profit-making private company.'

The chairman of the Hong Kong Direct Marketing Association, Eugene Raitt, said data sharing between companies was extremely common and benefited companies and consumers. He said consumers should be told about their rights, and ways to exercise them, so they do not see data sharing as an unethical conspiracy.

Long tentacles

20m cards issued since 1997

95% of the population aged 16 to 65 use them

11m transactions a day

HK$100m worth of daily transactions

50,000 card readers installed by retail outlets