• Sat
  • Dec 27, 2014
  • Updated: 12:44pm
NewsHong Kong

Watchdog pulls plug on Do No Evil app over 'serious invasion' of privacy

After complaints, personal data commissioner warns developer that its Do No Evil app poses a 'serious invasion' of personal privacy

PUBLISHED : Tuesday, 13 August, 2013, 5:40pm
UPDATED : Wednesday, 14 August, 2013, 11:15pm

The company behind a smartphone application that allows public access to a database of more than two million records of litigation and bankruptcy cases has received a warning after it was found to have "seriously invaded" personal data privacy.

The Privacy Commissioner for Personal Data (PCPD) found mobile app Do No Evil had supplied sensitive personal data - including names of litigants, partial identity card numbers, addresses, claims amounts and company directors' data - to users without voluntary consent.

More than 200,000 requests for data access had been made since the app went online last year, the privacy watchdog said.

The app, with 40,000 users, sources information from Glorious Destiny Investments (GDI), which collates information from the millions of pieces of information about litigation, bankruptcy and company directorships from sources such as the Judiciary, the Official Receiver's Office, and the Companies Registry Gazette. The PCPD said this act was a threat to personal privacy.

Privacy commissioner Allan Chiang Yam-wang said the case highlighted a common misconception that personal data collected from the public domain was open to unrestricted use.

"I must make clear that personal data obtained from the public domain is still subject to regulation of the [Personal Data (Privacy)] Ordinance, otherwise consequences will be dire," he said. Data Protection Principle 3 of the Ordinance restricts use of personal data for anything other than the original purpose unless voluntary consent of the subject of the data is obtained.

The app has been pulled from Apple's app store and a separate request has been sent to Google, following an enforcement notice to the company on July 31.

The PCPD said it had received 12 complaints and more than 60 inquiries regarding the app's intrusion of personal data privacy.

The app enables users to search an individual's litigation and bankruptcy data simply by inputting a name as a search criterion, which the PCPD said posed further risk of breaching personal data privacy. "The risk is that users would not know how the app developer handles private data access," said deputy commissioner Lavinia Chang Yu-ming. "Without the user even knowing, the app could be giving away a lot of sensitive data."

Chiang said that without oversight and regulation, GDI could not ensure security of the data collected ... And they could store this data in their system indefinitely. "It is obvious that GDI's activities are purely for commercial purposes and not in the public interest," he said.

Sino Dynamics Solutions, which developed Do No Evil, said it was "strange" how the app was the only one targeted by the PCPD. "Hong Kong is a free society. We are only providing information readily accessible to the public and we are accurate," spokesman Alex Kong said. He said plans to develop apps to facilitate company and land searches would now be scrapped.

GDI said it was disappointed in the commissioner's decision, but stopped supplying Sino Dynamics on August 7. It still runs D-Law, its own online data search service.

Lawmaker James To Kun-sun said as long as an app developer can prove its users are conducting searches for legitimate reasons, such an app should be legal. He advised developers to insert preconditions of use into the app.



For unlimited access to:

SCMP.com SCMP Tablet Edition SCMP Mobile Edition 10-year news archive



This article is now closed to comments

The Privacy Commissioner has overstepped the mark here (again - he also did so re David Webb's data base). These data are publicly available so how can this be a serious invasion of privacy? All the app is doing is making it easier for people to search the public data bases. The purpose of use of the data is not specified but if the data are publicly available then it must be the data subject's legitimate expectation that his data will be - publicly available.
The other comments made are quibbles which either don't stand up under the Personal Data (Privacy) Ordinance or can be addressed very easily by the relevant data user.
Totally agree: the Privacy Commissioner and his cronies have again misinterpreted the letter and spirit of the PDPO.
The laws are always playing catch up. It seems the real issue is that the PDPO is outdated and failed to foresee that individual public records would be used for novel, unexpected, and potentially abusive purposes if it were convenient to do so. The ease of access to information today presents new challenges to individual privacy that would have been unheard of thirty years ago. To be fair, convenient access to individual public records is not necessarily the issue, but rather the potential for abuse leading to a violation of privacy. The provision of individual public records should be solely undertaken by the government instead of private/commercial parties to ensure stringent control on the data.
To these ends, it would seem appropriate to review the PDPO and related ordinances with respect to: a) a prohibition on the reproduction and dissemination of individual public records; b) an introduction of a time limit on the intention of individual public records; c) a review on the fee schedule for access to individual public records to ensure the fee to access is sufficiently high to deter/prevent abuse of information; d) an introduction of controls to the access of information based on the sensitivity of the information requested, the purpose for the information request, and the identity of the requesting party.


SCMP.com Account