City Weekend

Hong Kong’s data privacy pioneer lowers his guard

In 1996 he became the city’s first privacy commissioner, now Stephen Lau reflects on how data protection has changed over the years and the biggest challenges that lie ahead

PUBLISHED : Saturday, 05 November, 2016, 11:00am
UPDATED : Saturday, 05 November, 2016, 11:00am

In today’s fast-moving digital environment, it’s hard to imagine a time when data privacy wasn’t a hot topic issue.

Yet that was the case when Stephen Lau Ka-men stepped into his role as Hong Kong’s first Privacy Commissioner for Personal Data from 1996 to 2001, a period when the city was just being introduced to the importance of online privacy and the protection of personal information.

“It was a really new concept. The law was written in such a way to promote the awareness of personal data privacy,” said Lau, who is now 72 and serving as a senior adviser at PricewaterhouseCoopers Consulting and personal data and privacy adviser for the B4B Big Data for Business Challenge.

“It [was only] in the last few years that they amended the law and made the penalties harsher ... actually prosecuting individuals and organisations that have breached the law.”

With the advent of big data, social media, mobile and other technological advancements, the protection of personal data has become a crucial yet challenging task in Hong Kong. The Office of the Privacy Commissioner for Personal Data received a record number of complaints last year, with the majority related to the collection and use of personal data. A total of 1,971 complaints were filed, about 16 per cent more than in 2014, and 322 were about direct marketing.

In July last year, the watchdog urged the government to implement tighter controls over personal information that is publicly available. After surveying the 10 most commonly used public registers, they found that only the electoral register had legislative safeguards against data misuse and that all 10 were available online. Of 82 post-2001 laws related to public registers the office reviewed, only 32 define how such data can be used and the purposes of publication.

Speaking to the Post, Lau reflects on the biggest changes and trends surrounding data privacy and provides some useful tips on how to better protect our digital privacy.

What are some of the biggest changes and trends that have affected personal data privacy in the past decade?

Big data is one of the changes that only happened in the past few years. [Before] you would provide data because you want certain services. The company will then use the data to administer that service. Now, it goes beyond that. For the first time in technological advancement, we have certain attributes that led to a big data evolution.

Firstly, computers are getting faster. Secondly, storage is getting bigger and cheaper. Thirdly, software technology has advanced.

Take a bank, for example. You [provide] data to open an account, and they create a record on the computer of your information. It’s a very structured record. Every customer will have a record, and when necessary you can process it. With software technology, we can now process not just structured data, but also unstructured data like videos, articles or pictures. We can use algorithms to analyse both structured and unstructured data, combine them together, and find correlations and trends regarding a certain subject.

That’s what big data is all about. They can then try to enhance the quality of service to you and create more business at the same time. You can gather information on your customers and analyse it for trends. It’s nothing personal, not individual, therefore the data you use is de-identified. If you’re looking for specifics about a person [however], then you have to be a bit careful because you are using their personal information.

Can you recall any significant local events that marked the rise of personal data privacy?

In Hong Kong, the most critical event that really created attention had to do with Octopus. A few years ago, there was a loyalty programme for the Octopus card and the organisation actually sold the data of the companies to banks and insurance companies for gain [in 2011]. That was really detrimental to people’s confidence and actually infringed on the law. It was very severe, and the CEO had to resign.

We do actually have a very comprehensive law, and it has what’s known as the universal data protection principle. Even though the law has been around for 20 years, people were still slowly understanding what it means.

Why is personal data privacy so important? What are the main concerns?

The personal data privacy issue has to do with technology, and technology is moving very, very fast. Laws are always lagging behind technology and there are always enhancements and amendments required.

On a global basis, people are concerned about the government. The government collects more personal data than anybody else. If you want an identity card, a passport ... you will provide personal data. With so much data collected, people are concerned about the back rooms of the government, what they do with [the information].

Secondly, people are also worried about commercial organisations. If they collect data for a certain purpose, how can I be sure that they are not using it for any other purposes, for example direct marketing?

The law has certain exemptions [when it comes to personal data protection] including the detection and prevention of crime. For example, the authorities can go to your bank and ask to look at your records on suspicion of fraud, or money laundering. The bank, because of this exemption, will provide your data to the government after consideration. It’s a kind of balance. There are a number of exemptions such as crime, tax evasion and also surveillance or research. As long as the results do not identify any individual, you can also use data for research purposes that might be different from the original purpose of collection.

What do you think about the balance between the privacy of citizens and security in Hong Kong?

The government in Hong Kong, I think, is responsible. The law covers both the public as well as the private sector. The Privacy Commissioner for Personal Data can actually make a case against the government if it believes that it is not complying with the law. We have a law that helps us have checks and balances on the government.

The government in Hong Kong is a fair one, and they may use the data for other purposes [if] it has to do with an exemption like national security. In general, I think we are OK with that. It does not mean that there are no issues though. Complaints to the privacy commissioner have been going up and up. This is not necessarily because we have more cases, but because people are more aware of their rights. As technology changes, there are more cases in which personal data might not be used properly.

What about the rise of social media and the way we share information? How can we ensure that our privacy is protected?

Social media is a different kind of animal. There is a balance between you and social media. I would advise everybody who uses social media to think twice before you press the button and submit personal data of yours or other people. You need to think with the premise that once you submit the data to the internet, that data will be there forever, and could be accessible. Think about that question and if you still want to press the button, it’s up to you.

Social media is also now no longer just a media for interpersonal communication. It’s also a [platform] for criminals ... who might want to approach you. It is also being used legitimately, for example by human resources departments and executive search.

What advice do you have for the public to strengthen their personal data privacy?

Be careful about what you put on social media, especially young people. Also be aware of people coming into your smartphone. You should have some preventative measure. As far as your phone is concerned, locking your phone [with a passcode] is the minimum you should do to protect yourself. It would also be good to have some virus protection software to protect against invasion by others.

I also never open any files. You get lots of emails and messages ... opening files is how a virus can come in. I think that messaging encryption would definitely help. It’s causing a headache to the government officials who are going after terrorism, but that’s the other side. Nowadays, people always talk about how privacy is dead. At the end of the day, everybody is doing a balance or a trade. The important thing is that in this current technological world, you have a choice. When in doubt, ask.