When private is not private: the data dangers to beware of online
Web users have been urged to be vigilant about their personal data as the privacy commissioner warns prosecutions for misuse are rarely successful
Hongkongers have been urged to be extra vigilant when it comes to protecting their personal data after it was revealed that less than five per cent of cases concerning data privacy forwarded to police by the privacy commissioner last year led to prosecution.
In 2016, 112 cases were passed on to police for criminal investigation by the Office of the Privacy Commissioner for Personal Data. Of these, 109 concerned the use of personal data in direct marketing. But only three cases (4.5 per cent) resulted in convictions. The watchdog received 16,180 inquiries last year, a 12 per cent drop from 2015.
Privacy Commissioner Stephen Wong Kai-yi has subsequently urged Hongkongers to step up their efforts to self-regulate.
He said young people particularly were often too relaxed about giving out their personal details, particularly in relation to social media apps.
“We should read the privacy terms carefully and review privacy settings from time to time,” he said. “It is also crucial for us to respect others’ privacy by asking the relevant persons before uploading or sharing their personal information.”
Last summer, the privacy watchdog announced it was undergoing an 18-month review of its data privacy laws, with a view to updating them according to technological developments and bringing them in line with European regulations.
It has urged the government to implement tighter controls on personal information that is publicly available. It also has the power to intervene if it believes the government, as Hong Kong’s biggest collector of data, has been misusing the information or has been negligent with it.
The city’s main privacy law, which relates to personal data such as an individual’s Hong Kong identification card or fingerprints, is the Personal Data (Privacy) Ordinance. It came into force on December 20, 1996 and consists of six basic principles:
● Personal data must be collected for a lawful purpose.
● Data users must ensure the data held is accurate and up to date.
● Unless personal data is used with the prescribed consent of the data subject, the data must not be used for any purpose other than the one mentioned at the time the data was collected.
● Data users must take appropriate security measures to protect personal data.
● Data users must publicly disclose the kind (not the content) of personal data held by them and their policies and practices on how they handle personal data.
But these rules only apply to Hong Kong, so the watchdog does not have the power to initiate checks on personal data use outside the city. So in the instance of an epidemic of telephone scams involving mainland con artists in 2015, the commissioner was unable to obtain extra information about the alleged culprits from the mainland authorities.
Anyone who breaches data protection principles may receive an enforcement notice from the privacy commissioner’s office. If this is ignored, the accused may be liable for a fine or could even face prison. If the victim can provide evidence that they have suffered damage, including injury to feelings, as a result of the violation, then they may pursue civil action against the wrongdoer in order to obtain compensation. Those who breach data protection laws and subsequently ignore enforcement notices face fines of HK$50,000 and imprisonment for two years. This fine increases to HK$100,000 if there is continual failure to acknowledge the instructions in an enforcement notice.
Article 14 of the Hong Kong Bill of Rights also stipulates that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on honour or reputation”.
There are exemptions however; for instance, if the authorities suspect you to be guilty of fraud or money laundering, then they can legitimately ask your bank for access to your records as part of their investigation. The government also has the power to access certain information about you in cases where national security is at risk.
Simon Deane, partner at law firm Deacons, said he thought Hong Kong’s privacy laws were generally speaking acceptable, but he did not always agree with the way the commissioner was applying the laws.
He said, for example, that sometimes the privacy commissioner appeared to be relying upon legal concepts based on European or possibly Australian law to emphasise an individual’s right to privacy (such as an individual’s “reasonable expectation of privacy”), particularly in relation to personal data that is lawfully in the public domain, even though these laws do not apply in Hong Kong.
“It is not so much the law, it is the agencies that are perhaps overstepping the mark,” he said.
“My feeling is, if information is lawfully publicly available, such as when it appears on a government register or in judicial publications, then that means it is public and no one should expect it not to be available to everybody.”
In 2016, the following issues raised major privacy concerns:
● Pokémon Go; the app requires the user to activate their location and camera.
● The collection and integration of users’ personal data by three mobile apps with “call-blocking” functions.
● CCTV in businesses, homes and on transport, particularly taxis; there was a trial scheme to install CCTV cameras in taxis carried out by the Association of Taxi Industry Development. There was also outrage after a taxi driver uploaded a photo of a breastfeeding mum. He was subsequently arrested and cautioned for accessing computers with criminal or dishonest intent, and he removed the photo. The privacy commissioner said the case could not be investigated further because the woman’s identity could not be established and nobody had lodged an official complaint.
Meanwhile, more than half of Hong Kong’s population – about 4.4 million people – are Facebook users. When you sign up for a Facebook account, you agree to share your information with the company, and it shares this information with third parties.