The sex-photos scandal involving Edison Chen Koon-hei probably started it all.
In early 2008, the city was rocked by circulation on the internet of sexually explicit nude photographs of the singer-actor with female celebrities. The blatant betrayal of privacy marked a turning point in Hongkongers' awareness of privacy issues.
In the few years since there have been more high-profile breaches, including the for-profit sale of the personal data of Octopus card users. As a result, the privacy watchdog is feeling the strain of fielding an increasing number of complaints. There's been a big upsurge in the number of complaints about direct marketing and the unauthorised transfer of data," said Lavinia Chang Yu-ming, deputy privacy commissioner for personal data.
"People are getting direct marketing calls from god knows where, and from businesses that they've never heard of."
The Office of the Privacy Commissioner for Personal Data said it was under pressure to work with less, as extra funding allocated to it had not matched a greater workload.
The work is never ending. Just two weeks ago, AS Watson's supermarket chain ParknShop came under fire for collecting the partial identity card numbers of the members of its loyalty programme, and unclearly stating by whom, and for what purpose, the data it gathered would be used. The privacy watchdog slammed the practice in a report.
It received 1,507 complaints between April last year and March this year, compared with 834 in the same period in 2007-2008.
Belinda Pui, a spokeswoman for the office, said the challenge was particularly onerous despite a staffing increase to 70 - compared with 40 in 2007 - because of the pervasive use of the web and other communication technology. The office further attributed the growth in public awareness to high-profile celebrity photo scandals involving Chen, TVB actor Vincent Wong and others.
The Octopus card fiasco in 2010 did not help, either. The card issuer was found to have sold the data of almost two million card users to third parties for a profit of HK$44 million, drawing ire from people frustrated with direct marketers.
The pressure is set to grow as the government looks to enforce amendments to the privacy ordinance next year. The law will make companies responsible for telling data providers clearly what information they are gathering, how that information will be used and who can see it.
Recent investigations by the commission, including the ParknShop row, show businesses are still getting up to speed with changes. AS Watson said it had not passed on any customer data to any third party, or to any firm under its parent group Cheung Kong. The privacy body said it was discussing details of the enforcement with the company.
Starting next year, the maximum fines for violating the ordinance will rise from HK$50,000 to HK$1 million. While the penalties reflect how seriously the government is taking data privacy issues, they remain lower than those of Europe.
Under new regulations now before the European Parliament, a company could be fined 2 per cent of its global revenue for data privacy violations, said Mark Parsons, partner and privacy specialist at law firm Freshfields Bruckhaus Deringer.
In Hong Kong, people are still unaware of how to protect their personal data and what recourse they have to stop the junk calls, snail mails and e-mails.
"Every day, even every minute … I get a lot of calls from banks asking me to borrow money; credit card companies … sometimes asset management and insurance companies as well," said Chris Chan, an investment banker in his 30s.
Chan, a member of the Park N Shop loyalty scheme, admitted he was unlikely to read the small print on the application forms.
Parsons advises individuals to look carefully over the terms and conditions of membership programmes to make sure they are willing to share this information.
For those already on the receiving end of pesky marketers, he says, a person has the right to ask a company what information they have on him, and to remove him from their marketing list. If they do not stop direct mailing as soon as they receive such a request, or respond to an access request within 40 days, they will have broken the law.