The company behind a smartphone application that allows public access to a database of more than two million records of litigation and bankruptcy cases has received a warning after it was found to have "seriously invaded" personal data privacy.
The Privacy Commissioner for Personal Data (PCPD) found mobile app Do No Evil had supplied sensitive personal data - including names of litigants, partial identity card numbers, addresses, claims amounts and company directors' data - to users without voluntary consent.
More than 200,000 requests for data access had been made since the app went online last year, the privacy watchdog said.
The app, with 40,000 users, sources information from Glorious Destiny Investments (GDI), which collates information from the millions of pieces of information about litigation, bankruptcy and company directorships from sources such as the Judiciary, the Official Receiver's Office, and the Companies Registry Gazette. The PCPD said this act was a threat to personal privacy.
Privacy commissioner Allan Chiang Yam-wang said the case highlighted a common misconception that personal data collected from the public domain was open to unrestricted use.
"I must make clear that personal data obtained from the public domain is still subject to regulation of the [Personal Data (Privacy)] Ordinance, otherwise consequences will be dire," he said. Data Protection Principle 3 of the Ordinance restricts use of personal data for anything other than the original purpose unless voluntary consent of the subject of the data is obtained.
The app has been pulled from Apple's app store and a separate request has been sent to Google, following an enforcement notice to the company on July 31.
The app enables users to search an individual's litigation and bankruptcy data simply by inputting a name as a search criterion, which the PCPD said posed further risk of breaching personal data privacy. "The risk is that users would not know how the app developer handles private data access," said deputy commissioner Lavinia Chang Yu-ming. "Without the user even knowing, the app could be giving away a lot of sensitive data."
Chiang said that without oversight and regulation, GDI could not ensure security of the data collected ... And they could store this data in their system indefinitely. "It is obvious that GDI's activities are purely for commercial purposes and not in the public interest," he said.
Sino Dynamics Solutions, which developed Do No Evil, said it was "strange" how the app was the only one targeted by the PCPD. "Hong Kong is a free society. We are only providing information readily accessible to the public and we are accurate," spokesman Alex Kong said. He said plans to develop apps to facilitate company and land searches would now be scrapped.
GDI said it was disappointed in the commissioner's decision, but stopped supplying Sino Dynamics on August 7. It still runs D-Law, its own online data search service.
Lawmaker James To Kun-sun said as long as an app developer can prove its users are conducting searches for legitimate reasons, such an app should be legal. He advised developers to insert preconditions of use into the app.