Michael Hui King-man from the Consumer Council warns against data privacy breaches. Photo: David Wong

Watchdog slams e-payment service providers over user data storage and privacy issues

Some e-wallet companies found to be keeping personal information of customers for up to seven years; one stores data permanently

Josh Ye

Published: 11:00pm, 17 Oct 2016

Why you can trust SCMP

Some e-wallet service providers risk breaching Hong Kong’s privacy laws, with one storing personal data permanently, the Consumer Council revealed yesterday.

The latest report of the consumer watchdog showed that the personal data of Alipay customers was stored permanently, while Bank of Communications, O!ePay and TNG Wallet would retain such information for six to seven years.

An Alipay spokeswoman, however, said only a small portion of users’ records was kept permanently in case there was a need to track down money-laundering suspects. The seven-year retention period for most of its users’ data was also in accordance with requirements in Hong Kong.

First five companies licensed to offer stored value facilities in Hong Kong

TNG Wallet said it also kept customer records for six years to meet the same standard established by the Hong Kong Monetary Authority.

Other payment service providers, such as Apple Pay and WeChat Pay, have not provided detailed information on how long data their customer data is retained.

Alipay, which launched its Hong Kong dollar services last week, is the largest online payment platform on the mainland and a unit of Ant Financial Services Group, an affiliate of Chinese e-commerce giant Alibaba Group Holding. New York-listed Alibaba owns the South China Morning Post.

Council member Michael Hui King-man said the Personal Data (Privacy) Ordinance states that “personal data should not be kept longer than is necessary”. Hui also added companies should not retain data of users whose accounts had been deactivated.

He warned that consumer rights could be severely jeopardised if the information were passed on to unauthorised entities.

According to the Privacy Commissioner for Personal Data, there are two ordinances in place which require service providers to erase the personal data of users when it is no longer needed, but there is no stipulated period of retention.

Octopus e-wallet lagging rival technology, Hong Kong Apple users say

The statutory body said it has “initiated a compliance check into the permanent retention of customers’ data”, with regards to Alipay’s case.

Alex Kong, the chief executive of TNG Wallet, said only its premium services require users to provide personal data, such as transactions exceeding HK$25,000 annually.

“For our most basic services where the transaction amount is capped at HK$25,000 per year, users are not even required to provide any personal information besides their phone numbers,” he said.

“As a result, many of these transaction records do not contain any personal information.”

The council further warned that mobile payment services involving Quick Response (QR) code and near field communication (NFC) technology both have safety risks.

“Users who scan a phishing QR code can be led to malicious websites or download viruses which can result in personal data being stolen," Hui said.

As for NFC, Hui said personal data or transaction details could also be stolen if the user’s device was connected to a fake NFC reader.

Post