Recommendations from the PCPD’s Investigation into the TE Credit Reference System and Review of Hong Kong Online Shopping Platforms



Jun 06, 2023

The Office of the Privacy Commissioner for Personal Data (“PCPD”) published two reports on 1 June 2023, namely (1) an investigation report entitled “Unauthorised Access to Credit Data in the TE Credit Reference System” and (2) a report entitled “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms”. 

The first report was published by the Privacy Commissioner for Personal Data (“Commissioner”) under section 48(2) of the Personal Data (Privacy) Ordinance (Cap. 486) (“Ordinance”) following an investigation into a complaint. The second report was the result of the PCPD’s review of the privacy settings of 10 online shopping platforms commonly used in Hong Kong given the growing importance of online shopping for consumers.  

This article summarises the recommendations from the two reports and considers their implications for data users and subjects. 

Investigation Report on the “Unauthorised Access to Credit Data in the TE Credit Reference System”

This report stems from a complaint made by a member of the public to the PCPD claiming that his credit data in the TE Credit Reference System was accessed several times by various money lending companies although he had never applied for any loan from them. The complainant was worried that the TE Credit Reference System lacked sufficient security measures to protect his personal data so that money lending companies were able to access his credit data without his consent. The TE Credit Reference System is operated by Softmedia Technology Company Limited (“Softmedia”). As of December 2022, it contained credit data of about 180,000 data subjects and was used by over 500 money lending companies.

Data protection principle 4(1) of the Ordinance provides that all practicable steps shall be taken to ensure that any personal data (including data in a form through which access to or processing of the data is not practicable) held by a data user is protected against unauthorised or accidental access, processing, erasure, loss, or use. Data protection principle 2(2) provides that all practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used. As a result of its investigation, the Commissioner found that Softmedia contravened data protection principle 4(1) and data protection principle 2(2).

In particular, the Commissioner identified deficiencies in Softmedia’s personal data security measures, namely (i) failing to take practicable steps to protect and monitor personal credit data from unauthorised access, processing or use; (ii) failing to implement a robust password policy or set expiration dates for passwords; and (iii) prolonged retention of credit records of borrowers who had made full repayments more than 5 years ago, which unnecessarily exposes the borrower’s personal data to risks of data breach. 

As Softmedia was found to have contravened data protection principles, the Commissioner served an enforcement notice on Softmedia and directed it to take remedial actions and prevent the recurrence of contraventions. 

The Commissioner further notes in the report that given the importance of credit data, the fact that the operation and management of the TE Credit Reference System is neither regulated by any industry code nor the relevant laws of the financial sector is far from satisfactory. The Commissioner recommends that laws, regulations, guidelines, industry codes or licensing systems should be enacted or published to regulate and supervise such credit reference databases. 

The report also contains other recommendations directed at operators of credit reference databases, including (i) adoption of a “Personal Data Privacy Management Programme” through which personal data privacy protection can be incorporated into the organisation’s data governance responsibilities; (ii) appointment of a data protection officer tasked with overseeing compliance with the requirements under the Ordinance and implementing the Personal Data Privacy Management Programme; (iii) appointment of an independent compliance auditor to regularly conduct compliance audits on the mechanism and means of providing credit reference services; and (iv) adoption of heavier penalties for contravention to deter future violations by money lending companies.

Whilst a breach of a data protection principle per se does not constitute an offence under the Ordinance, the Commissioner has extensive powers of inspection and investigation under the Ordinance and, as in this case, may serve an enforcement notice where a person is found to be in breach of a data protection principle. Failure to comply with an enforcement notice constitutes an offence, and the data user will be liable upon conviction to a fine of HK$50,000 and imprisonment for 2 years. 

Report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms” 

The PCPD evaluated the privacy settings of 10 popular online shopping platforms in Hong Kong, namely, Baby Kingdom – BKmall (“BKmall”), Carousell, eBay, Fortress, HKTVmall, JD.COM, PlayStation App (“PlayStation”), Price.com.hk, Samsung and Taobao, and released the report as well as a leaflet on “Tips for Users of Online Shopping Platforms” on 1 June 2023.

In the report, the PCPD observes that:

  • All 10 online shopping platforms have formulated privacy policies and state in their privacy policies that they transfer users’ personal data to third parties, e.g. business partners, affiliates or related companies, advertising and promotion partners, and external service providers;
  • All 10 online shopping platforms track users’ activities, including location information, browsing history, transaction history and device information;
  • All platforms except BKmall, Price.com.hk and Taobao have set a minimum registration age of 18. However, only PlayStation and Samsung collect users’ dates of birth to verify that they meet the age requirement, while eBay and HKTVmall only require users to confirm during registration that they have reached the age of 18;
  • BKmall, Carousell, Fortress and Samsung allow users to indicate during the registration process whether they accept advertising or promotional messages. eBay, HKTVmall, PlayStation and Price.com.hk provide similar options, but the default setting is “agreed”. Taobao allows users to activate or deactivate “Personalised Recommendations” in the “Account Settings” section after registration. JD.COM, however, neither provides such an option during registration nor displays any message seeking the relevant consent from users; and
  • All 10 online shopping platforms allow users to delete their user accounts. Carousell, eBay, JD.COM and Price.com.hk provide users with clearer means of account deletion.

The report also contains the following recommendations to operators of online shopping platforms:

  1. Appoint a data protection officer to monitor compliance with the PDPO and devise a “Personal Data Privacy Management Programme”;
  2. Allow users to shop as guests and only collect necessary personal data to process transactions;
  3. Provide users with an option regarding the use of their personal data in direct marketing; 
  4. Provide users with secure payment methods e.g. trusted third-party payment platforms;
  5. Provide a clear, comprehensive and easy-to-understand privacy policy to increase readability;
  6. Ensure the reliability of third-party service providers regarding privacy protection and information security;
  7. Increase transparency in tracking users’ activities by informing users how their activities are tracked and the purposes of tracking;
  8. Adopt “Privacy by Design” and “Privacy by Default” when designing online shopping platforms, including setting all privacy-related options to protect user privacy by default;
  9. Provide more privacy setting control options, including a login method that does not require registration, preferences for receiving messages, user tracking options, deletion of transaction records and search records, etc.; and
  10. Provide an easy means for users to delete accounts.

The Commissioner urges users to be cautious while using online shopping platforms and, in the leaflet, offers various tips on how to protect their privacy. To protect their personal data privacy, users should (i) provide only the minimum amount of personal data required; (ii) ensure the direct marketing settings are based on their personal needs; (iii) use reliable third-party payment platforms; (iv) read the platform’s privacy policy; (v) adjust privacy settings to turn off unnecessary tracking functions; and (vi) delete any unused accounts to avoid the risks of identity theft and data leakage. For a safe online shopping experience, users are advised to (i) verify the authenticity of the platform; (ii) use strong passwords and avoid using public Wi-Fi for transactions; (iii) “stop and think” before clicking; and (iv) immediately report to the Police or contact the PCPD if there is any suspicion of fraud.

Notably, the PCPD took the initiative to review the privacy policies and settings of a number of e-commerce retailers and published its findings. This serves to remind companies and data users to be vigilant about their personal data management and to ensure that they have an appropriate privacy policy in place that aligns with the data protection principles under the Ordinance, so as to avoid being named and shamed. Failure to do so could attract negative publicity and possibly result in complaints and investigations. 

Conclusion

The investigation report reminds us that it is important for data users to take all practicable steps to protect personal data against unauthorised access, and to keep personal data for no longer than is necessary for the purpose for which it is or is to be used. The report on the privacy settings of online shopping platforms reminds data users to be vigilant about their personal data management and to ensure that they have an appropriate privacy policy in place that aligns with the data protection principles under the Ordinance. 

It is advisable for data users to review their personal data management practices, consider the PCPD’s recommendations, and review their privacy policies to ensure that adequate procedures are in place to safeguard the personal data they collect. Users of websites and online shopping platforms would benefit from taking on board the PCPD’s timely and useful tips to better protect their personal data and to avoid identity theft and data leakage. 

Pan Tsang and Juno Guo


For specific advice on data privacy and related matters in Hong Kong, please contact:-
Pan Tsang | pan_tsang@robertsonshk.com | +852 2861 8487
