LCQ16: Protection of personal data collected by social media platforms
It has been reported that a data analytics and political consulting firm in the United Kingdom (UK) was recently found to have allegedly harvested, through a psychological quiz mobile phone application (App), the Facebook account data of the users of the App as well as such data of their friends, and used the data to help the firm's clients to influence the outcome of the 2016 Presidential Election of the United States and the UK Brexit referendum. The number of Facebook users affected is as high as 50 million. The incident has aroused concerns about whether the privacy of users of social media platforms (such as Facebook, WhatsApp and Instagram) is adequately protected and whether the data in their accounts will be misused. In this connection, will the Government inform this Council:
(1) whether it knows the number of complaints received by the Office of the Privacy Commissioner for Personal Data (PCPD) in each of the past five years about the personal data in social media accounts having been misused; among such complaints, of (i) the first three types with the highest number of complaints by complaint nature, and their respective numbers, as well as (ii) the number of those complaints relating to electoral activities;
(2) whether it knows if PCPD has gained an understanding from Facebook's office in Hong Kong on whether the company has, in the light of the aforesaid incident, stepped up the protection for Hong Kong users' personal data in their Facebook accounts, including strengthening its examination on those Apps which are connected to Facebook, so as to ascertain if such Apps have intruded on users' privacy; if PCPD has, of the details; if not, the reasons for that;
(3) whether it will consider enacting dedicated legislation to regulate the collection of and protection for users' account data by social media platforms so as to protect users' privacy and prevent misuse (including sale) of such data; if so, of the legislative timetable; if not, the reasons for that;
(4) whether it has plans to raise the awareness of members of the public of protecting their own privacy when using social media; if so, of the details; if not, the reasons for that; and
(5) as PCPD has in recent years received quite a number of complaints about the use of personal data in electoral activities without the data subjects' consent, and it has become increasingly common for candidates of elections to use social media platforms for conducting their electioneering campaigns, whether the authorities will step up the regulation of activities of using social media platforms to influence election outcome (e.g. posting advertisements); if so, of the details; if not, the reasons for that?
Having consulted the Office of the Privacy Commissioner for Personal Data (PCPD), our consolidated reply to the question raised by the Hon Kenneth Lau is as follows:
(1) The numbers of complaints received by the PCPD that were related to personal data in social media accounts being misused in the past five years are as follows:
|Total number of cases*||The first three types of complaints with the highest number of complaints and their respective numbers|
|Collection of personal data||Use of personal data||Security of personal data|
*As a case may involve more than one allegation, the total number of different allegations may be more than the total number of cases. Of the aforementioned complaint cases, a total of two cases involved election-related activities.
(2) Having learnt of the suspected misuse of personal data of Facebook users, the PCPD immediately commenced compliance check on Facebook Hong Kong in respect of the incident to gain a thorough understanding of the case, such as whether Hong Kong users were affected, and whether Facebook has disclosed data of Hong Kong users to other third-party application developers. Meanwhile, the PCPD liaised with privacy protection authorities of various countries and regions (including the United States) to learn about the latest information relating to the incident in different parts of the world. Furthermore, the PCPD learnt that Facebook publicly expressed in recent United States congressional hearings that a series of remedial and improvement measures would be taken to enhance the protection of users' privacy. The PCPD will closely monitor the remedial and improvement measures of Facebook and their effectiveness.
(3) and (4) The Personal Data (Privacy) Ordinance (Ordinance) is a piece of principle-based and "technology neutral" legislation. While the development of information technology (IT) or online social media is evolving, as long as the relevant technology or media involves the collection of personal data, the requirements of the Ordinance as well as the relevant Data Protection Principles will have to be complied with. The PCPD will continue to keep in view personal data privacy issues arising from the development of IT and social media, and will conduct enforcement actions, compliance checks and education, etc. in accordance with the Ordinance.
To enhance public awareness on protecting personal data privacy when using social media, the PCPD published the information leaflet "Protecting Online Privacy - Be Smart on Social Networks" to explain to the public the privacy risks involved in the use of social media platforms. The PCPD has also through its own website as well as a specifically established thematic website "Be SMART Online", and through the broadcast of a publicity video titled "Think Privacy! Be Smart Online: Privacy check-up at social media", publicised information related to the protection of personal data privacy. The PCPD will continue to remind the public to protect their personal data and of the proper use of social media through education and promotional activities, as well as by providing timely responses to latest privacy issues and matters of concern through the mass media.
(5) Candidates' election campaign on social media is already subject to the regulation of the relevant electoral legislation. If a candidate places advertisements on social media, and such advertisements are for the purpose of promoting or prejudicing the election of a candidate or candidates at the election, the advertisements may become election advertisements (Note 1), and the expenses incurred may become election expenses (Note 2).
In accordance with the Electoral Affairs Commission regulations on electoral procedures, a candidate needs to make available a copy of each of his/her election advertisements, and the relevant information/documents including publication information, permission or consent in relation to the election advertisements for public inspection by posting it onto the Central Platform or Candidate's Platform, or by providing its hard copy to the Returning Officer.
In accordance with section 37 of the Elections (Corrupt and Illegal Conduct) Ordinance (ECICO), a candidate needs to lodge an election return setting out his/her election expenses. The aggregate amount of such election expenses shall not exceed the maximum amount of election expenses prescribed by law.
Besides, a candidate may have engaged in illegal conduct under section 26 of the ECICO if he/she publishes a materially false or misleading statement of fact about the candidate or candidates with whom the candidate is associated, or about another candidate or other candidates, for the purpose of promoting the election of the candidate or candidates with whom the candidate is associated; or prejudicing the election of the other candidate or candidates.
Note 1: In accordance with section 2 of the ECICO, “election advertisement”, in relation to an election, means -
(a) a publicly exhibited notice; or
(b) a notice delivered by hand or electronic transmission; or
(c) a public announcement made by radio or television or by video or cinematographic film; or
(d) any other form of publication, published for the purpose of promoting or prejudicing the election of a candidate or candidates at the election.
Note 2: In accordance with section 2 of the ECICO, "election expenses", in relation to a candidate or group of candidates at an election, means expenses incurred or to be incurred, before, during or after the election period, by or on behalf of the candidate or group for the purpose of -
(a) promoting the election of the candidate or group; or
(b) prejudicing the election of another candidate or group, and includes the value of election donations consisting of goods and services used for that purpose.
Ends/Wednesday, April 25, 2018
Issued at HKT 14:30
Issued at HKT 14:30