LCQ18: Protection of online privacy
(1) whether it knows if the Office of the Privacy Commissioner for Personal Data (PCPD) has, upon review of the new terms, found the new terms to be in breach of the Personal Data (Privacy) Ordinance (Cap. 486) and related codes of practice/guidelines;
(2) given that the PCPD has written to FB and put forward some recommendations (including providing users who do not agree to the new terms with viable options that enable them to continue to use its service), whether it knows if the PCPD has received a reply; if the PCPD has, of the details;
(3) whether it has studied if the App's users in the UK and the EU not being affected by the new terms is attributable to the better protection provided by the privacy protection legislation in those places; if it has studied and the outcome is in the affirmative, whether it will, by making reference to such legislation, amend Cap. 486, in order to enhance the privacy protection for members of the public; if it will not, of the reasons for that and the alternatives available; and
(4) whether it knows if the PCPD has examined whether the messaging applications, social platforms and online media websites commonly used in Hong Kong have collected users' personal data excessively; if the PCPD has, of the details; if not, the reasons for that?
In response to the question raised by the Hon Elizabeth Quat, having consulted the Office of the Privacy Commissioner for Personal Data (PCPD), the response is as follows:
(1) and (2) Given the wide usage of the messaging application mentioned in the question by the general public in Hong Kong, and the keen concerns about the privacy issues arising from the new terms on the sharing of personal data concerned, the PCPD has earlier sent a letter to that messaging application's United States headquarters, and maintained proactive communications with their representatives, while providing the following four suggestions:
- clearly explain to users the arrangements for the sharing of personal data under the new terms, and the personal data involved and the use of other data;
- delay the deadline of consideration by users, giving ample time for users to consider;
- since not all users using the messaging application have at the same time opened the social network accounts under question, it is therefore worthy to consider not to apply the new terms to those users; and
The PCPD has earlier received the preliminary reply from the company; following on this, the PCPD will find out further details from the company, and request the company to provide more details to the public to alleviate public concerns. The PCPD will continue to pay close attention to the developments, so as to further assess whether the company has contravened the relevant requirements under the Personal Data (Privacy) Ordinance (PDPO).
(3) The PCPD is currently communicating with the representative from the company in a proactive manner. At this stage, the PCPD still does not have sufficient information to comment whether the United Kingdom and the European Union users are affected by the new terms, and whether this is relevant to those areas' respective privacy laws. That said, in light of the rapid development of the global privacy landscape (such as the implementation of the General Data Protection Regulation of the European Union), the PCPD will consider issuing guidelines on the personal data privacy problems of which the public should be aware when using social networks.
(4) Currently, the PCPD disseminates information from time to time, to explain to the public the privacy problems of which to be aware when using social networks, for example, the "Protecting Online Privacy - Be Smart on Social Networks" information leaflet (www.pcpd.org.hk//english/resources_centre/publications/files/SN2015_e.pdf). Moreover, upon receiving complaints and enquiries, the PCPD will review the collection, holding, processing, use or disclosure of personal data by relevant data users on online social networks, messaging applications, Internet media, etc., to ensure data users comply with the requirements of the PDPO and the Data Protection Principles. In future, the PCPD will strengthen the proactive patrolling work in this aspect, so as to further protect the privacy rights of the general public.
Ends/Wednesday, January 27, 2021
Issued at HKT 15:55
Issued at HKT 15:55