LCQ18: Protection of online privacy

     Following is a question by the Hon Elizabeth Quat and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Erick Tsang Kwok-wai, in the Legislative Council today (January 27):
 
Question:
 
     WhatsApp is a mobile application (the App) widely used by Hong Kong people for instant messaging. The App has recently issued a notice to its users requesting them to indicate whether they agree to the updated terms of service and privacy policy of the App (new terms), which include the following provision: the user agrees to share his/her user information with Facebook (FB), which is the owner of the App, and FB's subsidiaries. In the event that the user has not indicated his/her consent by the deadline, he/she will not be able to continue using the App. A large number of users of the App have criticised that the new terms undermine the protection for their privacy, and that the App's de facto forcing its users to accept the new terms is an abuse of its market power. Although the person-in-charge of the App has subsequently indicated that the new terms will only apply to business accounts and deferred the relevant deadline, the concerns of users are still not assuaged. On the other hand, the App's users in the United Kingdom (UK) and the European Union (EU) are not affected by the new terms for the time being. In this connection, will the Government inform this Council:
 
(1) whether it knows if the Office of the Privacy Commissioner for Personal Data (PCPD) has, upon review of the new terms, found the new terms to be in breach of the Personal Data (Privacy) Ordinance (Cap. 486) and related codes of practice/guidelines;
 
(2) given that the PCPD has written to FB and put forward some recommendations (including providing users who do not agree to the new terms with viable options that enable them to continue to use its service), whether it knows if the PCPD has received a reply; if the PCPD has, of the details;
 
(3) whether it has studied if the App's users in the UK and the EU not being affected by the new terms is attributable to the better protection provided by the privacy protection legislation in those places; if it has studied and the outcome is in the affirmative, whether it will, by making reference to such legislation, amend Cap. 486, in order to enhance the privacy protection for members of the public; if it will not, of the reasons for that and the alternatives available; and
 
(4) whether it knows if the PCPD has examined whether the messaging applications, social platforms and online media websites commonly used in Hong Kong have collected users' personal data excessively; if the PCPD has, of the details; if not, the reasons for that?
 
Reply:
 
President,
 
     In response to the question raised by the Hon Elizabeth Quat, having consulted the Office of the Privacy Commissioner for Personal Data (PCPD), the response is as follows:
 
(1) and (2) Given the wide usage of the messaging application mentioned in the question by the general public in Hong Kong, and the keen concerns about the privacy issues arising from the new terms on the sharing of personal data concerned, the PCPD has earlier sent a letter to that messaging application's United States headquarters, and maintained proactive communications with their representatives, while providing the following four suggestions:
 

  • clearly explain to users the arrangements for the sharing of personal data under the new terms, and the personal data involved and the use of other data;

 

  • delay the deadline of consideration by users, giving ample time for users to consider;

 

  • since not all users using the messaging application have at the same time opened the social network accounts under question, it is therefore worthy to consider not to apply the new terms to those users; and

 

  • consider providing to users who have not chosen to accept the new terms and privacy policy a workable plan to continue to use the messaging application.

     Subsequently, the PCPD noted the company announced on January 15, 2021 that it had extended the deadline for users to accept its new terms of service and privacy policy from February 8 to May 15, and stated that it would provide further information and explanation to users within this timeframe.

     The PCPD has earlier received the preliminary reply from the company; following on this, the PCPD will find out further details from the company, and request the company to provide more details to the public to alleviate public concerns. The PCPD will continue to pay close attention to the developments, so as to further assess whether the company has contravened the relevant requirements under the Personal Data (Privacy) Ordinance (PDPO).
 
(3) The PCPD is currently communicating with the representative from the company in a proactive manner. At this stage, the PCPD still does not have sufficient information to comment whether the United Kingdom and the European Union users are affected by the new terms, and whether this is relevant to those areas' respective privacy laws.  That said, in light of the rapid development of the global privacy landscape (such as the implementation of the General Data Protection Regulation of the European Union), the PCPD will consider issuing guidelines on the personal data privacy problems of which the public should be aware when using social networks.
 
(4) Currently, the PCPD disseminates information from time to time, to explain to the public the privacy problems of which to be aware when using social networks, for example, the "Protecting Online Privacy – Be Smart on Social Networks" information leaflet (www.pcpd.org.hk//english/resources_centre/publications/files/SN2015_e.pdf). Moreover, upon receiving complaints and enquiries, the PCPD will review the collection, holding, processing, use or disclosure of personal data by relevant data users on online social networks, messaging applications, Internet media, etc., to ensure data users comply with the requirements of the PDPO and the Data Protection Principles. In future, the PCPD will strengthen the proactive patrolling work in this aspect, so as to further protect the privacy rights of the general public.