OPINION: Bounty hunting for data

Data privacy in Hong Kong upheld by Privacy Commission: major company fined for breach.

They say “data is the new oil” as it's the fuel which keeps business machinery humming. It's not an exact analogy. Maybe data is the “new electricity.”

Less than a century ago, any large company had an executive who monitored the electrical supply. The equivalent of today's CIO, this employee's job was to ensure that the enterprise had a steady and working electrical current flowing through its facility. This was no easy feat: electrical supplies in cities were so unstable that few owned electric-powered clocks: they stopped/started so often that their time-readings were worse than useless—they were misleading.


Electricity kept production machines going and provided safe lighting for nighttime work. But load-balancing was in its infancy and Elon Musk-sized batteries were science fiction. Electric power needed strict management.
Nowadays, data is what flows and keeps things running. But personal data has privacy restrictions, as some firms are finding out in courtrooms across the globe.

Personal data is valuable
In decades-past, demographics were key to advertising. Advertisers wanted to know as much about their targeted audience as possible. But means of data-gathering were primitive.


Nowadays, half of Hong Kong spends their free time blasting personal information across various social media. And, the more information on a person's buying habits, likes/dislikes, payment methods etc, the better. Do the likes of Google and Facebook want to be siloed fiefdoms of collected data? I think not.


Needless to say, sharing of personal data among firms is a sensitive issue. Would you like a list of every location you visited, every meal you ate, every person you met splattered all over your LinkedIn page, for example? How about your medical records? Most people understand the need for privacy and discretion.


But data is relentless. A computer can't tell that your email with the sensitive work documents is mistakenly addressed to your competitor instead of your boss, so it sends the email anyway. Data will reveal patterns of behavior we ourselves are unaware of. And when it comes to privacy, this is a problem.

Data privacy in Hong Kong
In mid-2010, according to Wikipedia, Hong Kong's Octopus card hit the headlines for data privacy invasion. “Despite Octopus' claims to have never sold data, a former employee of the CIGNA insurance company claimed CIGNA purchased records for 2.4 million Octopus users,” said Wikipedia. On July 20th 2010, “Octopus acknowledged selling customers' personal details to Cigna and CPP, and started an internal review of their data practices.”


The breach hit mainstream global media. “In a Wall Street Journal article titled “Hong Kong's Cashless-Payment Operator Under Fire,” reporter Jeffrey Ng wrote: “the operator of a Hong Kong cashless payment system has come under fire after it reversed itself and admitted to selling the personal data of nearly two million customers to business partners, sparking public demands for better regulation of how personal information is handled.”


According to the Hong Kong Standard newspaper, Roderick Woo, Privacy Commissioner for Personal Data at the time, said on a radio program: "If the Octopus company is found to have violated the Personal Data (Privacy) Ordinance, we'll require it to take the appropriate remedies immediately.”
The timing was unfortunate because Woo's term as PCPD was about to expire. But the Privacy Commission remains active, and in the early days of 2018, they acted on a complaint from a Hong Kong citizen and fined a major Hong Kong supermarket chain for using a customer's private data without consent

Fined for violating data privacy
On January 2, the Privacy Commission issued a press statement. “PARKnSHOP (HK) Limited (the Company) was convicted today at the Tuen Mun Magistrates’ Court...for using the personal data of a data subject in direct marketing without obtaining the data subject’s consent,” said the statement. “The Company pleaded guilty to the charge and was fined HK$3,000.”


“Three thousand HK dollars? It may be less than an hour's charge for the lawyer that the company hired,” said Charles Mok, Legislative Councillor, IT Constituency. “The court should fine a punitive damage at a higher level so as to serve as a more effective warning message to the trade.”

“Many commercial enterprises in HK are not well aware of their legal responsibilities when it comes to complying with the law when handling personal data,” said Mok. “This kind of enforcement will help heighten their awareness, but the punishment for such infringements is woefully low.”It's an absurd amount, but does it set a legal precedent? This is a question all data-gathering firms in the HKSAR need to consider.