***********************************************************
Following is a question by Dr Hon Priscilla Leung and a written reply by the Secretary for Commerce and Economic Development, Mr Gregory So, in the Legislative Council today (January 20):
Question:
Some instant messaging applications (IMAs) for smart phones (such as WhatsApp) which require registration by mobile phone numbers before use allow users to set up messaging groups without any proof that consent of data subjects has been obtained before they are added to such groups. Some members of the public have lodged complaints with me that upon joining a tour group, the tour escort set up a messaging group which included all tour group members, resulting in disclosure of their mobile phone numbers to other tour group members without their consent and thus infringement on their privacy. Moreover, some members of the public have, from time to time, been included in messaging groups set up by strangers for sending promotional messages (e.g. information about tutorial services and property developments), thus suffering great nuisances. In this connection, will the Government inform this Council:
(1) of the number of complaints received by the authorities in each year since 2012 about disclosure of personal data of data subjects without their prior consent to a third party via IMAs, and the follow-up actions taken for such complaints; among those complaints, the number of those substantiated;
(2) of the number of complaints received by the authorities in each year since 2012 about unsolicited electronic messages being sent through IMAs, and the follow-up actions taken for such complaints; among those complaints, the number of those substantiated, and the number of Hong Kong telephone numbers involved;
(3) whether it will review if the existing provisions of the Unsolicited Electronic Messages Ordinance (Cap. 593) are adequate for regulating the sending of unsolicited electronic messages through new messaging channels; and
(4) whether it has issued guidelines to civil servants as well as staff of public organisations, and carried out publicity and public education work, in order to raise awareness about the privacy issues relating to IMAs; if it has, of the details; if not, the reasons for that?
Reply:
President,
With respect to the Member's questions, a consolidated reply incorporating information from the Commerce and Economic Development Bureau, the Constitutional and Mainland Affairs Bureau and the Innovation and Technology Bureau is as follows:
(1) Between 2012 and 2015, the Office of the Privacy Commissioner for Personal Data (PCPD) received a total of 49 complaints about disclosure of personal data via instant messaging applications (IMAs) to a third party without the prior consent of the data subject. The annual figures are as follows:
Year No. of Complaint Cases
---- ----------------------
2012 2
2013 6
2014 18
2015 23
Total 49
After PCPD's screening and handling, 25 of the above cases were not pursued as the complainants did not provide evidence, did not agree to disclosing his/her identity to the party complained against, withdrew the complaint, or the substance of the complaint was beyond the scope of the Personal Data (Privacy) Ordinance (Note: under the Personal Data (Privacy) Ordinance, personal data is information which relates to a living person, can be used to identify that person, and exists in a form in which access to or processing is practicable); six cases were closed in the absence of a prima facie case of contravention; 15 cases were resolved through conciliation during PCPD's preliminary enquiry; and two cases were resolved through conciliation during formal investigation. As at January 15, 2016, there was one case in the process of screening.
(2) The Unsolicited Electronic Messages Ordinance (Cap. 593) (UEMO) regulates the sending of commercial electronic messages (CEMs), for example fax messages, emails, short messages, pre-recorded telephone messages, etc. In general, CEMs refer to electronic messages which advertise or promote products or services. The UEMO adopts a "technology-neutral" principle in regulating the sending of CEMs, including commercial short messages sent via IMAs (e.g. WhatsApp Messenger).
Using IMAs to set up groups to facilitate the sending of messages does not necessarily constitute a contravention of the UEMO, as it depends on whether the messages concerned are of a commercial nature, as well as the purposes and the actual content of the messages. Between 2012 and 2015, the number of reports received by the Office of the Communications Authority (OFCA) on suspected contraventions of the UEMO in relation to messages sent via IMAs and the number of such reports found substantiated are as follows:
Year No. of reports No. of reports
received substantiated (Note)
---- -------------- --------------------
2012 214 17
2013 259 17
2014 547 26
2015 664 6
(Note: reports in respect of which OFCA has sent advisory letters, warning letters or enforcement notices to senders after investigation)
Of the reports on suspected contraventions of the UEMO in relation to messages sent via IMAs, OFCA does not have the breakdown of the numbers of reports involving telephone numbers registered inside or outside Hong Kong. Nevertheless, according to OFCA's investigation experience, the vast majority of the reports involve WhatsApp messages sent via telephone numbers registered in Hong Kong.
Upon receipt of a report, OFCA will conduct a follow-up investigation. In general, if the sender of the message concerned is found to have contravened the sending rules of CEMs as stipulated in Part 2 of the UEMO, OFCA will issue an advisory letter or a warning letter to the sender. If OFCA is of the view that the contravention will likely continue or be repeated, OFCA will exercise the powers delegated by the Communications Authority (CA) to issue an enforcement notice to the sender concerned. According to the UEMO, in respect of sender's non-compliance with the sending rules of CEMs, the CA can take prosecution action if the sender contravenes an enforcement notice.
In light of the growing number of reports concerning messages sent via WhatsApp Messenger in recent years, OFCA has brought the situation to WhatsApp Inc.'s attention and referred the phone numbers of the senders concerned in reported cases for the company to follow up as appropriate, including terminating the use of its services by the related phone numbers. Furthermore, OFCA has written to WhatsApp Inc. a number of times, suggesting it to improve its programme design so as to prevent potential spamming by WhatsApp users. In April 2015, WhatsApp Inc. subsequently introduced a new "Report Spam and Block" feature which allows users to report suspected spammers to the company direct. According to OFCA's records, after referring the phone numbers of senders under complaint to WhatsApp Inc., OFCA has not received further contravention reports concerning the phone numbers of the related senders. The number of reports concerning messages sent via WhatsApp Messenger has also decreased substantially in recent months after WhatsApp Inc.'s introduction of the aforementioned new feature. OFCA will keep in view the situation.
(3) As mentioned above, the UEMO adopts a "technology-neutral" principle in regulating the sending of CEMs, including commercial short messages sent via IMAs.
Irrespective of whether the CEMs are sent by new messaging channels, if their senders are found to have contravened the sending rules of CEMs as stipulated in the UEMO, OFCA will issue advisory letters or warning letters to them. From past experience, most senders under complaint are willing to take remedial actions to improve their sending of CEMs after OFCA has approached them. Therefore, we have no plan to review the UEMO in this respect.
(4) The Government attaches great importance to protecting personal data. Within the Government, the Office of the Government Chief Information Officer (OGCIO) has formulated a comprehensive set of information security policies and guidelines. All government staff are reminded to comply with the code of practice for using various Internet services. OGCIO has also made the security guidelines on protecting mobile phones and using mobile applications available to the general public through the "Cyber Security Information Portal" (www.cybersecurity.hk), including matters for attention when using social networking websites and IMAs.
To strengthen the awareness and knowledge of personal data protection in the public and private sectors and among the general public, the OGCIO has made available in the "Cyber Security Information Portal" a hyper link to the relevant guidelines (Note: the relevant guideline is available at: www.pcpd.org.hk/english/resources_centre/publications/files/leaflet_smartphones_e.pdf) on protecting personal data privacy published by PCPD. Furthermore, the OGCIO invited the PCPD to conduct two seminars on personal data protection for the departmental IT security officers of government bureaux and departments in 2015, and uploaded the seminar materials in the Government intranet for reference by all bureaux and departments.
PCPD has been promoting to members of the public and organisations an awareness in protecting and respecting personal data privacy in the use of information technology through different channels, including organising activities such as roadshows and seminars, setting up thematic websites, as well as reminding mobile application developers about matters to note in relation to protection of personal data privacy.
Ends/Wednesday, January 20, 2016
Issued at HKT 15:25
NNNN
