In relation to the three mobile apps with the “call blocking” function that are suspected of collecting and integrating users’ phone books into a database for public access, the Privacy Commissioner for Personal Data, Hong Kong (“Privacy Commissioner”), Mr Stephen Kai-yi WONG, has already approached the relevant overseas data protection authorities for follow-up actions pursuant to international cooperation arrangements, and will continue to closely monitor the development of the situation. He also highlighted the simple steps that the public may follow to submit their opt-out requests.
- Many users might have permitted the apps to collect and use their phone books when they downloaded those apps, without being aware that such permission would also allow the apps to upload and integrate their phone book data to a publicly available database. Without obtaining prior consent of those individuals in the phone book, the users’ provision of their phone books to the apps in this circumstance may have breached the Data Use Principle. Members of the public should carefully read the Personal Information Collection Statement of the apps, and always remember to obtain the consent from those individuals in the phone books before allowing the apps to access them.
- However, the previous experience of the Office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) revealed that it would be difficult for the PCPD to collect sufficient evidence and take enforcement action, if those individuals listed in the phone books were unwilling to hold the users accountable for the misuse of their personal data.
- Although the Personal Data (Privacy) Ordinance (“Ordinance”) provides for an exemption where the personal data is held for the management of one’s “personal, family or household affairs”, such exemption is not applicable if the users agree to offer their phone books to the app developers / operators for compiling a database for commercial purposes.
- In general, individuals or organisations that control the collection, holding, processing or use (including disclosure and transfer) of the personal data shall comply with the requirements under the Ordinance and the six Data Protection Principles.
- Both the app developers / operators and individual users, should ensure such disclosure or transfer of personal data will not form a new purpose (i.e. not for the purpose other than the original collection purpose or its directly related purpose), unless prior voluntary and explicit consent is obtained from the data subject concerned.
- Even if the personal data is available in the public domains, such as the Internet, any subsequent collection, integration and analysis of the personal data which is different from the original collection purpose, may contravene the Data Protection Principles, in particular when the personal data is used for compiling phone number databases for public use on a fee.
- It appears that the three app developers / operators are corporations registered outside Hong Kong (in Israel, Sweden and the Mainland). As the Ordinance has no extraterritorial jurisdiction, the most effective way is to liaise with overseas personal data protection authorities for follow-up actions pursuant to international cooperation conventions.
The Privacy Commissioner also urges the public to be in control of their own personal data. If they do not permit the apps concerned with the current incident to retain or use their personal data, they may follow the procedures offered by two of the app developers / operators to remove or unlist their personal data being held:
- Website of ‘Sync.Me’: https://sync.me/optout/
- Enter the name, email and mobile number
- Press the button next to ‘I’m not a robot’
- Then press ‘Submit’
- Website of ‘Truecaller’: https://www.truecaller.com/unlist
- Enter the mobile number (with Hong Kong area code: +852)
- Press the button next to ‘I’m not a robot’
- Then press ‘Unlist’
‘Sync.Me’ and ‘Truecaller’ claim that the requested personal data will be removed or unlisted from the publicly available database in 24 hours after the receipt of a request.
The PCPD is exploring further follow-up actions, including:
- Strengthening cross-border and international cooperation, such as intelligence sharing, with overseas personal data protection authorities;
- Advising app stores to consider removing the apps from the stores if they find or suspect any inadequate privacy protection of the apps;
- Strengthening the communications with related government departments and other stakeholders in order to address the rapidly changing, cross-sectoral and cross-border privacy landscape in a smart city;
- Enhancing the promotion and education of members of the public and the app developers / operators to protect and respect personal data privacy. Members of the public should always be in control of their own personal data and be vigilant before downloading an app, i.e. not merely considering the convenience but also their own and others’ personal data privacy rights.
For more practical guidance and tips on personal data protection, please visit our ‘Be Smart Online’ thematic website at: www.pcpd.org.hk/besmartonline/
SOURCE: Office of the Privacy Commissioner for Personal Data