Octopus Holdings Pty. CEO Resigns After Privacy Breach
A major privacy breach has unfolded in Hong Kong, with revelations that a popular cashless payment operator has made millions selling the personal information of thousands of clients without their consent. Some observers say the fiasco is just the tip of the iceberg.
Information surfaced last month that Octopus Holdings Pty. had sold two million personal data records to six insurance companies, without obtaining the users’ direct consent.
According to the company’s CEO Prudence Chan, the sales brought HK$44 million in revenue, reported Bloomberg.
The Octopus Cards, essentially a cashless rechargeable facility, were introduced in 1997 as an easy one-stop-shop option for payments.
They are used by millions of Hong Kong residents to purchase everything from public transport tickets to groceries, food at fast food stores and parking. Some even use the cards to access apartment buildings—all with the swipe of one plastic card.
The system handles an average of 11 million financial transactions each day, estimated to be worth about HK$100 million, The Wall Street Journal reported.
The Government holds a 20 per cent share of Octopus Holdings Pty. The majority shareholder is the central transit authority, the MTR, with a 57 per cent stake.
Octopus came into the spotlight in June, after a public survey revealed that more than 90 per cent of the respondents said they hadn’t read the personal information statements when they provided data to apply for Octopus services, reports Bloomberg.
The survey results were picked up by then Privacy Commissioner Roderick Woo, who launched an investigation. Woo has since been replaced by new Commissioner, Mr. Allan Chiang Yam-wang, who took office in August.
While still in office, Woo pushed for greater protection of private data, urging the government to introduce stringent regulations for the technologically-infected metropolis.
In September 2009 Woo recommended more than 50 amendments to the current privacy bill in a document known as the Personal Data Review.
Among the recommendations was a clause that would curb “irresponsible dissemination of leaked personal data.”
He also recommended making such actions an offence “if a person obtains personal data without the consent of the data user and discloses the personal data so obtained for profits or malicious purposes.” However, in a Government Consultation paper on Woo’s proposals, some recommendations were rejected outright and the rest amended, but none, to date, have been legislated.
Privacy Laws Need Change
The Octopus data leak has sparked public outrage over privacy laws in Hong Kong, with many voicing concern that their private information is being exposed and there are few laws to protect them.
Assistant Professor of Politics and Public Administration at the Chinese University of Hong Kong, Dr. Wilson Wong, said that currently the highest penalty for privacy infringement is a fine of a few thousand HK dollars, which is an insufficient deterrent for large multi-million enterprises.
“The Hong Kong government should completely review the regulations,” said Wong, speaking at the weekly public forum in Hong Kong’s Victoria Park on Aug. 1.
Dr. Wong said that there has only been one case of monetary penalty due to privacy infringement. This indicates that little attention has been paid to sensitive data handling, considering that privacy breaches have been on the rise in Hong Kong, he said.
Member of the Legislative Council Emily Lau believes the current laws fail to protect citizens and leave them exposed to information abuse.
“We have reasons to believe that a lot of citizens’ information is being abused; therefore, I call on the government to not take summer break; start working [to investigate] as soon as possible,” said Ms. E. Lau, while speaking at the August 1 forum.
Other lawmakers demanded that the large companies change the methods of data collection, calling for a more transparent process.
Chairwoman of the Liberal Party, Miriam Lau, agreed that using customers’ information for marketing purposes is commonly done, but it should be the informed choice of every customer.
“The Octopus Card is really absurd. First it’s the way they collect the information, making use of customers’ ignorance about the regulations,” said Ms. M. Lau.
“[They] lead the customers to believe that they are giving away their personal information for the awards only, and they are collecting more information than needed, and what’s more ridiculous is that they are selling the information. This is unacceptable,” she said.
According to the existing privacy laws outlined in the 1996 document known as “The Ordinance,” it is against the law to use personal data for direct marketing, unless the individual has been informed.