• ADG Consultants

Practice Note: Handling unlawful disclosure of personal data at online discussion forum

Updated: Aug 3, 2019



Background


The Privacy Commissioner for Personal Data (“PCPD”) has recently published a statement regarding the PCPD’s decision of referring 430 cases of those suspected disclosure of personal data at online discussion forums and instant messaging platforms to the Hong Kong Police Force (“HKPF”) under section 64 of the Personal Data (Privacy) Ordinance (“PDPO”) to conduct further criminal investigations and seeking legal advice from the Department of Justice to determine whether to initiate prosecution against those involved. [1]


The cases received by the PCPD mainly involved disclosure of name and photos, and other personal data including HK ID card number, date of birth, family status, occupation and job title. These personal data were published on online discussion forums and social media platforms, and a special team was set up by the PCPD to “proactively” search for web links that might link to posts that may contravene s.64 of the PDPO.


Lodging a complaint


Under s.37 of the PDPO, an individual or a relevant person on behalf of an individual may make a complaint to the PCPD about an act relates to personal data of an individual and may be a contravention of a requirement under the PDPO.


To formally lodge the complaint to the PCPD, the complainant may fill in the PCPD’s complaint form (OPS001) with supporting evidence(s).


According to the Complaint Handling Policy of the PCPD, the complaint should provide his or her name, correspondence address for contact, and proof of identity. In addition, the complainant must specify the identity of the party complained against and produce sufficient information in support of his or her allegation.


The PCPD will then decide whether there are reasonable grounds to believe that there may be contravention of a requirement under the PDPO, and decide to conduct a compliance check or commence an investigation into the matter.


As a result of an investigation, if the PCPD is of the opinion that the relevant data user is contravening a requirement under the PDPO, the PDPO will have the discretionary power to serve on the data user an enforcement notice under s.50(1) of the PDPO directing the relevant data user to take such steps and/or measures to remedy and if appropriate, prevent any recurrence of the contravention.


Recent case


Aurum (Data Governance) Consultancy (“ADG”) was recently retained, and successfully resolved, in a case where the Client’s name, user names of social media and photos were collected without the Client’s consent, and the personal data were unlawfully posted on one of the online discussion forums. The breach has caused the leak of the Client’s sensitive personal data and psychological harm.


ADG was instructed to act on behalf of the Client to lodge a complaint to the PCPD, and assisted the Client’s legal team in its civil action. Due to the difficulty of tracing and ascertaining the identity of the perpetrator, the PCPD decided it would be inviable for ADG to seek an enforcement notice, and an enquiry was filed instead. The online forum’s post was deleted within a day after the concerted effort made by ADG and the Client’s legal team.


The case also goes to show the difficulty of lodging a complaint to the PCPD in cyber-bullying cases, where the perpetrator’s identity will usually be difficult to ascertain, and thus, making enforcement notice inviable as the PCPD will not be able to serve it directly on the perpetrator.


The other difficult aspect of cyber-bullying cases is that perpetrator often uses technology, such as blockchain, to “back-up” data subject’s personal data, making the loss a permanent one, and causing irreparable damage to the data subject.


For more information regarding how to handle unlawful disclosure of personal data at online discussion forum, please contact ADG at info@aurumconsultancy.co or Tel: +852 3725 4806.

[1] ‘Criminal Investigation Procedures Commenced on 430 Cases of Online Disclosure of Personal Data in Accordance with the Law’, Media Statements, PCPD, 26 July 2019


© 2020 by Aurum (Data Governance) Consultants Ltd