ªÀµûÂù»y¹D¡G¬F©²À³­×­qªk¨Ò«OÅ@­Ó¤H¨pÁô Government should make amendments to the ordinance to protect the privacy of the public

¡½¦­«e°ê®õ¤Î´äÀs¯èªÅ¬ù940¸U¦W­¼«È­Ó¤H¸ê®Æ³Q¤£·í¨úÄý¡C ¸ê®Æ¹Ï¤ù

¡½Jeffrey Tse (ywc_jeffrey@hotmail.com)

­ì¤å

¥ßªk·|©ó¥»¤ë14¤é°Q½×°ê®õ¤Î´äÀs¯èªÅ¬ù940¸U¦W­¼«È­Ó¤H¸ê®Æ³Q¤£·í¨úÄý¤@¨Æ¡A¦h¦Wij­û§åµû°ê®õÁô¿f¨Æ¥ó¡A¨Ã­n¨D·í§½ºÉ§Ö­×§ï¨pÁô±ø¨Ò¡A¥[­«»@«h¡C

­»´ä¤H¯À¨Óª`­««O»Ù¨pÁô¡AÀHþӮɥN©M¬ì§Þµo®i¡AÀHþÓ­Ó¤H¸ê®ÆªºµL§Î»ù­È¶V¨Ó¶V°ª¡A¥ø·~¡B¾÷ºc¦bÀò¨ú¡B¨Ï¥Î«È¤á­Ó¤H¸ê®Æ®É¥~¬ªªº­·ÀI¤]¶V¨Ó¶V°ª¡C

¥»´ä¡m­Ó¤H¸ê®Æ¡]¨pÁô¡^±ø¨Ò¡n¤w¥Í®Ä22¦~¡A±ø¤å©úÅã¹L®É¥BªýÀ~¤O¤£¨¬¡A¶¡±µ¥O¨pÁô¥~¬ª¨Æ¥óÀW¥Í¡C¬F©²¦³¥²­n»P®É­Ñ¶i­×§ïªk¨Ò¡A§ó¤Á¹ê¦³®Ä«O»Ù¥«¥Á¨pÁô©M§Q¯q¡C

¦b²¾°Ê´¼¯à®É¥N¡A­Ó¤H¸ê®Æ¤é¯q¦¨¬°·¥¨ã»ù­Èªº¤j¼Æ¾Ú¸ê®Æ¡C¾Ö¦³¤j¶q«È¤á­Ó¤H¸ê®Æªº¯èªÅ¡B¹q°T©M¦UÃþªA°È¥ø·~¡A¦ÛµM¦¨¬°¶Â«Èµs¨ú­Ó¤H¸ê®Æ¥H¨D¤£ªk§Q¯qªº¹ï¶H¡C¨pÁô±M­û¤½¸p¥h¦~ªº¤u§@³ø§iÅã¥Ü¡A2017¦~¸p¤è±µÀò106©v¾÷ºc¥~¬ª­Ó¤H¸ê®Æ¨Æ¬Gªº³q³ø¡A¸û2016¦~¤W¤Éªñ¨â¦¨¡C¤µ¦~¦Ü¤µ¡A°£¤F°ê®õ¨Æ¥ó¥~¡A¤w¥ý«á¦³Áa¾î¹C¡B¤j¯è°²´Á¡B­»´ä¼eÀWµ¥¥ø·~ªº«È¤á¸ê®Æ³Q¶Â«Èµs¨ú¡CÃþ¦ü¨Æ¥óÀWÁcµo¥Í¡AºVÅT­Ó¤H¸ê®Æ«O»ÙªºÅT«GĵÄÁ¡C

¦ý¥»´ä¤w¦æ¨Ï22¦~ªº¡m­Ó¤H¸ê®Æ¡]¨pÁô¡^±ø¨Ò¡n¡A³WºÞ¤£ÄY¡B»@«h¼eÃP¡A³QÃÕ¬°¡uµL¤ú¦Ñªê¡v¡C¹ï©ó¾÷ºc¬ªÅS«È¤á¸ê®Æ¡A¥Ø«e¥»´äªk¨Ò¨ÃµL­n¨D±j¨î³q³ø¡A¥u¦³¬ÛÃö«ü¤Þµ¹¾÷ºc¡C

·íµM¡A¨pÁô±M­û¤½¸p½Õ¬d«áı±o¦³¥²­n¡A¥i¹ï¾÷ºcµo¥X°õ¦æ³qª¾¡A¤£¿í¦u°õ¦æ³qª¾ÄݦD¨Æ¸o¦æ¡A¦ý³Ì°ª»@´Ú¥u¬O´ä¹ô5¸U¤¸¤ÎºÊ¸T¨â¦~¡C¦p¦¹»´·Lªº»@«h¡A©úÅã»P­Ó¤H¸ê®Æ¥~¬ª³y¦¨ªº·l¥¢¤£¬ÛºÙ¡C

2010¦~7¤ë¡A¤K¹F³q¤½¥q³Q´¦µo±N197¸U¦W¡u¤é¤é½à¡v«È¤áªº¸ê®Æ°â¤©6¶¡¤½¥q¡A±q¤¤Àò§Q4,400¸U¤¸¡A¨Æ«á¨pÁô±M­û¤½¸pµô©w¤K¹F³q¤½¥q¹H¤Ï¨pÁô±ø¨Ò¡A¦ý¨ÃµLµo¥X°õ¦æ³qª¾©Î§@¥ô¦ó³B¤À¡C¨Æ¥ó¤£¤F¤F¤§¡C

¡m­Ó¤H¸ê®Æ¡]¨pÁô¡^±ø¨Ò¡n©ó1996¦~¥Í®Ä®É¡A·í®É¤¬Ápºô­è­èµo°b¡A§óµL´¼¯à²¾°Ê³q°T¡A®Ú¥»Ãø¥H·Q¹³¤¬ÁpºôªA°È©M¹q¤l¤ä¥IªA°È¦³¤µ¤Ñªº´¶¤Î¡CÀHþÓ¥ø·~¡B¾÷ºcªñ¦~¦¬¶°­Ó¤H¸ê®Æªº¼Æ¶q¥H´X¦ó¯Å¼Æ¤W¤É¡A¬ªº|¨Æ¥ó¤@¦Aµo¥Í¡Aªk¨Ò¹L®É¡BºÊºÞÄY­«¤£¨¬ªº°ÝÃD¨³³t´c¤Æ¡C¦]¦¹¡A¥»´ä¥²¶·°Ñ¦Ò¨ä¥L¥ý¶i¦a°Ïªº°µªk¡A¦]À³¹ê»Ú»Ý­n¾A®É­×ªk¡C

¼Ú·ù¤µ¦~´N³q¹L¤F¡m³q¥Î¼Æ¾Ú«O»Ù±ø¨Ò¡n¡]GDPR¡^¡A´N¥~¬ª³q³ø¡B¸ê®ÆÂಾ¡B¥[­«»@«hµ¥½Ñ¦h¤è­±ÄY®æ³WºÞ¡A¥ô¦ó¦b¼Ú·ù³]¥ß©Î¥Ø¼Ð¨ü²³¬O¼Ú·ù¤½¥Áªº¥ø·~§¡¨ü³WºÞ¡C¤@¥¹µo¥Í¬ªº|¨pÁô¨Æ¥ó¡A³Ì°ª»@«h¬O¥ø·~¥þ²yÀç·~ÃBªº4%©Î2,000¸U¼Ú¤¸¡A¥H¸û°ªªÌ¬°·Ç¡C

«O»Ù­Ó¤H¨pÁô¡A´N¬O«O»Ù¥«¥Á§Q¯q¡A¥«¥Á¹ï¦¹¦³±j¯P¶D¨D¡C´Á«Ý¬F©²Å¥¨ì¥«¥Áªº©IÁn¡A¶¶À³¥Á·N¡AºÉ§Ö´N­×¨Ò´£¥X«Øij¡A¨Ã¿Ô¸ß¤½²³·N¨£¡A°ô¶ëªk¨Òº|¬}¡A¬°¥«¥Áªº¨pÁô¦w¥þ§â¦nªk«ßÃö¡C

¡]¼ÐÃD¬°½s¿è©Ò¥[¡^

¡]ºK¿ý¦Û­»´ä¤å¶×³øªÀµû 15-11-2018¡^

Ķ¤å

Lawmakers accused Cathay Pacific Airways of a cover-up as the Legislative Council (Legco) discussed the commercial flight giant's massive passenger data breach at a November 14 meeting. The data leak affected about 9.4 million Cathay Pacific and Cathay Dragon customers. During the meeting, legislators have also demanded the authorities to review the current privacy laws as soon as possible to introduce heavier penalties.

Privacy protection has always been paramount to the people of Hong Kong. However, as the value of personal data grows over time due to technological advancement, enterprises and institutions now face a greater risk of data leaks when obtaining and using the personal information of their customers.

Hong Kong's Personal Data (Privacy) Ordinance has been in force for 22 years. Its provisions are clearly outdated and insufficient as a deterrence, thus indirectly leading to the frequent data leak incidents. The government must keep pace with changing circumstances and make amendments on the ordinance, so as to protect the privacy and interests of the public more effectively.

In the era of mobile intelligence, personal data is becoming increasingly valuable as part of the big data.

The aviation, telecommunications and other tertiary sector industries that gather a large amount of customer data naturally became the target of hackers, who would steal personal information for illegal purposes.

According to the Office of the Privacy Commissioner for Personal Data (PCPD) Annual Report 2016-17, 106 data breach incidents were reported to the Office in 2017, which represented approximately a 20 per cent increase as compared with 2016.

Apart from Cathay Pacific, a number of companies including WWPKG, Big Line Holiday and Hong Kong Broadband have already fallen victim to customer data breach incidents so far in 2018. The frequent occurrence of data security incidents has sounded the alarm on privacy protection.

However, the 22-year-old Personal Data (Privacy) Ordinance has been reduced to a "toothless tiger", for its enforcement is ineffective and its penalties for contravention light.

Under the current laws of Hong Kong, only some guidelines on data breach handling are given, but there is no mandatory requirement for any organisation to file a notification to the PCPD in case of a data breach.

While the PCPD could issue an enforcement notice to the organisation involved after investigations were conducted, and that contravention of the notice is an offence, the maximum penalties are a mere fine of HK$50,000 and two years of imprisonment.

Such penalties can in no way be considered as commensurate, given the magnitude of the loss that is caused by a data breach.

For instance, Octopus Holdings Limited was found to have sold the personal data of 1.97 million cardholders under the "Octopus Rewards" programme in July 2010. The personal information was sold to six business partners of Octopus Holdings, and the company was able to amass HK$44 million from the deal.

Even though the PCPD found that Octopus Holdings violated the Ordinance, it did not issue an enforcement notice and no further action was taken.

When the Personal Data (Privacy) Ordinance was enacted back in 1996, the internet was just beginning to emerge, and there was no mobile communication. No one could have imagined the growth of internet services and the development of electronic payment.

As the volume of personal data collected by companies and organisations skyrockets, and that data leaks are becoming increasingly frequent, the problems of obsolete laws and ineffectual supervision would only get worse. Hong Kong must draw experience from others and review our current laws.

As an example, the European Union (EU) has just approved the General Data Protection Regulation (GDPR) this year. The law applies to all EU companies and those companies which offer goods or services to the citizens of EU, and imposes strict regulations on data transfers, breach notification mechanisms and penalties. Penalties for violating the GDPR could go up to £á20 million or 4 per cent annual global turnover, whichever is higher.

To protect personal privacy is to protect the interests of the public, of which there is a strong aspiration.

One hopes that the government will listen to the voice of the people and propose to review the Ordinance as soon as possible, so that the current loopholes in privacy protect could be rectified.

Exercise

1. ¦X³W

2. ¨pÁô±M­û

3. ³z©ú«×

4. ºôµ¸§ðÀ»

5. ¡]±ø¨Ò¡^¨î©w

Answer

1. compliance

2. the Privacy Commissioner

3. transparency

4. cyberattack

5. enactment

Ū¤å¶×³øPDFª©­±