European Banking Authority Releases Internet Payment Guidelines

This post was written by Cynthia O’Donoghue.

The European Banking Authority (EBA) released ‘Final guidelines on the security of internet payments’ (Guidelines). These Guidelines are based on the work published by the European Forum on the Security of Retail Payments (SecuRe Pay) and set the minimum security requirements that Payment Services Providers (PSPs) in the EU will be expected to implement by 1 August 2015.

Internet payment services covered in the scope of the Guidelines include the execution of card payments; the execution of credit transfers; the issuance and amendment of direct debit electronic mandates; and transfers of electronic money between two e-money accounts.

In particular, the Guidelines emphasise the importance of PSPs' role in providing assistance and guidance to their customers in relation to the secure use of Internet payment services. Among other things, the EBA requests that PSPs adopt formal security policies; conduct and regularly update security risk assessments; and strengthen their customer identification, authentication and enrolment processes.

Included within the Guidelines is a list of best practice examples which PSPs are encouraged, but not required, to adopt. One best practice example for strong customer authentication includes ensuring that there are elements linking the customer authentication to a specific amount and payee. The technology used in linking the two sets of data should be tamper-resistant and could help to provide customers with increased certainty when authorising payments.

These Guidelines are particularly welcome in light of the high levels of fraud on Internet payments. Latest reports from the ECB suggest that card fraud on Internet payments alone caused €794 million of losses in 2012 (a growth of 21.2% from 2011).

N.Y. AG Seeks To Have the 'Strongest, Most Comprehensive' Data Security Law in Nation

This post was written by Mark S. Melodia, Anthony J. Diana, and Frederick Lah.

Last week, New York Attorney General Eric Schneiderman announced that he would propose a new data security law in his state that would require companies to take increased safeguards for the protection of personal information. The bill, if passed, would broaden the scope of information that companies would be responsible for protecting, and would require stronger technical and physical security measures for protecting information. Specifically, the bill would apply to all entities doing business in New York that collect and store private information, and would require such entities to have reasonable security measures in place, including:

  • Administrative safeguards to assess risks, train employees and maintain safeguards
  • Technical safeguards to (i) identify risks in their respective network, software, and information processing, (ii) detect, prevent and respond to attacks, and (iii) regularly test and monitor systems controls and procedures
  • Physical safeguards to have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored

Under the law, entities that obtain annual, independent third-party audits and certifications showing compliance with the state’s data security requirements would receive a rebuttable presumption, for use in litigation, of having reasonable data security measures in place. To incentivize companies to adopt tougher data security measures, the new bill will also include a safe harbor provision for those companies who certify that they have implemented heightened data security standards. In order to qualify for the safe harbor, entities would be required to categorize their data systems based on the risk a data breach imposes on the data stored. An appropriate data security plan considering such risks and other factors would then need to be implemented and followed. If this standard is met, the entity would need to obtain a certification, though it is not clear yet from whom the certification would need to be obtained. Upon obtaining the certification, the entity would be granted the benefit of a safe harbor that may eliminate its liability entirely under the law. In addition, the proposed law would amend the state’s existing data breach notification law to include in the definition of "private information" the combination of an email address and password, the combination of an email address with a security question and answer, medical data, and health insurance information (entities are currently not required under the law to notify consumers of a breach of any of these types of information).

The attorney general shared his ambitious goal for the bill, saying that he envisions that the "new law will be the strongest, most comprehensive in the nation." Citing the high number of data breaches last year, he said that he wanted New York's law to serve as "a national model for data privacy and security." While a copy of the proposed legislation is not yet publicly available, we envision that it will bear some similarities to Massachusetts' Data Protection Regulations in that both set forth specific minimum standards that companies are required to take in connection with the safeguarding of personal information. We have previously covered some of the requirements under the Massachusetts Regulations here. With President Obama also pushing his own privacy and cybersecurity agenda, 2015 could potentially result in a drastic change in the privacy law landscape. We will be following these legislative developments closely.

Turkish Parliament Approves E-Commerce Law

This post was written by Cynthia O’Donoghue and Kate Brimsted.

Turkey’s Parliament has approved Law No. 6563 on the Regulation of Electronic Commerce (Law) aimed at creating a more secure, transparent and accessible e-commerce environment. The Law is expected to come into force 1 May 2015.

The Law covers electronic communications, liabilities of service providers, contracts concluded electronically, and the information provided to consumers, as well as unsolicited electronic messages.

One of the key provisions under the Law requires service providers to: (a) clearly identify the terms of the contract and on whose behalf it is sent; (b) state the trade associations of which it is a member, the rules of conduct for the profession, and how the recipient may access these electronically; (c) give up-to-date and easy-to-access identifier information before a contract is concluded; and (d) state whether the concluded contract will be kept by the service provider and whether it will be accessible by the recipient and, if so, for how long. This information must be clearly communicated before and after the formation of the contract if such contract is entered into electronically.

The Law also hopes to put a stop to unsolicited SMS and email messages with the introduction of a new opt-in and opt-out regime. The opt-in system, also favoured by the EU, requires prior consent to be obtained from individual consumers before any commercial electronic messages may be sent. The consent requirement does not apply to business-to-business marketing. Failure to comply could result in a penalty ranging from TL 1,000 to TL 5,000 (and up to 10 times the original fine for repeat offenders).

In introducing an opt-out system, the Law stipulates that recipients must be given the right to unsubscribe from commercial electronic messages at any time and free of charge, and are not required to give a reason for refusing further communication.

Turkey still lacks a comprehensive data protection law, but this new law takes the country a step closer to both providing transparency to consumers, and seeking to facilitate e-commerce.

OECD Releases Guidance for Digital Consumer Products

This post was written by Cynthia O’Donoghue.

The Organisation for Economic Cooperation and Development (OECD) released Consumer Policy Guidance on Intangible Digital Content Products (Guidance) for protecting online consumers of digital content.

With the expansion of the Internet and mobile devices, digital content has grown considerably. The OECD recognizes that this has brought consumers considerable benefits, “including ready access to a wide range of high-quality products, often at reduced costs”. It has also created issues that the OECD believes “countries and business now need to address”.

According to the Guidance, consumers acquiring and using intangible digital content products face several challenges, including, among others: inadequate information disclosure, and misleading or unfair commercial practices.

The Guidance provides recommendations to address six issues concerning:

  • Digital content product access and usage conditions
  • Privacy and security
  • Fraudulent, misleading and unfair commercial practices
  • Children
  • Dispute resolution and redress
  • Digital competence

The recommendations include provisions relating to privacy and security, and address fraudulent, misleading and unfair commercial practices. In particular, the OECD suggests that terms and conditions should be made available to consumers as early as possible in the transaction, and that consumers be provided with clear information about the collection, storage and use of their personal data, including steps consumers can take to manage their data.

In addition, the Guidance addresses children’s advertising and recommends that businesses have mechanisms in place to prevent children from making in-app or digital content purchases without parental consent.

The OECD has also called for effective dispute resolution and redress mechanisms.

Given the growth in the digital market in which businesses now operate, this Guidance calls for governments, businesses and other stakeholders to work collectively to develop education and awareness programs to facilitate consumer use of digital content. Importantly, the OECD acknowledges that protection of consumers and of their personal data should form the core of any legal framework, and should be read in conjunction with the OECD’s Privacy Principles, which tend to form the basis of the data protection and privacy laws in nearly 140 countries.

Federal Trade Commission Announces Adjusted HSR Thresholds for 2015

This post was written by Debra H. Dermody, P. Gavin Eastgate, Michelle A. Mantine, and William J. Sheridan.

On January 15, 2015, the Federal Trade Commission announced the annual threshold adjustments for premerger filings under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (15 U.S.C. § 18a) (“HSR”). The new thresholds have increased the dollar amount required to trigger HSR notification for both the size-of-transaction and size-of-person tests.

Click here to read the full issued alert.

FTC Chairwoman Rings in the New Year with 'Internet of Things' Warning

This post was written by Frederick Lah and Sulina D. Gabale.

While hundreds of tech companies are racing to develop the newest in Internet-connected “smart” devices, Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez is sending a reminder to those companies of their responsibilities to consumers. At the 2015 Consumer Electronics Show held in Las Vegas, January 6-9, Chairwoman Ramirez highlighted some best practices to address the vast array of consumer privacy risks posed by the “Internet of Things.”

The “Internet of Things” refers to the growing ability of everyday devices to monitor and communicate information through the Internet. For example, mobile phones are used for far more purposes than originally intended by Mr. Alexander Graham Bell. They have become integral to our daily lives: waking us up in the morning, feeding us the news on our commute to work, and tracking our sleep patterns at night via Bluetooth technology.

However, with the widespread use of innovative “smart” technology comes a swath of potential privacy concerns for consumers and companies alike. In her speech, Chairwoman Ramirez warned that the data collected from these “smart” devices “will present a deeply personal and startlingly complete picture of each of us—one that includes details about our financial circumstances, our health, our religious preferences, and our family and friends.” In response to the risk of potential misappropriation of consumer data, the FTC is calling for companies to mitigate privacy risks and embrace principles of “security by design” and “data minimization,” where companies only collect requisite information for a specified purpose and then safely and immediately dispose of it afterwards. More specifically, Ramirez stated, “companies should: (1) conduct a privacy or security risk assessment as part of the design process; (2) test security measures before products launch; (3) use smart defaults – such as requiring consumers to change default passwords in the set-up process; (4) consider encryption, particularly for the storage and transmission of sensitive information, such as health data; and (5) monitor products throughout their life cycle and, to the extent possible, patch known vulnerabilities.” In addition, Ramirez suggested companies should implement technical and administrative measures to ensure reasonable security, “including designating people responsible for security in the organization, conducting security training for employees, and taking steps to ensure service providers protect consumer data.”

Though this isn’t the first time the FTC has taken a firm stance on “The Internet of Things,” it acts as an important reminder looking into the New Year. In November 2013, the FTC convened a public workshop in D.C. on the “Internet of Things” to study privacy and security concerns related to the industry, and then held a comment period lasting until January 2014. Then, in September 2013, the FTC brought its first enforcement action in this area, a case we previously covered on our blog. The agency is projected to issue a report with findings and recommendations sometime this year. We will be monitoring the FTC’s movement closely in this area.

New Jersey Requires Encryption for Health Insurance Carriers; May Open Door to Class Action Suits over Violations Under State Consumer Protection Law

This post was written by Paul Bond and Brad M. Rostolsky.

Gov. Chris Christie has signed into law S. 562, which, as its title states, “Requires health insurance carriers to encrypt certain information.”

Violation of this new law constitutes a facial violation of the New Jersey Consumer Fraud Act, a powerful consumer remedies statute. The NJCFA can be enforced by the state attorney general, or by private action. For private litigants showing ascertainable loss, the NJCFA allows for recovery of treble damages and attorney’s fees. The NJCFA is a favorite of the state class action bar.

For purposes of this Act, a “health insurance carrier” is “an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in this State,” New Jersey.

Such health insurance carriers “shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” A simple password will not do. Unlike the Massachusetts data security regulation, the New Jersey Act does not expressly establish a duty to pass encryption standards on to vendors.

As defined by the Act, personal information “means an individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; (3) address; or (4) identifiable health information.”

While the substantive requirements of this Act may not be onerous, the explicit link between this Act and the NJCFA should give pause to all New Jersey health carriers.

Cybersecurity Risks Are Higher than Ever and Are Proving Costly

This post was written by Cynthia O’Donoghue and Paul Bond.

Cybersecurity is an increasing concern for companies. Last April, the UK Department for Business, Innovation & Skills (BIS) published the 2014 information security breaches survey: technical report. The report comprises the findings from two online questionnaires completed by 1,125 respondents, and contains a number of important cyber-attack statistics for both large organisations and small businesses.

The results indicate that while UK businesses are paying more attention to cybersecurity, the scale and cost of security breaches has nearly doubled in the past year, with losses from the worst breaches ranging between £600,000 and £1,500,000. In the United States, the number of companies reporting concerns about cybersecurity to U.S. regulators more than doubled in the past two years, to 1,174.

The following cybersecurity concerns affect corporates, start-ups, investors and shareholders, and highlight some of the obstacles to addressing cyber-attacks:

Businesses still continue to view cybersecurity as a purely technical matter. Businesses tend to focus on technological vulnerabilities (e.g., insufficient patching of servers or routers) rather than on protecting the most critical business assets or processes (such as customer credit card information), which are what concern customers and consumers.

Businesses need to adapt to address security risks from new technologies. Businesses need to address security risks from the cloud, social media and mobile using a more holistic approach rather than protecting digital assets by targeting the data centre perimeter and managing user access, authorisation, and authentication from known locations and devices.

Businesses need to adapt to the challenge presented by the pervasive use of personal mobile devices by staff, and the security implications that follow. A robust Bring Your Own Device policy ensures that employees are aware of the risks introduced when sending or receiving corporate information on a personal smartphone or tablet, and should address effective security to comprehensively manage user identity and access to sensitive corporate data.

Businesses need to make cybersecurity a board issue. C-suite engagement can help address cybersecurity threats effectively to protect critical information assets without placing constraints on innovation and growth.

Businesses need to monitor cybersecurity and implement a rapid response program to address breaches. Audit committees should take a risk-based approach and address cybersecurity risks with appropriate frequency. Doing so would help minimise the risk that arises from such events as stolen passwords and unauthorised access. In addition, the board or the appropriate committee should satisfy itself that management has in place the resources and processes necessary to respond to a breach in order to minimise the effects. By having well-documented information security controls, processes, or certifications in place, businesses increase their appeal to clients by directly addressing any concerns.

Businesses need to adapt to deal with more sophisticated cybercrime. Antivirus software and firewalls alone are no longer adequate. As attacks against large companies such as Target, Adobe and Sony illustrate, businesses can no longer work on a prevention-first security strategy which purely relies on protecting the perimeter. Businesses need to innovate and focus on protecting their core data through data encryption, or even shape-shifting botwalls.

Failing to address these issues may result in a cybersecurity breach leading to lost revenue and significant damage to a business’ brand as it affects both customer and investor confidence. In addition, a breach may result in remediation costs to customers or partners, litigation, compromised intellectual property, and cuts to staff.

Both large companies and start-ups need to be aware of these risks and take steps for planning, implementing, and reviewing cyber-defences. Larger organisations may consider minimising their risk by making sure that all entities they do business with adhere to these standards.

Russia sets a new deadline for data localisation, and removes Hong Kong and Switzerland from Adequate Privacy Protection List

This post was written by Cynthia O’Donoghue.

The Russian Duma recently set a new deadline for companies to localise on Russian soil their processing of Russian citizens' personal data, while the data protection authority published an order removing Hong Kong and Switzerland from its ‘adequate privacy protection list’.

The Russian Duma has voted through, on a first reading, an accelerated effective date for the data localisation law, moving the deadline forward by a year to 1 September 2015. Previously, Federal Law No. 242-FZ, which amends Russia’s 2006 data protection statute and primary data security law (Laws 152-FZ and 149-FZ), had been proposed to come into force as early as 1 January 2015, from the initial deadline of 1 September 2016.

In addition, the Russian data protection authority (Roscomnadzor) issued a new order removing Hong Kong and Switzerland from a list of countries that meet privacy protection adequacy standards in Russia. Nothing in the order indicates a reason for the removal. The order becomes effective 25 December 2014. The list of adequate countries includes all members of the Council of Europe Convention 108 on Data Protection, as well as Australia, Argentina, Israel, Canada, Morocco, Malaysia, Mexico, Mongolia, New Zealand, Angola, Benin, Cape Verde, South Korea, Peru, Senegal, Tunisia and Chile.

White House Previews Ambitious (if Familiar) Privacy and Cybersecurity Proposals for 2015

This post was written by Paul Bond and Divonne Smoyer.

On January 20, 2015, President Obama will address Congress with his annual State of the Union report. On Monday, the president spoke at the Federal Trade Commission, providing a “sneak peek” of the privacy and cybersecurity agenda that he intends to set.

Of the United States, the president remarked:
“We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.”

The president’s proposals were set forth in additional detail in a fact sheet.

The proposals include introduction of a “Personal Data Notification & Protection Act” to set a national, pre-emptive standard for data security notification. Aside from a change of the deadline to notify from 60 to 30 days after discovery, the proposal sounds similar to that proposed by the president in May 2011.

However, bills setting forth pre-emptive national data security breach notification requirements were put before the Senate and the House in the 113th Congress, and never got beyond committee.

While the case for a national, pre-emptive data security breach notification law is sound, we would expect state attorneys general to resist full pre-emption of their authority and to press for preservation of a significant enforcement role, as they have under HIPAA and COPPA. The attorneys general offered significant resistance to prior pre-emption efforts in other similar legislation.

The president also intends to introduce another so-called “Consumer Privacy Bill of Rights.” The administration has floated the idea of a “Consumer Privacy Bill of Rights” since the Commerce Department issued a green paper on privacy in 2012. A Consumer Privacy Bill of Rights was most recently introduced in May 2014, with S.2378 – the Commercial Privacy Bill of Rights Act of 2014. S.2378, like its predecessor S.799 in the prior Congress, was read twice and referred to committee. No further action was taken in either Congress. Notably, both S.2378 and S.799 were introduced to Senates controlled by the president’s own party, an advantage the White House no longer enjoys.

The White House also described its efforts to lead the creation of voluntary codes of conduct for privacy matters in the energy industry, and to push for stricter safeguards for information in the education sector. These smaller, less categorical initiatives may have a better chance of coming to fruition. However, the State of the Union, and Republican response to it, will provide a useful gauge of whether, as the president told Monday's audience, the privacy and security of consumer information is really an issue that “transcends politics, transcends ideology” in the Washington, D.C. of 2015.

EU Art. 29 Confirms Cookie Rules Apply to Digital Fingerprinting

This post was written by Cynthia O’Donoghue.

The Article 29 Data Protection Working Party (Working Party) released Opinion 9/2014 on ePrivacy Directive 2002/58/EC (amended in 2009), stating that the consent and transparency mechanisms apply to digital fingerprinting of devices (Opinion).

The Working Party issued the opinion to clarify that consent was required and to end “surreptitious tracking” of users in light of the increasing use of profiling technologies in an attempt to avoid reliance on cookies.

The Opinion defines ‘fingerprint’ as including “a set of information that can be used to single out, link or infer a user, user agent or device over time”, and states that the consent requirement applies to website publishers, third parties and the use of Application Programming Interfaces.

The Opinion sets out practical guidance providing six scenarios and requires prior consent for:

  • First-party website analytics – there is no exemption to obtaining consent for cookies that are strictly limited to first-party anonymised and aggregated statistical purposes
  • Tracking for online behavioural advertising
  • User access and control – where fingerprinting comprises information elements which store or gain access to information of the user’s device because such purposes are not considered “strictly necessary” to provide functionality explicitly requested by a user

As with cookies, consent is not required if fingerprinting is used for adapting the user interface to the device solely for network management, or as a security tool to prevent unauthorised access to services those users have accessed in the past.

Companies will now have to make clear in their cookie policies any use of alternative technological processes that can enable them to create a profile of users. The UK Information Commissioner’s Office welcomed the Opinion.

EU Commission Publishes Work Program for 2015

This post was written by Cynthia O’Donoghue.

The European Commission’s work program for 2015 covers 10 actions for 2015, including a “connected digital single market” across the EU.

As part of the Digital Single Market Package, the Commission aims to conclude negotiations on the European data protection reform and the Regulation, and to propose changes to deal with existing challenges in the sector, such as enhancing cyber security, modernizing copyright, and simplifying rules for consumers making online and digital purchases.

Annex 3 of the Work Program sets out REFIT actions (legislative initiatives to simplify and reduce regulatory burdens and ensure that EU legislation is fit for purpose). One proposed action in the “Digital Economy & Society” section includes an evaluation of the ePrivacy Directive 2002/58/EC “following agreement on the data protection proposal”. This action, however, is expected to be ‘ongoing’ until 2016.

This move towards a connected Digital Single Market, and the economic opportunities it brings, should present positive opportunities for future innovation.

Presidency of the Council of Ministers publishes amendments to 'one stop shop' of the draft EU Data Protection Regulation

This post was written by Cynthia O’Donoghue.

In October 2013, we reported on the move towards a ‘One Stop Shop’ (OSS) approach to EU Data Protection.

The OSS principle aims to create consistency for international organisations to process personal data in multiple member states through the appointment of a single competent authority to monitor the data-controller’s activities across all EU Member States. In November, the Presidency of the EU Council of Ministers announced its latest plans to remodel the OSS mechanism in its updates to the draft General Data Protection Regulation.

These amendments seek to address some of the concerns with the OSS principle which we reported on in March. Rather than the OSS being automatic, the proposals adopt an elective system whereby a business must apply for a lead regulatory authority. The proposal also addresses the need for an effective uniform decision-making process in conjunction with an effective redress based on geographic proximity for citizens.

The Presidency also proposed a process to ensure uniform decision-making by entrusting the European Data Protection Board with binding powers, albeit in limited cases, so long as decisions are made by a two-thirds majority.

In addressing proximity, the Presidency’s proposal attempts to address concerns raised by Data Protection Authorities (DPAs), by creating a cooperation mechanism for multi-jurisdictional matters involving several Member States’ DPAs. These proposed joint decisions seek to ensure that all interests are taken into account.

The Proposal suggests a more flexible and balanced approach to OSS under the Regulation, balancing the interests of both EU citizens and of businesses operating across several EU Member States.

EU Art. 29 Working Party Announces Cooperation Procedure for EU Model Clauses

This post was written by Cynthia O’Donoghue.

The Article 29 Data Protection Working Party (Working Party) released a Working Document setting forth a co-operation procedure for issuing common opinions on “Contractual clauses” considered as compliant with the EC Model Clauses (Working Document). The aim of this Working Document is to facilitate the use of the EU model clauses across multiple jurisdictions in Europe, while ensuring a harmonised and consistent approach to the way these model clauses are approved by the national Data Protection Authorities (DPAs).

There is currently a patchwork of authorisation and registration procedures among the national DPAs. When assessing a particular set of model clauses, one DPA may reach a different conclusion from another, resulting in uncertainty and legal risk for organisations.

Under the new co-operation procedure, the Working Party hopes to streamline the approval process, with the appointment of a Lead DPA deciding whether the proposed contractual clauses conform to the Model Clauses. Reasons for selecting a particular DPA as the Lead DPA include, among others, ‘the location from which the Company’s Clauses are decided and elaborated’, and ‘the place where most decisions in terms of the purposes and the means of processing are taken’.

Once the Lead DPA is satisfied that the contract complies with the EU Model Clauses, the Lead DPA will draft a letter to the co-reviewer(s) to review within the next month (two co-reviewers must be appointed in the event of the data being transferred from more than 10 Member States).

The principal concern with this procedure is that the proposed contract is only reviewed for its compliance with the EU model clauses. Further steps may still be needed to comply with national laws, such as the supporting documentation requirements in Spain. Nonetheless, it is hoped that this co-operation procedure facilitates and speeds up the authorisation process, while also providing greater legal certainty for companies that transfer personal data outside of the EEA.

Hong Kong Privacy Commissioner Ends 2014 with Special Interest in Mobile Apps

This post was written by Joan Hon.

The Hong Kong Privacy Commissioner of Personal Data (the “Commissioner”) ended 2014 with a special interest in mobile applications (“apps”).

In a media statement published 15 December 2014, the Commissioner reported that versions 4.3 and earlier of Google’s Android operating system contained a flaw that allowed others to read shared memory in mobile devices without the proper user permission. The Commissioner had contacted Google twice to formally request it to “take corrective action and/or warn the end-users concerned that they are subject to the risk of data access by malicious apps without their knowledge and permission.”

This is not the first time the Hong Kong privacy regulator has reproached Google for its data practices. In 2010, Google undertook to investigate its Street View and WiFi data collection, to ensure practices complied with Hong Kong law. Also, earlier in 2014, the Commissioner pressed Google to apply the EU “right to be forgotten” safeguard to Hong Kong.

On the same date, the Commissioner completed two separate investigative reports on mobile travel apps by travel services companies,* finding that these apps had either inappropriately collected excessive personal information without giving customers notice as to how their data was to be used, or otherwise failed to safeguard customer personal information.

Finally, the Commissioner also issued a statement on a survey done in conjunction with the 2nd annual Global Privacy Enforcement Network Mobile Sweep. The survey reviewed 60 popular mobile apps developed by Hong Kong entities and found that “their transparency in terms of privacy policy was clearly inadequate and there was no noticeable improvement compared with the results of a similar survey conducted in 2013.”
* The Commissioner conducts investigations of suspected breaches of the Personal Data (Privacy) Ordinance (Cap. 486) based on complaints received, and publishes an investigation report when he opines that it is in the public interest to do so.