In July, it was reported that electronic payment services firm Octopus Holdings has been selling customers’ personal data for four years, and the Hong Kong privacy commissioner was investigating the sales. Octopus cards are used as “cashless payment” for mass transit or other purchases. Cardholders add money to the card and the value is deducted as they make purchases. They can refill the cards. (In April, the Wall Street Journal reported on privacy questions Octopus Holdings’ plans to expand into China.)
A couple of weeks later, the chief executive of Hong Kong Octopus Holdings “resigned over its scandal of selling almost two million customer’s private data to third party, and the firm will donate HK$44 million ($5.7 million) in revenue to charity,” reported the International Business Times.
Now, People’s Daily reports that the Hong Kong privacy commissioner, Allan Chiang, has finished his investigation into Octopus’s sale of consumer data:
The city’s leading e-payment operator Octopus holdings […] violated the principles of personal data protection, said Hong Kong’s privacy watchdog, which is seeking tighter law and larger power to protect the public’s privacy.
Releasing his investigation report on the issue on Monday, the city’s Privacy Commissioner for Personal Data Allan Chiang said the company collected excessive and unnecessary personal data, and did not take appropriate measures to inform customers where their personal data will be transferred to. […]
Octopus promised to delete excessive and unnecessary data collected under the program in two months’ time. Personal data which has been sold to the company’s five business partners will also be deleted. It will redesign the customer declaration form to make it more readable and give clearer definitions of data transferees.
Chiang said he decided not to issue an enforcement notice to Octopus because the company pledged not make the same mistakes again.
He also noted that the existing ordinance is inadequate to protect privacy because the commissioner has no power to penalize people or organizations violating the Personal Data (Privacy) Ordinance. […]
The Hong Kong Special Administrative Region government is working with the city’s privacy watchdog to table new legislation in an attempt to better protect the public as soon as possible.