Caging the Octopus
Updated: 2010-08-13 07:35
By Leung Mei-Fun
The most sensational recent topic in the city absolutely must be the sale by Octopus Cards of its customer information database, receiving profitable commissions for doing so, while all the while keeping the people of Hong Kong in the dark. Who could imagine that our personal data can be sold in such a casual manner, with information changing hands twice, thrice, or even countless times? No wonder mobile phone users receive random promotion calls all the time. The way that Octopus, as a public utility, "takes care of" personal privacy is indeed appalling and shocking! It is especially so as Octopus holds millions of Hong Kong citizens' personal data and was thus able to severely infringe the privacy of such a vast number of people while keeping all of them ignorant about what was happening to their personal data. Octopus has to be held fully responsible for these offenses and it is entirely out of the question that the company should escape blame.
In this incident, Octopus Rewards Limited, a company wholly owned by Octopus Holdings, gave out personal data of 1.97 million registered individuals to six companies participating in the Octopus Rewards Program. Octopus made a massive profit of HK$44 million. It involved the privacy of people of various social strata and ages, including, I believe, most of the primary and secondary school students, who for the sake of necessity and convenience during their travel to and from their schools, would most likely have "a card in hand". Ordinary citizens are also willing to provide personal data in order to enjoy all sorts of purchasing discounts. Hong Kong has experienced a few instances of breached privacy in the past few years. There was the loss of patients' personal data at United Hospital. There were unrestricted downloads of files of complaints against police officers by members of the public. These were all unintentional and traced to carelessness or the installation of sharing software. The Octopus incident, however, amounted to calculated acts wherein personal data was sold intentionally and deliberately for profit. Not only did the company turn its back on the customer's trust, but it also stood in direct defiance of the Personal Data (Privacy) Ordinance. This may have serious repercussions that the government must face squarely.
Generally, people buy Octopus cards for convenience and seldom pay attention to whether or not there are any disadvantageous rules, spelled out in those elongated terms and conditions, printed in microscopic font on the back of the application form. People remained in ignorance until the time they realized they had been cheated. The government and regulatory authorities must address these issues now to regulate and provide proper guidelines aimed at protecting citizens' rights vigorously.
As the Octopus Card has become a daily necessity indispensable for Hong Kong people, Octopus has gained access to an enormous amount of personal data comparable to what the Hong Kong Immigration Department holds. Moreover, as Octopus has gained a monopoly, the government ought to impose severe supervision and control over it as soon as possible to block any personal data leakage. Prudence Chan Bik-wan, chief executive of Octopus Holdings Limited, at first protested that the company did not sell its customer data. Later she said that there was a transfer of data, and finally she confessed to having sold private personal data to make money. She lied from the beginning and lost all credibility. The MTR, being the major shareholder of the Octopus Company, has already stated that it was not informed of the breach of privacy and pointed out that such conduct on the part of Octopus was wrong. MTR has apologized to the public, but it still has to give a clear account of its poor management to minority shareholders and the citizens of Hong Kong and put forward measures for improvement.
There are still quite a few suspicious matters to be clarified in the Octopus breach of citizens' privacy, such as the true account of the transferred data, whether or not there were restrictions to the further transfer of the data, the contents of the contracts between Octopus and the companies purchasing the data, the exact amount of money earned, etc. I strongly urge Octopus Holdings to confess fully to the Legislative Council (LegCo) as early as possible. If all those suspicious matters and worries cannot finally be resolved, I am afraid that the LegCo will again apply the (Power and Privileges) Ordinance, the "Imperial Sword" in its arsenal, to establish a Select Committee to begin a carpet investigation of this incident or a bill committee to discuss whether it is necessary to amend the Personal Data (Privacy) Ordinance.
The author is a member of the Legislative Council and associate professor in the School of Law, City University of Hong Kong.
(HK Edition 08/13/2010 page2)