On 1 December 2015, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) commenced a compliance check resulting from the ‘data leakage incident’ of VTech Learning Lodge (VTech), a supplier of children’s learning and development toys. The incident was discovered on 24 November 2015. It involved the leakage of personal data of 5 million customer accounts (including more than 18,000 Australian accounts) and the profiles of around 200,000 children. The use of some interactive toys required the disclosure of certain information such as names, dates of birth, addresses, gender, download history etc. The leakage of the personal data of such children has created a serious concern for their privacy and security. This incident is governed by Hong Kong’s Personal Data (Privacy) Ordinance (the Ordinance), which grants certain powers to the PCPD to deal with the failure to properly secure personal data, including:
- The PCPD can serve an Enforcement Notice on the offending company to remedy the failure.
- If the Enforcement Notice is not complied with, the PCPD can issue penalties. The maximum penalty under the Ordinance is HKD50,000 (approximately AUD9,000) and imprisonment for 2 years.
- If the failure continues after the conviction, a daily penalty of HKD1,000 (approximately AUD180) applies until the failure is rectified.
Under the Ordinance, businesses are required to implement and adhere to stringent data security measures. The punitive penalties are enforced as a means of encouraging businesses to implement those security measures. However, aside from potential reputational damage, it is difficult to see how an organisation as large as VTech may be deterred by the types/quantum of penalties available under the Ordinance. The incident was reported to the Office of the Australian Information Commissioner (OAIC) in early December 2015. The OAIC is working closely with the PCPD to handle the breach and the consequences stemming from it. A copy of VTech’s press release can be found here.