Hong Kong’s Office of the Privacy Commissioner for Personal Data (Commissioner) recently released media statements on four mobile app developers that were found to have violated the Personal Data (Privacy) Ordinance (Chapter 486) (PDPO). The Commissioner found that one mobile app developer, Package Tours, collected "excessive data" including dates of birth and ID numbers, while another travel app had a serious security flaw that leaked private information.

In the case of Package Tours, the Commissioner stated that the app developer failed to inform customers about the purpose of data collection or their right to access and correct their personal data upon request. Further, it found that the collection of dates of birth and ID numbers was "unnecessary and excessive." Note that the Commissioner's Best Practice Guide for Mobile App Development encourages mobile app developers to "[o]nly access the types of data necessary for the app" and to state to users what data is being accessed, what the purpose is, and how it will be used.

For now, it appears that the Commissioner's response is limited to requiring the app developers to correct their respective data privacy issues and warning users about the data security issues. But, future enforcement action is possible for continued violations.

TIP: Mobile app developers who sell apps in Hong Kong app stores should become familiar with and implement the best practices found in the Guidelines. Failure to do so could result in reputational damage and possible enforcement action.