More Information
- Privacy Commissioner completed investigation on Octopus Holdings Ltd
- Investigation Report – Octopus Rewards Program
- Predator Cooperation
- Octopus escapes penalty for selling data
- Octopus slips off the hook after data privacy breach
First published: 19th October 2010
Hong Kong's Privacy Commissioner for Personal Data has released the results of his three-month investigation into the sale of personal data by Octopus Cards Limited. The current limit of the Privacy Commissioner's powers is to issue an "enforcement notice", but Commissioner Allan Chiang Yam-wang said that Octopus is unlikely to contravene the Personal Data Privacy Ordinance again, so no notice will be issued.
The investigation revealed that Octopus had broken three Data Protection Principles, but the company stopped after the investigation started and Brenda Kwok, the Office of the Privacy Commissioner's chief legal counsel, explained that an enforcement notice could be issued only if it was likely that a contravention would continue.
Yui Kee's Chief Consultant, Allan Dyer, commented, "Ms. Kwok's interpretation of 'likely' is very interesting. From a business standpoint, Octopus Cards made tens of millions of dollars from the sale of the data. If the Privacy Commissioner had issued an enforcement notice, Octopus would face fines or jail for another violation. However, in the current situation, Octopus could sell the data again, and the worst possibly penalty would be an enforcement notice. The rational business decision in this situation is to repeat the violation until an enforcement notice is issued, naturally apologising abjectly on each repeat."