Hong Kong’s Privacy Commissioner for Personal Data has initiated a compliance check on Facebook after the company revealed it was the victim of a hack that affected more than 50 million accounts.
In a statement issued on Wednesday, Privacy Commissioner Stephen Wong Kai-yi said he has contacted Facebook to express concern over the incident and to obtain further information on the case, given that Hong Kong account holders were likely affected by the hack.
Last week, Facebook pre-emptively logged out 90 million users after attackers exploited a system vulnerability, putting at least 50 million users’ data at risk.
Facebook said there is no need for account holders to change their passwords, and added that its investigation has so far found no evidence that the attackers accessed any third-party apps.
Cambridge Analytica scandal
The Privacy Commissioner completed a similar compliance check on Facebook in August over the Cambridge Analytica scandal, in which the firm harvested data from millions of Facebook profiles without users’ consent.
The Privacy Commissioner said at the time that Facebook’s office in Hong Kong did not control the collection, holding, processing or use of the data of Hong Kong account holders.
The data is controlled by Facebook Ireland, which said that no personal data of Hong Kong account holders was disclosed to Cambridge Analytica.
“At present, there is no evidence showing that Facebook’s account holders in Hong Kong were involved in the incident,” the Privacy Commissioner said, adding that it had received no complaints of data misuse from Hong Kong account holders.
Since Facebook’s Hong Kong entity does not control the data of its Hong Kong account holders, Facebook HK cannot be regarded as a “data user” under Hong Kong law, the Privacy Commissioner said.
“The relevant regulatory provisions in the Ordinance are therefore not applicable in this incident,” he said.
At the time, the Privacy Commissioner said Facebook could have done better, and that it fell short of public expectations in its handling of the incident.
“Although there is no evidence showing that Facebook’s operation in Hong Kong has contravened the PDPO, Facebook as a global social media leader must be accountable to the account holders of all the countries and regions (including Hong Kong) by adopting measures to safeguard their personal data privacy,” Wong said.