Privacy Commissioner Issues Latest Guidance Note on Use of Social Media and Instant Messaging Apps


Our Partner Charles To and Trainee Solicitor Lily Leung wrote a summary on PCPD’s recent guidance note which sets out practical advice for the public to mitigate privacy risks when using social media and instant messaging apps.
Increasing reports of data breach incidents have alerted the public to the importance of protecting their personal data privacy in the virtual world. On 4 April 2021, the Privacy Commissioner for Personal Data (“PCPD”) announced in a media statement that it had commenced a compliance check on a suspected data breach related to Facebook users. Following the report, on 5 April 2021 the PCPD issued a guidance note setting out practical advice for the public to mitigate privacy risks when using social media and instant messaging apps.

Risks to Personal Data Privacy Relating to the Use of Social Media and Instant Messaging Apps

The PCPD pointed out that the use of social media and instant messaging apps carries inherent yet non-negligible risks to users’ privacy in relation to personal data. Several risks are identified as follows:
  • Loss of Privacy: Users of social media could unwittingly reveal more personal data than they expect and most materials shared online leave a perpetual digital footprint that is difficult to remove.
  • Misuse of Personal Data: Signing in to third-party apps using a social media account may enable cross-platform tracking. Sharing personal data excessively may also provide material for identity theft, cyberbullying or doxxing.
  • Fake accounts and identities: Fake online identities may seek to induce users to disclose personal data or intimate photos in order to perpetrate fraud, other crimes or misconduct.

PCPD’s Practical Advice in Various Circumstances

  • Signing up for a new social media account: Read privacy policies to understand how social media platforms handle one’s personal data, enable the end-to-end encryption function in instant messaging apps whenever available, and avoid submitting sensitive personal data such as address and date of birth when registering accounts.
  • Handling privacy settings: Examine and review default privacy settings regularly to retain control over the information to be disclosed. Consider limiting permissions granted to social media platforms, including but not limited to facial recognition, the location function of one’s device, tracking of activities across devices and the “look up” function using one’s email address or telephone number.
  • Sharing and posting: Be cautious when sharing or sending information on social media and consider how widely information is being shared, as such data would leave perpetual digital footprints. In particular, one should exercise due care when tagging other people in photos or sharing others’ personal data on social media platforms, as this may enroll their facial images in a biometric database.
  • Safeguarding personal data against online scams: Refrain from connecting with people one does not know in real life and beware of unsolicited benefits, prizes, charities or hyperlinks that request “log-in” or provision of personal data.

Where personal data is disclosed against one’s will, one shall take steps to mitigate the risks. If private, sensitive or inappropriate information is shared without consent, one could “report improper contents” to the service provider in order to have the posts removed. Where such disclosure is malicious, one should report it to the PCPD. When extortion for money or threats to personal safety are encountered, one should record evidence of the demand or threat and report to law enforcement agencies as soon as practicable.

For details, please refer to the following link for the Guidance Note:

Please contact our Partner, Mr. Charles To (email: [email protected]) or our Trainee Solicitor, Ms. Lily Leung (email: [email protected]) for more information.