Balancing Privacy Protection and Big Data Development


Youth I.D.E.A.S. 60


Balancing Privacy Protection and Big Data Development

16 May, 2021



There has been an increase in the development of digital identity worldwide with both public and private sectors utilising big data analysis and facial recognition to improve the efficiency and convenience of services. Through the support of artificial intelligence and deep learning, the accuracy of facial recognition by robots has surpassed that of humans, as shown in the GaussianFace algorithm developed by the Chinese University of Hong Kong in 2014.


According to a tech economy report, the global market of facial recognition will increase by US$3.3billion in 2024, with a compound annual growth rate of 12% from 2020 to 2024. This shows that facial recognition has great potential to develop in the age of big data.


In recent years, the HKSAR Government has been attempting to catch up with the rest of the world in terms of digital governance, including the introduction of the “LeaveHomeSafe” app and the “Multi-functional Smart Lampposts” Pilot Scheme. Yet, the recently proposed Real-name Registration Programme for SIM Cards and criminalisation of doxxing legislation has raised the public’s concerns regarding the legal protection of their personal privacy.


Currently, the protection of local-citizen personal data privacy comes under the Personal Data (Privacy) Ordinance (the “PDPO”) (Cap. 486), that is enforced by the Privacy Commissioner for Personal Data (PCPD). Since the PDPO came into force in 1996, it has been criticised for being outdated (e.g. regarding the definition of personal data and duration of retention i.e. there is no “right to be forgotten”). In addition, the PCPD has been criticised for lacking deterrence when it comes to monitoring data processors, especially in the execution of personal data breach notifications. Without criminal investigation and prosecution powers, the public has become concerned about the effectiveness of the PCPD to secure the public’s personal privacy.


There has been rapid development of privacy protection worldwide (e.g. the EU’s General Data Protection Regulation “GDPR”), with  citizens and relevant industry stakeholders placing increasing importance and paying more attention to the issue. It would therefore be worthwhile for the Hong Kong Government to consider updating the PDPO, especially in legal terms as it relates to such areas as sensitive personal data, data retention, and the accountability system of the data user. The Government could also review how the PCPD can better balance: crime prevention, securing the public’s right to know, technological advancement and citizens’ personal data privacy.


This research aims to understand the public’s concerns between their own privacy protection and using innovative technology for public health, public security, and news reporting purposes. It also aims to review and improve the system that monitors the use of personal data by private and public organisations, so that the interests of the various stakeholders involved can be better balanced in the age of Big Data.



  1. The laws that protect citizens’ privacy in Hong Kong are relatively outdated given the rapid development of big data analysis and artificial intelligence.
  2. Citizens are concerned with the safety of their privacy rights due to the outdated PDPO.
  3. The proposed amendments of the PDPO are controversial, and highlights why the interests of all stakeholders should be balanced between the privacy of individuals and public interest.3.1 The definition of personal data in the PDPO is outdated, and there is a lack of regulation on data retention. Despite such, citizens’ concerns about the privacy issues of the LeaveHomeSafe app have not been addressed.

    3.2 The PDPO has not yet adjusted the current data breach notification mechanism, undermining the accountability of data users; the Real-name Registration Programme for SIM Cards should not be implemented in a rush.

    3.3 The PDPO has not yet improved the protection of sensitive personal data despite the infringement to privacy by facial recognition, highlighting privacy concerns about Smart Lampposts and security cameras.

    3.4 The respondents agree that doxxing should be dealt with by granting more power to the PDPC. However, some interviewed experts worried that such a move would harm freedom of speech and the freedom of the press in Hong Kong.



  1. Expand the definition of Personal Data and introduce the category of ‘sensitive personal data’ in the PDPO.
  2. Introduce the “Accountability Principle” and a ‘“certification scheme”.
  3. Introduce a “tech supervisory sandbox” for start-ups.
  4. Provide access to a complaints agency and court-ordered remedies for victims of doxxing.
  5. Amend the PDPO first before enacting the Real-name Registration Programme for SIM Cards legislation.