In late January 2024, Hong Kong’s privacy watchdog, the Personal Data Privacy Commission (“PCPD”) raided six premises of Worldcoin, a cryptocurrency initiative co-founded by Sam Altman, that requires an iris scan from clients for identification purposes and also for earning tokens. The PCPD conducted an investigation into Worldcoin’s operations, suspecting that its sensitive personal data (i.e. iris information) collection practices might infringe the Personal Data Privacy Ordinance (Cap. 486).
The PCPD’s move was of its own volition and not in response to a complaint, and this proactive gesture has received mixed reactions – facial recognition and iris scans are not unusual identity verification measures for cryptocurrency platforms, although Worldcoin’s approach of giving a coin reward in exchange is likely what piqued the PCPD’s interest. Some fear that this might deter platform players’ interest in Hong Kong, whilst others welcome the tightened approach to offer more the public more protection. Nevertheless, this move might shed some light to the approach of the authorities going forward, which recently announced proposed legislative amendments to the city’s privacy laws.
By way of background, the Ordinance was passed in 1995, and only underwent two major amendments to combat direct marketing provisions in 2012 and doxing acts in 2021. Many consider the current Ordinance to be over-simplified compared to similar regimes in Asia, and some revisions are required to keep up with new data privacy challenges and to address public concerns, including the long overdue introduction of a mandatory data breach notification mechanism, stricter data retention policies, and the direct regulation of data processors.
While PCPD intends to consider data protection laws of other jurisdictions, comparisons between the upcoming amendments and the latest data protection and cybersecurity regulations in Mainland China can be expected given that China’s regulatory framework is much more stringent and advanced.