Hong Kong’s privacy watchdog is investigating risks to early users of HSBC’s popular PayMe mobile app after the Post discovered some remain unaware their personal details may have been exposed.
The Office of the Privacy Commissioner for Personal Data (PCPD) told the Post on Monday that the compliance review would “look into all relevant issues, including the vulnerability of legacy users and the need for in-app prompts”.
The watchdog said the bank must ensure the highest level of privacy protection by default.
This follows HSBC’s statement that users have been able to choose the level of visibility of their transaction history within the app from day one.
One of Hong Kong’s largest e-payment platforms, PayMe serves more than 100,000 local and online merchants, from retail shops to taxis across the city.
At the centre of concern are the early adopters among the app’s 3.2 million users, those who signed up during its initial phase as a peer-to-peer social payment app.
Some customers who adopted the app before 2019 were unaware that their transaction history could be viewed by friends within the platform.
Isaacson Ng, who started using PayMe before the default sharing setting changed to private, was shocked to learn from a Post reporter that he could access the payment records of a friend on the app.
He said he was unaware that his own transaction history could be viewed by others, or that there was an option to set his app preferences to “private.”
An accountant who joined PayMe before the default settings were made private in 2019 had a similar experience.
“I wasn’t sure [about it]. I never touched the settings at the beginning,” said the accountant, who identified himself only as Mr Lau. “No wonder my colleague once told me that people found out how much her husband gave her to buy a handbag.”
But the Post’s check of the app on Wednesday revealed that friends’ transaction amounts were not visible.

Social media users had previously expressed confusion over the feature.
The regulator noted that users would be required to take “deliberate and informed action” to opt into any settings that lower their privacy, such as permitting others on the app to access their personal data.
But it added that service providers should follow the principle of “privacy by default,” meaning the highest level of protection should be enabled automatically.
“Service providers of mobile applications should adopt appropriate measures to ensure that all users are aware of their rights and options for controlling their levels of privacy protection,” the regulator said.
“‘Private’ is the default setting for newly joined PayMe users since August 2019,” the bank said on its website.
For those who joined before that date, the default remains “Friends”, allowing friends on the app to see their transaction records unless the setting is manually changed.
HSBC told the Post that “all existing users were notified via email at that time about their options for public to private settings, and they can update their preferences at any time based on their privacy needs”.
“Since the launch of PayMe, the option to switch from public to private and vice versa, is always available to customers through the PayMe application,” the bank said. “We have not been notified of any privacy-related violations from regulators.”
A PCPD spokesman said that as the compliance check was ongoing, it “would not comment on the case at this stage”. -- SOUTH CHINA MORNING POST
