Hong Kong's privacy watchdog said in a report published on Monday that about one-third of online travel, platforms do not indicate the dates for which personal data will be retained, urging operators to designate staff to monitor compliance with regulations and to implement the most protective options as the default. 

In a joint statement, the Hong Kong Data Protection Commission and 15 international data protection agencies have outlined measures to promote privacy in social media platforms, amid growing concerns that information is being collected to train artificial intelligence (AI) for use in consumer products. The Privacy Commissioner of Hong Kong, Ada Chung Lai-ling, said on Saturday that, along with the AI development, a large-scale data collection was also carried out from social media users, hundreds of thousands of whose personal information had been scraped and shared with external companies to build data sets for advertising use. 

Several data privacy authorities around the globe are concerned about this practice - some involving legal actions and some not - that, according to Chung, has become a global issue, which concerns privacy authorities in countries like the United Kingdom, Canada, Mexico, and Spain. There are 16 authorities, including Hong Kong's Privacy Commissioner for Personal Data, who have signed a joint statement on Tuesday defining global standards for the protection of data and expressing their expectations of organizations to adhere to these standards. 

In an announcement on Monday, the Office of the Privacy Commissioner for Personal Data said it had reviewed 10 online travel platforms and found that two operators had indicated that users' data could be utilized in AI-powered services. In addition to that, they also aim to help residents gain a better understanding of how these platforms secure their data by providing them with easy access to their privacy policies and user interface design, thus strengthening their ability to protect their personal information when placing orders online for travel products. 

Ten platforms, using their websites and mobile applications, were assessed during the review, which was conducted between February and October. There were only five sites that included sections in their privacy policies about data retention, namely Agoda, EGL Tours, Expedia, Trip.com, and WWPKG, and the others did not. 

The watchdog commended Expedia for setting clear deadlines and conditions for the retention of user data and for acting proactively, which it believes other companies should learn from. When contacted by the office, two of the platforms - Goldjoy Holidays and Wing On Travel - confirmed that they had added data retention clauses to their privacy policies as part of their processes. Despite this, Miramar Travel, Sunflower Travel, and Travel Expert have not provided such information to customers so far, it was stated. According to the review, both Expedia and Agoda have clearly stated that they use AI for the enhancement of their services, which may include the collection and use of personal information as part of the process. 

Expedia states that it uses such data to provide customers with destination recommendations, price comparisons and other features as described in its policy. There was a similar concern raised by the UK's Information Commissioner's Office about the company's collection of British users' data in September and as a result, the company suspended the collection of users' data. According to Chung, the measures and principles outlined in the joint statement would be applicable globally, and it would be the legal authorities' responsibility to enforce them. There was a report that the watchdog was investigating a platform that was not under the jurisdiction of Hong Kong, which was suspected to be violating the Personal Data (Privacy) Ordinance, by a report. 

It is important to note, however, that she did not go into much detail about this case. According to the watchdog, even though some platforms still did not contain sections on data retention, all the platforms did provide their privacy policies to users, and they all explained why user information was collected and what it was used for. Furthermore, according to the operators, several third parties may be able to receive the data of their customers, including airlines and insurance companies. In its review report, the office stated that all the platforms were tracking users' activities, collecting data such as their location information and browsing histories, and obtaining their consent to engage in direct marketing activities. 

A recommendation made by the office suggests that the platforms implement a personal data privacy management program and that they appoint a data protection officer to monitor compliance with privacy regulations regularly Also, the report recommended that the companies adopt the privacy-by-design principle, which would entail setting the most protective option as the default, and disclosing in their policies whether or not AI had been used in the process of processing personal information. 

Travel policies are considered by only 8% of travellers before accepting a job before accepting a new one, but they play an important role in deciding whether they will stay with the company or leave. Travellers' perceptions of the impact this has on their job tenure vary significantly across regions, with nearly half of those living in APAC certifying that it has an impact, compared to 27% living in EMEA and 21% living in North America. Creating policies that are tailored to regional needs may enhance the retention and compliance of employees. 

In addition to data breaches, Chung noted that one other challenge global privacy authorities have to deal with is data breaches. He said the agency had tracked 155 reports in the first three quarters, compared to 157 reports last year. A recent data breach at the South China Athletic Association has compromised the personal information of over 70,000 individuals. This incident follows a similar cyberattack on the charity Oxfam in August, which exposed sensitive data of more than 470,000 users. 

Cybersecurity expert Chung commented on the growing prevalence of such breaches, noting that they have become an expected challenge in today’s digital age. She emphasized that while data breaches are increasingly common, they serve as critical reminders for organizations in both the public and private sectors to prioritize robust data and privacy safeguards. Chung also highlighted that every reported breach contributes to a broader awareness among businesses and institutions, urging them to take proactive steps in fortifying their cybersecurity measures. 

These incidents underscore the pressing need for organizations to adopt advanced security protocols and maintain strict vigilance in managing personal and sensitive data. As threats continue to evolve, the collective effort to safeguard digital infrastructure remains paramount.