Hong Kong: Closed Privacy Commissioner for Personal Data Investigation of Carousell for Unauthorised Scraping of Users' Personal Data

On 21 December 2023, the Hong Kong Privacy Commissioner for Personal Data (PCPD) closed its investigation of Carousell for unauthorised scraping of its users' personal data. The PCPD found Carousell had deficient assessment procedures and data safeguarding policies in place during a system migration in January 2022, resulting in a data breach affecting over 320'000 Hong Kong users and 2.6 mln Carousell users worldwide. The PCPD has issued an enforcement notice to Carousell, directing them to remedy the contraventions and strengthen data security around system migrations. The report was also shared with the Personal Data Protection Commission (PDPC) of Singapore, where Carousell is based, in accordance with the Memorandum of Understanding signed between the Hong Kong PCPD and Singapore PDPC.