The investigation stems from reporting by the South China Morning Post, which uncovered that some long-time users, referred to as “legacy” or early adopters, remain unaware of potential privacy vulnerabilities in the app. PayMe, initially launched as a peer-to-peer social payment platform, allowed users to share transaction histories more openly in its early days, a feature reminiscent of social networking elements. As the app evolved into a mainstream e-wallet serving over 3.2 million users and more than 100,000 merchants (including retail shops and taxis), privacy expectations shifted, but not all early settings appear to have been updated proactively.
The PCPD confirmed it is examining “all relevant issues, including the vulnerability of legacy users and the need for in-app prompts.” A spokesperson emphasized that HSBC “must ensure the highest level of privacy protection by default,” aligning with global best practices like “privacy by design” under Hong Kong’s Personal Data (Privacy) Ordinance.
In response, HSBC stated that “users have been able to choose the level of visibility of their transaction history within the app from day one,” suggesting the issue may revolve around user awareness rather than a technical flaw. However, the critics' concerns and the watchdog’s focus on prompts indicate a potential gap: early users might still have default settings that make transaction details visible to others without recent notifications or easy opt-out reminders.
This case highlights a broader challenge in digital finance: apps that start with social features often carry legacy risks as they scale. PayMe’s transition from a fun, Venmo-like social payment tool to a utility for everyday transactions (integrated with Hong Kong’s Faster Payment System) underscores how initial designs can inadvertently expose data if not retroactively secured.
No breaches or unauthorized access have been reported, but the probe raises questions about proactive user protection in an era where mobile wallets handle sensitive financial data. The PCPD’s review could lead to recommendations for mandatory privacy audits or alerts for legacy accounts across similar apps.
As Hong Kong pushes for greater digital economy adoption, balancing innovation with robust data safeguards remains critical. Users concerned about their PayMe settings are advised to review visibility options directly in the app.