After several high profile, large data breach incidents in Hong Kong, including involving companies such as Cathay Pacific, long-anticipated data privacy law reform has commenced in Hong Kong.
On 20 January 2020, the Hong Kong Legislative Council Panel on Constitutional Affairs (LegCo Panel) met to discuss proposed reforms to Hong Kong’s data protection law, the Personal Data (Privacy) Ordinance (Cap 486) (PDPO). The proposed law reform (Privacy Reforms) are set out in a discussion paper released by the Constitutional and Mainland Affairs Bureau (CMAB) and the Hong Kong Privacy Commissioner for Personal Data (Privacy Commissioner).
The proposed Privacy Reforms represent a major enhancement of personal data protection in Hong Kong, including strengthening of enforcement powers of the Privacy Commissioner. Given handling and use of data is a critical aspect of all businesses, understanding and planning for the proposed reforms will be important for all businesses that operate in Hong Kong or collect personal data from Hong Kong.
What do the Hong Kong Privacy Reforms Involve?
The Privacy Reforms involve the following changes in six key areas to the PDPO:
1. Mandatory data breach notification
In line with many other jurisdictions, the Privacy Commissioner proposed replacing the current voluntary data breach notification mechanism with a mandatory data breach notification mechanism. The mandatory data breach notification regime would involve:
- requiring companies to report to the Privacy Commissioner and affected individuals data breaches which meet a notification threshold of a “real risk of significant harm” (with factors being considered that would trigger the notification threshold including type and amount of data leaked and security level of data involved);
- the notification timeframe to be “as soon as practicable, and under all circumstances, in not more than five business days”; and
- a prescribed manner of notification to apply.
2. Sanctioning powers
The Privacy Commissioner is seeking to strengthen its power of enforcement with the power to impose administrative fines. Similar to the European General Data Protection Regulation (GDPR), the Privacy Commissioner proposes administrative fines to be linked with the annual turnover of the data users. The Privacy Reform paper makes reference to the maximum administrative fine that can be imposed under the GDPR - EUR 20 million or 4% of the company's global annual turnover in the preceding year (whichever is higher). There is a possibility of classifying data users of different scales according to their turnovers to match with different levels of administrative fines.
To improve the fairness of the administrative fines systems, the Privacy Commissioner proposed to give time for data users to make representations and provide for an appeal mechanism for data users to appeal against notices imposed. To raise the deterrent effect, the Privacy Commissioner also proposes to raise the current criminal fine levels for the penalty for contravening an enforcement notice (currently HK $50,000).
3. Regulation of data processors
With outsourcing activities such as sub-contracting data processing becoming more prevalent, and data processors merely indirectly regulated under the PDPO, the Privacy Commissioner proposes to directly regulate the data processors by imposing legal obligations on them or sub-contractors. The proposals include requiring data processors to be directly accountable for data retention and data security and to notify the Privacy Commissioner upon their being aware of any personal data breaches.
4. Definition of personal data
In light of the wide use of data tracking, analytics and big data technology, the Privacy Commissioner is seeking to expand the definition of "personal data" – from personal data which relates to an "identified person" to personal data which relates to an "identifiable person".
This would largely expand the parameters of the “personal data”, which would be extended to cover all location data and online identifiers such as IP address, email address, user name which may be traceable to an individual to be "personal data".
5. Data retention policy and period
Currently, data users are obliged to erase personal data when it is no longer necessary. However, this creates varying practices across businesses and vagueness surrounding the meaning of "no longer necessary". Noting the relevance between the length of data retention to the risks of data breach, the Privacy Commissioner proposes amending the PDPO to require data users to formulate a clear data retention period which specifies a retention period (or periods) for personal data collected (including for different categories of data held).
It also proposes amending Data Protection Principle 5 to expressly require data users to include a data retention policy in their privacy policies, to improve individuals' right to monitor the execution of the policy and to improve transparency. The Privacy Commissioner will provide templates and guidelines on retention policies for industry stakeholders to refer to.
6. Regulation of disclosure of personal data of other data subjects
There has been a large increase in complaints about ‘doxxing’ – which generally refers to the non-consensual disclosures of personal data such as photographs, name and other details, with an intent to cause psychological harm or other loss often through social media platforms and websites. In the period from 14 June 2019 alone, the Privacy Commissioner received some 4,700 doxxing related complaints and enquiries.
In response to this, the Privacy Commissioner is proposing amending the PDPO to give it the statutory power to request the removal of doxxing content from social media platforms or websites, and the power to carry out criminal investigations (including in the absence of a compliant from the data owner) and prosecution.
Osborne Clarke comments
The proposed Privacy Reforms do not represent a total overhaul or re-write of Hong Kong data privacy law, with the proposal only for targeted six key reforms to modernise the PDPO. Nonetheless, the Privacy Reforms are the most significant series of proposed data privacy law changes in Hong Kong since the PDPO was first enacted.
Some of these proposed reforms have been generally seen by the industry as being long overdue in light of businesses' increasing reliance and use of technology and data, and given current status of international data privacy law and standards, in which arguably Hong Kong’s PDPO has fallen behind some international data privacy norms.
The proposal for mandatory data breach notification for serious data breaches is increasingly common in many jurisdictions, with Hong Kong remaining one of a reducing number of jurisdictions not to impose a duty on data users to notify the Privacy Commissioner (or affected users) in the event of a data breach. This set of Privacy Reforms should therefore not come as a surprise. The timeframe of up to five business days for mandatory breach notification outlined in the Privacy Reforms represents a middle ground compared to strict jurisdictions like the EU under GDPR – which imposes a notification timeframe of 72 hours – and jurisdictions like Australia (which allows up to 30 days from becoming aware of a data breach likely to cause serious harm) and Singapore (which allows up to 30 days to investigate a data breach, and within 72 hours of determining a data breach is notifiable). Further detail will be required on to clarify what amounts to “real risk of significant” harm for Hong Kong’s mandatory data breach notification regime in order to mitigate against the risk of over-reporting of data breach notifications by businesses.
No public consultation with these Privacy Reforms have been scheduled. While some stakeholders and members of the LegCo Panel were critical of the Privacy Reform non-consultation process, the CMAB Secretariat and Privacy Commissioner noted that public consultation is a time-consuming and costly process and the fact that stakeholders have already provided some input and the some major privacy-related incidents meant a more rapid privacy law reform process was needed.
Certain data privacy matters are not under consideration under the Privacy Reforms, meaning such data privacy reform is not on the current Hong Kong government agenda. Some of these data privacy matters not under consideration in the Privacy Reforms include:
- Implementing section 33 of the PDPO and the issue of cross-border data transfers. Despite the Privacy Commissioner encouraging compliance, section 33 of the PDPO, which generally prohibits offshore transfers of data unless certain conditions are met has never been implemented formally in Hong Kong. Those conditions include consent to transfer, or reasonable precautions and due diligence being made to ensure the offshore recipient of the data transfer has a comparable level of data protection as that in Hong Kong. This delay in enacting section 33 was raised by some LegCo Panel members as a concern.
- ‘Sensitive personal data’, with some LegCo Panel members criticising the fact that there is no mention of ‘sensitive’ personal data, including biometrics, facial recognition and DNA, and proposing safeguards in line with international standards as part of the Privacy Reforms.
The proposed added sanctions powers of the Privacy Commissioner as part of the Privacy Reforms broadly meets expectations where there has been a general sense that the Privacy Commissioner’s powers were lacking, especially in context of doxxing incidents and data breaches/fines. The lack of the Privacy Commissioner’s sanction powers and ability to impose administrative fines/penalties was recently highlighted in the recent decision by the Information Commissioner’s Office of the United Kingdom (ICO). The ICO imposed a maximum financial penalty of £500,000 against Cathay Pacific for a serious data breaches for a period prior to 2018 (being the maximum amount imposed by the ICO under the pre-GDPR data privacy regime in the UK). The Privacy Commissioner also issued a media statement in March 2020, noting that the PDPO does not currently empower it to impose such a fine, but explaining that such powers and raising of fines were currently under review as part of Hong Kong’s legislative reform process to be implemented to act as a deterrent for such serious breaches.
Given technological advancements over the past two decades and a number of high profile data breach incidents such as the Cathay and Vtech data breaches, the proposed areas of data privacy reform raised in the Privacy Reform paper should be considered a positive step in modernising Hong Kong’s data protection regime to suit the demands of the current digital era and to more align with international best practice. If these Privacy Reforms are enacted into Hong Kong legislation, businesses will need to assess and possibly adjust their data collection and storage systems and processes and policies, conduct appropriate training as well as review their contracts for contractual enhancements to mitigate risk and liability.
As there is no public consultation period proposed, the next step will probably be for the Hong Kong government to propose a draft Bill to amend the PDPO to be introduced into Legislative Council. This is likely to take several months after LegCo met to discuss the Privacy Reform paper. In the meantime, businesses should familiarise themselves with the Privacy Reforms and start considering the significant organisational changes which may be needed to comply with these Privacy Reforms once enacted and start planning early. Osborne Clarke will monitor developments concerning these Privacy Reforms and provide a further update at the appropriate time.