The Organization for Economic Cooperation and Development ("OECD"), established in Paris in 1961, was a convention of European member countries of the European Economic Community.
A significant and early action by OECD was to establish a set of principles for protection of personal data.
It is most important in all consideration of personal data privacy issues to realize and acknowledge that privacy of personal data is not privacy per se. That is a huge subject and often not the matter of legislation.
But, taking the OECD personal data protection principles as a model for domestic legislation, the legislatures of widely varying countries around the world have enacted personal data privacy legislation.
One of these was Hong Kong, which enacted its Personal Data (Privacy) Ordinance ("PDPO") in 1996.
The PDPO was, and remains, principally concerned to control the collection and use of personal data.
"Personal Data" is defined in the PDPO as anything which enables a living individual to be identified. The most common item of such personal information is the Hong Kong identity card number of an individual.
The PDPO in its operational reality concerns three possible parties who are:
- the Data User – the collector of the personal data of an individual for the use by that collector;
- the Data Subject – the object (the individual concerned) whose personal data is collected by the Data User;
- the Data Processor – the party engaged by the Data User to process for any reason the Personal Data of the Data Subject under instruction from the Data User.
The PDPO was structured around eight Data Protection Principles ("DPPs") which were, and are:
Data Principle 1 – Collection must be for a novel purpose necessary for that purpose but not excessively so. At the time of collection the Data Subject must be informed whether he has no option but to supply it and, where it is obligatory for him to supply it, what are the consequences for him if he fails to supply it.
The established convention in Hong Kong to incorporate Data Principle 1 is through the Personal Information Collection Statement ("PIC") to which all Data Users are subject.
The practice is to establish a form of consent by Data Subjects to exemptions for the Data User from onerous requirements of the PDPO by including express reference, whether in hard copy or on a Data User's website, requiring a signed or "tick the box" confirmation by the Data Subject. Under the authority of the Electronic Transactions Ordinance, unless there is a specific rule of law that requires actual writing to evidence a commitment, the electronic transmission of consent is sufficient.
Data Principle 2 – All practicable steps must be taken to ensure the maintained accuracy and the known limited duration of retention of personal data.
Data Principle 3 – Use of Personal Data. The Data Subject must voluntarily give express consent to the use and must also give express further consent for the use of the collected personal data for any new use.
Data Principle 4 – The Data User is obliged to take all practicable steps to ensure that the collected personal data is protected against unauthorized or accidental access, processing, erasure or other use, and if a Data Processor is engaged by the Data User the contract between the appointing Data User and the appointed Data Processor must be carefully drawn to provide for liability of the Data Processor to the Data Subject for failure by the Data Processor.
Data Principle 5 – Information on the use by the Data Users of the collected data must be generally available.
Data Principle 6 – A Data Subject is entitled to access the fact of holding, the content of, and the length of holding time for the personal data collected, and to receive clear reasons for any refusal by the Data User to comply.
From the date of its enactment in Hong Kong in 1996, and under the able direction of a succession of Personal Data Privacy Commissioners ("PCs"), the PDPO has developed a substantial body of legal/regulatory mandates, all of which comprehensively indicate and support the full application of the PDPO. The developing bodies of substantial publication about the obligations under the PDPO have generated an increasingly important influence on the community in Hong Kong as a growing user – and abuser – of personal data in the Territory.
Of course, the PDPO was enacted before the internet became a reality in the lives of all individuals throughout the entire world.
The 1996 enactment included a Section 33 which did then, and continues today to, contain a prohibition on the transfer of personal data out of Hong Kong unless certain exemption requirements apply or are complied with.
However, in – and well before – 1996, substantial and growing use was made by Data Users of the personal data of Data Subjects for purposes such as payroll, leave/holiday recording, medical history and other related employment statistical functions, whether directly by the Data Users or through the engagement of Data Processors. Much personal data was transmitted overseas from Hong Kong, largely due to the high Hong Kong cost both of labour and of rentals of premises to house the labour which would otherwise be necessary for the processing of the personal data in Hong Kong. Because the bulk of the recording functions were too expensive to carry out in Hong Kong, and given that a very substantial bulk of personal data had been remitted out of Hong Kong to service providers in a number of places overseas, but particularly China, India and the Philippines, there was a distinct danger of dramatic economic destruction of this established state of affairs, with possibly unfairly damaging catastrophic results, if Section 33 had been implemented. In the years leading up to 1996, and as an important role played by China in the "Open Door" policy initiated by Deng Xiaoping in 1992, massive transmission from Hong Kong of personal data to service providers in Guangdong Province bordering Hong Kong was the established way to structure economic recording for many different reasons and purposes and, of course, China being a communist party controlled state, there was – and still is – no privacy or personal data privacy regulation on the ground in any way equivalent to the OECD principles and the PDPO.
This was because Section 33(1) has a curt and peremptory wording that Data Users shall not transfer personal data to a place outside Hong Kong unless one or more of six possible exemptions is available. Briefly, they are:
- if a place outside Hong Kong has been specified by the PC in a list prepared by the PC for the purposes of ensuring that the domestic law of that place secures personal
We understand that the PC has in fact prepared such a list covering approximately 51 countries but this list has not been published yet. However, given that the necessary research to establish data protection equivalence in the laws of these other countries is an extensive, expensive and time-consuming exercise, it is good that the PC has prepared this list, which will of course be very useful for Data Users to adopt in the context of future cross-border transmission of personal data; or
- that the Data User – having made specific due diligence enquiry – reasonably believes that in that foreign place there is an equivalent law to the PDPO; or
- the Data Subject has consented in writing to the transfer; or
- the Data User can establish reasonable grounds for belief that in all the circumstances the transfer is to avoid adverse action against the Data Subject and it is not practicable to obtain his consent and that if consent could have been obtained the Data Subject would give it; or
- the data is exempt from Data Protection Principle 3 by virtue of an exemption under Part 8 of the PDPO dealing with matters of public policy importance which should prevail over the PDPO controls such as preservation of evidence of criminal liability or the avoidance of civil damage; or
- the Data User can clearly show that it has taken reasonable precautions and exercised all due diligence to ensure that the foreign place will not collect, hold, process or use the personal data in any manner which, if that foreign place were Hong Kong, would be a contravention of the PDPO.
As stated above, in the years up to 1996 and in the absence of any controlling legislation such as the PDPO, the transmission of personal data outside Hong Kong to any one or several of a number of countries was huge and, although the well-intentioned thrust of the legislature was to control all such transmission for the benefit of the Hong Kong Data Subject, it would have been impossible to bring Section 33 into effect.
For that reason therefore, Section 33 was deliberately not brought into effect and has not been brought into effect yet.
In 2013 the PDPO was amended both to provide for responsibility of the Data User to contract specifically with any outsourced Data Processor and to increase penalties by substantial amounts for breach under the PDPO.
Accordingly, and given the predominant traffic of personal data on the internet, the ease of transmission of personal data out of Hong Kong has now become an arguably dangerous flouting of the control which the PDPO seeks to impose on Data Users in accordance with the six data collection principles set out in the PDPO.
Over what is now a five-year tenure, the present PC incumbent has been extremely diligent in applying the Data Protection Principles to all manner of Data User activity in Hong Kong, with the result that the envelope of liability for abuse of the six Data Protection Principles of the PDPO has spread wider and deeper than ever imagined, although without sanction of, or amendment to, the PDPO as enacted in 1996.
One of the principal current thrusts of the PC is to draw attention to Section 33 as a dormant giant which it is the responsibility of the community to wake up to and, by bringing it into effect, thereby round off the full force and control of the PDPO over use and abuse of personal data.
We do not have direct inside knowledge, but the indications are that the present PC has quite possibly achieved a liaison with the administration of the Hong Kong Government effectively clearing the way for the introduction of Section 33 into effect.
It is therefore possible to perceive a link in that one major personal data development instigated by the PC was the introduction and publication in December 2014 of the most recent of the "Guidance Notes" which the PC is empowered to issue.
This December 2014 Guidance Note is expressly headed "Guidance on Personal Data Protection in Cross-Border Data Transfer."
The Guidance Note sets out what is described as a practical guide to Data Users to prepare for the implementation of Section 33 of the PDPO.
The thrust is to confirm and illustrate understanding of the compliance obligations of Data Users with cross-border data transfer under the full impact of Section 33.
The Guidance Note sets out the available exemptions under Section 33(2), fully setting out the effective bite of the PDPO upon cross-border data transfer, the available exemptions from the application of the PDPO to any particular cross-border data transfer, and the detailed assistance provided to Data Users in their conditions of data collection, even to the extent of suggesting that they include model clauses set by the PC in their contracts with Data Processors with the intention of enabling those adopting the model clauses to continue the collection of personal data for cross-border transfer.
The December 2014 Guidance Note should be regarded as a wake-up call to the community in all aspects of its operations to what really should be seen as the impending bringing of Section 33 into effect. Given the substantial penalty increases brought in in 2013, it is important for all Data Users to be mindful of transgression against the rights of Data Subjects, who are all becoming increasingly aware of those rights in this day and age.