As the storage of personal data increasingly moves online, security of personal data is a major concern for multinational companies. With the increased use of online storage solutions, data breaches have increased as well. To address such shifting risks to personal data, draft amendments to the existing laws safeguarding personal data in Hong Kong were recently published which could affect how companies can go about its storage of data online.
This article provides an overview of the existing laws relating to the use and storage of personal data online, the proposed amendments to such laws, and suggests some best practices in this connection.
- Risks Arising From Increasing Use Of Online Data Storage / Transfer
The Hong Kong government has recently published a review paper1 on proposed amendments to Hong Kong's data protection laws, the Personal Data (Privacy) Ordinance ("PDPO"). The Review Paper and the changes to the existing laws discussed therein place a clear focus on combating online attacks of personal data. To that extent, the Review Paper notes the challenges for personal data protection arising from the widespread use of the internet and mobile communication, in particular as recent incidents of personal data privacy breaches have shifted from improper collection and use of personal data for direct marketing, to those related to data breaches concerning digital platforms and hacker attacks resulting from security loopholes.2
If such data breaches occur, companies are exposed to a range of risks, from reputational issues if data breaches are made public, civil suits brought by those whose personal data was exposed, to regulatory enforcement for failures to properly safeguard personal data stored online. In order to sharpen the enforcement tools available to Hong Kong regulator, the Review Paper suggests a number of potentially substantial changes to the PDPO. Once such changes take effect, Hong Kong's current laws on personal data would follow regimes in other regions, most notably the General Data Protection Regulation ("GDPR") passed by the European Parliament in 20163, and allow for much higher fines for companies who fail to properly secure personal data collected by them.
- Current Regulatory Regime for the Collection of Personal Data
The PDPO defines "personal data" as information which (i) relates to a living individual; (ii) can be used to identify that individual; and (iii) must exist in a form which may be accessed or processed.4 This scope is wide and includes information ranging from a person's identity card number, name, email, residential address and login credentials (these may have to be considered together for them to constitute "personal data" under the PDPO) to biometric data such as a person's fingerprint images or their numeric representations.5
The PDPO sets out a number of general rules for collecting and managing personal data that apply in all situations including for online storage of personal data. These general rules are recorded in Data Protection Principles ("DPPs"): DPP 1 provides that personal data can only be collected for a lawful purpose directly related to a function or activity of the data user (i.e. the entity which collects the personal data).6 DPP 1 further provides that a data user needs to inform the data subjects (i.e. the person whose personal data is collected) whether it is obligatory or voluntary to provide the personal data, the purpose of using their personal data and the classes of persons to whom their data may be transferred.7 This is usually done by providing the data subject with a Personal Information Collection Statement ("PICS"). DPP 3 prohibits personal data to be used for any new purpose (of which the data subject has not originally been informed) and requires fresh consent to be obtained prior to any such new use.8 These general principles are aimed at making the owner of the personal data aware of the purpose of the collection and use of the personal data prior to such collection to enable that person to make an informed choice of whether personal data should be submitted, and also to prevent unauthorised use of personal data that has not been consented to.
The following general principles have more direct application in the context of online data storage: DPP 2 provides that personal data should not be stored longer than necessary for the intended purpose,9 and DPP 4 requires the data user to adopt sufficient safeguards to protect the personal data from unauthorised access or accidental loss.10 Both principles directly address potential issues arising from companies engaging third parties to handle the personal data they collect. The PDPO defines such third parties as "data processors", i.e. persons or entities that process personal data on behalf of someone else and not for their own purposes.11 Cloud storage providers that simply provide hosting / storage solutions for companies would fall within this category. For such data processors, the PDPO requires that companies must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than necessary for processing the data.12 Similarly, a company must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor.13 The PDPO applies whether such data processor is located in or outside of Hong Kong. Finally, the PDPO currently does not include a mandatory notification requirement for data breaches.
In summary, while the PDPO currently does not directly regulate data processors, it places an obligation on companies using services of third-party data processors for the purpose of online storage of personal data (among other purposes) to ensure that the same standards such companies themselves have to apply in terms of data security and retention also apply to the handling of such data by these third-party providers.
It is worth noting that the PDPO currently does not prohibit the transfer of personal data out of Hong Kong without consent from the person from whom the personal data is collected. Whilst a provision to this effect was drafted many years ago, it has not entered into force.14
- Enforcement and Sanction Powers under the PDPO
The PDPO is enforced by the Privacy Commissioner. For violations of the principles set out above in relation to the storage and safeguarding of personal data, the Commissioner may issue enforcement notices directing data users to rectify data breaches, and may, on first conviction for non-compliance with the notice, impose fines of up to HK$50,00015 (HK$100,000 on a subsequent conviction16; and in extreme cases, recommend prosecution).17 In addition to fines, non-compliance with the notice is punishable by imprisonment of 2 years. In summary, while the scope of the current legal regime is wide, the power of the Privacy Commission to hand down fines that serve as a practical deterrent and encourage companies to adopt more stringent measures safeguarding personal data is limited as the level of available fines under the PDPO is widely regarded as too low.
Similarly, cases directly relating to data breaches resulting in the loss or unauthorised access and distribution of personal data stored online are relatively rare in Hong Kong which at least partly is due to the absence of a mandatory reporting requirement for data breaches under the current laws. That being said, a recent case of a credit rating agency dealt with risk assessment aspects of securing personal data stored online including what level of security is appropriate to safeguard access to personal data stored online.18 Considering the volume and significance of personal data collected by the credit rating agency, the Privacy Commissioner concluded that a contravention of DPP 4 (1) took place and noted that DPP 4 (1) calls for an assessment of whether the security measures undertaken by the data user in respect of the personal data held were proportional to the degree of sensitivity of the data and the negative impact of unauthorised or accidental access to such data.19 Although the case did not result in large scale data breaches or heavy sanctions, it demonstrates the Privacy Commissioner's increasing focus on the security of personal data stored online.
- Proposed Changes to the Law in Hong Kong
This increased focus on the security of personal data stored online is further manifested in the government's proposed amendments to the PDPO as outlined in the Review Paper.
As noted, apart from the requirement to safeguard personal data from unauthorised access, there is no mandatory reporting requirement under the PDPO when a data breach occurs. As such, data breaches currently are only reported on a voluntary basis. The paper has identified this as a potential weakness of the current regime and amendments to the PDPO will likely include a mandatory requirement to report data breaches to the person from whom personal data was collected as well as the Privacy Commissioner.20 Such potential changes are aimed at improving awareness of data breaches but also allowing the Privacy Commissioner to monitor the response to such data breaches more actively.21
As part of the potential amendments, the Review Paper proposes to require companies to specify a data retention period for the personal data they collected.22 This would make the current requirement for not keeping personal data longer than required more tangible and also provide the Privacy Commissioner with the ability to assess and review data retention practices adopted by companies. Such changes would also affect a company's engagement of third-party providers for online storage etc., as they would have to ensure that the retention period they define for the personal data they collect is also applied by the third parties they engage to handle or store such personal data.23
The proposed amendments also recognise that data processors, such as third-party providers of data / cloud storage, are currently not directly regulated under the PDPO.24 The focus on the liability of online storage providers follows recent global data breach cases where the attribution of liability between the company collecting the personal data and the online storage provider who provided hosting for such personal data became an issue.25 One such case concerns a data breach involving personal data collected by a financial service provider.26 The relevant personal data was stored with one of the largest providers of cloud storage globally and prosecutors in this case alleged that a firewall misconfiguration causing a server vulnerability of the cloud storage provider contributed to the data breach.
Under the current PDPO, the liability of the cloud storage provider would be limited. In order to strengthen the protection of personal data and minimise any potential loopholes under the existing laws, the proposed amendments to the PDPO suggest extending the coverage of the PDPO to data processors,27 holding them liable for data security and retention and require them to independently report data breaches.28 Such change would help to balance the burden of safeguarding personal data as such burden would no longer be solely placed on the company collecting the personal data.
The proposed amendments also include an extension of the definition of "personal data" to also cover data relating to an "identifiable person".29 This extension would cover (inter alia) Internet Protocol addresses.
Finally, as set out above, in its current form, the sanctioning power under the PDPO is relatively weak. In the Review Paper makes, particular reference to the GDPR which provides for substantial administrative fines of up to EUR € 20 million or 4% of a company's global annual turnover. On that basis, the Review Paper is assessing whether a similar system of administrative fines could be adopted under the PDPO which would serve to substantially increase the enforcement risks for companies failing to comply with the PDPO.
- Best Practices For Using Third-Party Online / Cloud Data Storage Solutions
As it is likely that some if not all of the proposed amendments will make it into an amended version of the PDPO, we set out best practices for the online storage of personal data that take into account some of the suggested amendments to the PDPO.
- As a matter of continuous review of business practices, companies should assess what personal data is collected by them and how such personal data is stored.
- On the basis of such initial assessment and the nature and sensitivity of the personal data collected, companies should assess whether sufficient safeguards are in place to prevent unauthorised access or loss of personal data (the recent case referred to above has made it clear that the Privacy Commissioner will look for a proportionality of the sensitivity and quantity of personal data stored and the safeguards put in place to secure such data).30
- Part of a company's exercise to assess the safeguards put in place for personal data is to assess who apart from the company's staff has access to such personal data, i.e. is personal data being shared with others, or are third parties assisting with the handling and/or storage of such data.
- A company should formulate or update relevant internal policies on handling and storage of personal data, making sure all personal data controlled and handled by the company is covered.
- In light of the proposed amendment, a company should proactively formulate a data retention policy including identified data retention periods and make sure that such policy is properly implemented. While it is currently not a requirement under the PDPO to formulate a data retention period, as a matter of best practice, it is recommended to define such period(s) in accordance with the type and use of the personal data collected.
- To prepare for potential data breaches, a company should create a protocol to deal with incidents and the relevant notifications to the persons whose personal data may have been subject to a data breach and to the Privacy Commissioner.
- Before entering into any contracts with third party providers for the processing or storage of personal data, companies should carefully assess potential third-party providers of online / cloud data storage, making sure to choose reputable providers with good track records in terms of data security.
- When engaging such third party providers, companies should update or adopt relevant contracts to ensure the third-party provider:
- deploys sufficient security measures to secure the personal data entrusted to it (and has similar internal policies in place to regulate the security protocols applied by such provider and its staff);
- abides by the data retention policies formulated by the company and returns, destroys or deletes personal data entrusted to such provider in accordance with such policies;
- only uses the personal data for the purpose that it was entrusted to such provider (i.e. for a storage provider, any other use or access to the data by such provider should be prohibited);
- does not further sub-contract the handling or storage of the data entrusted to it;
- has a protocol in place to monitor the personal data handled by or stored with it and notify the company (and potentially the Privacy Commissioner) of any data breach;
- agrees to periodic audits of its systems and measures updated to secure the personal data entrusted to it.
- If any such third-party provider is located overseas, a company should ensure that relevant contracts it enters into with such providers are enforceable in Hong Kong.
- Following the engagement of third-party providers, companies should keep records of the data that is transferred to such third-party providers in order to be able to trace and retrieve such data at any time and ensure that the data is destroyed in accordance with the agreed retention period.
- In order to limit risks of data breaches and ensure that personal data is not used for any purpose which has not been consented to by the owner of such data, a company should assess, prior to any transfer of personal data, whether such transfer is necessary and whether the personal data could be anonymised or redacted.
- For data processors, while the PDPO is currently not directly applicable to them, it is likely that future amendments will extend the PDPO's reach to cover them. As such, and insofar as not already in place, third-party providers should adopt their own policies to safeguard personal data they handle on behalf of their customers and make sure that proper procedures of data retention and notification of possible breaches exist in such policies.
The public is increasingly focused on the handling of personal data by large companies and whether such data is properly secured from unauthorised access. As data breaches may cause the loss or disclosure of personal data affecting many people, the reputational risks for companies are already very high. Proposed amendments to the PDPO and recent enforcement actions suggest that the Hong Kong government is aware of the danger of large scale data breaches and the public interest in making sure that companies properly safeguard personal data entrusted to them. While it is currently unclear when the proposed amendments will be implemented and to what degree, it appears likely that Hong Kong will soon be broadening the scope of its data privacy laws to provide for stricter sanctions for data breaches, potentially comparable to the high level of administrative fines available under the GDPR. Once enacted, these amendments will place more pressure on companies to enhance their safeguards for personal data as they will face higher enforcement risks in addition to the existing reputational risks arising from data breaches.
Companies should therefore watch this space carefully and, as part of their proactive and continuous risk assessment, review their internal policies and contractual provisions with third-party cloud storage providers to ensure an adequate level of safeguards is implemented to secure personal data handled and stored by them.
1 Constitutional and Mainland Affairs Bureau, 'Review of the Personal Data (Privacy) Ordinance – Legislative Council Panel on Constitutional Affairs' (LC Paper No. CB(2)512/19-20(03), published on 20 January 2020) (the "Review Paper").
2 ibid, paragraph 1.
4 PDPO, section 2.
5 Office of the Privacy Commissioner for Personal Data, 'Guidance on Collection and Use of Biometric Data' (first published in July 2015).
6 PDPO, schedule 1, section 1.
8 PDPO, schedule 1, section 3.
9 PDPO, schedule 1, section 2.
10PDPO, schedule 1, section 4.
11 PDPO, schedule 1, section 2(4).
12 PDPO, schedule 1, section 2(3).
13 PDPO, schedule 1, section 4(2).
14 PDPO, section 33.
15 PDPO, section 50A(1)(a)(i).
16 PDPO, section 50A(b)(i).
17 For contravention of the PDPO stipulations on use and provision of personal data in direct marketing, a fine of up to HK$1 million may be imposed (various provisions under section 35 of PDPO).
18 Office of the Privacy Commissioner for Personal Data, Data Breach Incident Investigation Report – TransUnion Limited – Unauthorised online access to credit reports (R19-17497, 9 December 2019).
19 ibid, paragraph 76.
20 Constitutional and Mainland Affairs Bureau, 'Review of the Personal Data (Privacy) Ordinance' (n 1) paragraphs 4 and 5.
21 ibid paragraph 4.
22 ibid, paragraph 8.
23 PDPO, schedule 1, section 2(3).
24 Constitutional and Mainland Affairs Bureau, 'Review of the Personal Data (Privacy) Ordinance' (n 1) paragraph 14.
26 Christian Berthelsen, Matt Day, and William Turton, 'Capital One Says Breach Hit 100 Million Individuals in U.S.' https://www.bloomberg.com/news/articles/2019-07-29/capital-one-data-systems-breached-by-seattle-woman-u-s-says accessed 30 July 2019.
27 Constitutional and Mainland Affairs Bureau, 'Review of the Personal Data (Privacy) Ordinance' (n 1) paragraph 15.
29 Constitutional and Mainland Affairs Bureau, 'Review of the Personal Data (Privacy) Ordinance' (n 1) paragraph 16.
30 See footnote 19 above.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.