Summary

To enhance protection of personal data protection, the Hong Kong government currently is considering to raise the level of fines for offences under the Personal Data (Privacy) Ordinance and exploring the feasibility of imposing administrative penalties for contravention of the PDPO. This article sets out more details of these proposed amendments and what businesses need to know.

This post is the third in the series of six articles in which we discuss the proposed amendments to the data protection regime in Hong Kong.

This post deals with that part of the proposed amendments that will increase the sanctioning power of the Personal Data (Privacy) Ordinance.

See links below for our previous articles on the proposed amendments:

Sanctions under the current PDPO

At present, criminal fines under the Personal Data (Privacy) Ordinance generally range from HK$10,000 to HK$100,000, depending on the offence. Offences relating to direct marketing attract higher levels of fine. The offences under Part 6A of the PDPO (Use of Personal Data in Direct Marketing and Provision of Personal for Use in Direct Marketing) come with criminal fines of HK$500,000 and HK$1,000,000.

The PCPD is empowered under the PDPO to issue enforcement notices to data users to remedy breaches of data protection principles. If the data user continues the contravention or breach after receiving an enforcement notice, it could be liable to a fine or imprisonment. Although the current maximum fine for non-compliance with an enforcement notice is HK$50,000, the amount of fines imposed by the court so far has ranged only from HK$1,000 to HK$5,000.

The PCPD does not currently have the power directly to impose administrative penalties for contravention of the PDPO. All fines mentioned above have to be imposed by the court after the relevant criminal proceedings have been concluded.

Direction for change

Firstly, the Hong Kong Government takes the view that the current levels of criminal fine are not high enough to reflect the severity of the offences. The Government therefore is proposing to raise the relevant criminal fine levels to enhance the deterrent effect of the PDPO.

It is not entirely clear from the Government's paper for which offences the level of fines is intended to be increased. The current criminal penalties in respect of direct marketing offences already are on the higher end when compared to other jurisdictions, and therefore of further increase. We expect that the proposed increase in criminal fines will relate to non-compliance with an enforcement notice issued by the PCPD. Such an increase would go hand in hand with the proposed broadening of the PCPD's power as discussed below.

Secondly, the Hong Kong Government is considering to follow the footsteps of a number of other jurisdictions such as the EU, Singapore and the United Kingdom in empowering the data protection authority (i.e. the PCPD) directly to impose administrative fines. This will help close the regulatory gap that is present in the existing PDPO.

For example, under the GDPR of the EU, administrative fines can be as high as ?20 million (approximately HK$185 million) or 4% of the offending company's global annual turnover in the preceding financial year, whichever is higher1. Such fines are able to be imposed directly by data protection authorities, without having to resort to the national courts.

The Hong Kong Government's paper makes reference to a number of jurisdictions, when proposing the amendments to introduce administrative fines. In particular, Singapore recently amended its Personal Data Protection Act (PDPA) with such amendments taking effect in phases, beginning 1 February 2021. The Hong Kong Government likely will have reference to Singapore's amendments when suggesting and finalising its own.

The amendments under consideration

The following details currently are under consideration:

1. Threshold for imposing administrative fines. If the PCPD is to be empowered to impose administrative fines, a set of factors should be in place for it to determine whether a data breach warrants a fine. The threshold factors suggested by the Hong Kong Government include the severity of the data breach in question, the data user's intent behind the breach, the data user's attitude when handling the breach, the remedial actions undertaken by the data user, and the track record of the data user.

The PCPD may decide not to impose any administrative penalty if it considers that the data breach in question falls below the minimum severity threshold for a fine. If the PCPD does decide to impose a fine, these threshold factors together also would help to inform a decision as to how culpable or blameworthy a data user is in the context of a breach, which then links to the level of fine to be imposed.

2. Level of administrative fines. As mentioned above, the Hong Kong Government made reference to the penalties in a number of jurisdictions. The maximum fines which may be imposed under the GDPR are the highest. The Hong Kong Government is considering the feasibility of imposing fines which link to the global annual turnover of the offending data user, and the possibility of devising a classification system of data users into different bands according to their turnovers to match with corresponding levels of fines. That said, a specific level of fine is yet to be put forward by the government for consultation and discussion. As of now, more concrete legislative proposals by the Government are needed for businesses to be able to consider and to assess the potential impacts that will be brought about by the amendments.

3. Mechanism to impose administrative fines. It is proposed that the administrative fines be imposed by way of the issuance of an "administrative fine notice" by the PCPD. It seems to be intended that such notice broadly should take the form of a judicial decision, in the sense that it should specify the circumstances of the breach, investigation findings, the penalty imposed and the underlying reasons.

It is not clear whether or not the data user or processor2 will be able to make representations to the PCPD before the PCPD finalizes its decision regarding a proposed breach/fine. It might be the case that the data user or processor will have been given the chance to make its representations at the investigation stage before the "administrative fine notice" is issued. Based on the current proposals, it appears that the data user or processor is to be given the opportunity to make representation after the "administrative fine notice" is issued. The data user or processor will be given no less than 21 days to make representation in response. The current proposals also suggest to provide to the data user or processor a right to appeal against the notice within 28 days, either to the Hong Kong courts or to the Administrative Appeals Board.

These proposed amendments to the PDPO aim to empower the PCPD, to align the Hong Kong position with international standards, and ultimately to strengthen the "bite" of the legislation. It is expected that further details and more concrete proposals will be put forward for consultation and discussion within the year 2021.

Footnotes

1 Article 83(5) of the GDPR.

2 Note that the current PDPO does not directly regulate data processors. However, one of the proposals currently put forward by the Government is the direct regulation of data processors by the PCPD. The proposed power to issue administrative fine notices therefore covers both data users and data processors.

Originally published 21 April 2021.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.