The General Data Protection Regulation ("GDPR"), introduced by the European Union two years ago, has been an interesting clarion call to the world's personal data privacy regulators, demonstrating how the GDPR structure is a great deal stronger and more far-reaching than those previously enacted in many other jurisdictions worldwide.
1. Hong Kong is no exception, and one event in particular has highlighted this deficit: the March 2018 hacking of the personal data of 9.4 million Cathay Pacific Airways customers, an event which the airline discovered immediately but did not report to the Personal Data Privacy Commissioner until October 2018. The hacking exposed the airline to the charge that it had not taken all practicable steps to protect the personal data against unauthorized access or loss, contrary to the requirement placed on a data user by Data Principle 4 in the Schedule to the PDPO.
Under the current PDPO, individuals or companies involved in data breaches are under no obligation to report incidents. Accordingly, the only remedy is for the Commissioner to issue an enforcement notice against a violation of privacy laws, and a failure to comply with that notice would attract a possible fine of HK$50,000.00 or two years in prison. The process is drawn out and cumbersome.
However, given the horrendous possible consequences of the Cathay Pacific data custody breach, an amendment to the PDPO is now proposed to require a data user to report a major breach to the Commissioner with immediate effect, giving him the power to fine offenders a substantial portion of their global annual turnover, much along the lines of the fining powers of competition authorities in a number of overseas jurisdictions.
Under the new proposals, the Commissioner will not need to issue an enforcement notice but would directly impose a fine based upon the severity of the incident. The normal process for legislative amendment in Hong Kong is the issue of a consultation paper giving a period of three to six months for public consultation. However, in order to cure this current lacuna in the PDPO with greater urgency, the government proposes to enact the amendment without the public consultation period. This recognition of urgency is much approved by legal sources in Hong Kong, although some commentators have indicated that a transition period of one or two years would be reasonable notice of the change if the enactment is passed by the legislature.
2. The PDPO applies to data users collecting and holding personal data of data subjects. Since the enactment of the PDPO, however, there has been enormous growth in the handling of personal data not by the data users themselves but by sub-contracted parties known as data processors. The PDPO does not apply directly to data processors, and the Commissioner is now considering bringing data processors directly under an obligation to perform and observe the PDPO rather than, as at present, binding them through compulsory contractual obligations in their engagement by data users.
3. On the 6th November 2019 I posted a Passle on the increasingly viral doxxing through social media by protestors of the personal data details of police officers and their families. In 2018 doxxing was a very minor matter, but since the commencement of these huge protest activities in June 2019, 4,370 doxxing complaints have been reported to or discovered by the Privacy Commissioner. Of these complaints, 36% related to police officers and their families, whose names, photos, addresses and phone numbers were posted online by the protestors. The Commissioner has referred 1,402 cases to the police for investigation as criminal doxxing, but as of December 31 only 8 people have been arrested, leading to one prosecution. Clearly this almost negligible remedying of the practice needs much more focussed attention so that the intimidation of the doxxing targets can cease, but the main problem has been gathering evidence because posts are published through overseas IP addresses. Accordingly, the Commissioner is proposing a number of amendments to the PDPO to deal with this, including direct prosecution powers handled by the Commissioner and additional powers to compel social media platforms to take down all doxxed content. We shall have to see how these proposals, which are clearly necessary, are enacted into law.