On 20 January 2020, the Constitutional and Mainland Affairs Bureau (CMAB) together with the Privacy Commissioner for Personal Data (Privacy Commissioner), published a consultation paper raising important data protection issues and proposing possible amendments to the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), after having reviewed the existing data protection regime in Hong Kong. These include possibly introducing a mandatory data breach notification mechanism, requiring data users to specify a retention period for personal data collected, raising the sanctioning powers of the Privacy Commissioner as well as potentially making data processors more accountable.
The consultation paper seeks feedback from members of the Legislative Council and we expect that more specific proposals for reforms to the PDPO will be made in due course. The consultation paper did not indicate an express timeframe for the completion of this review process or when specific amendments to the PDPO would be proposed.
In light of the spate of major data breach incidents in Hong Kong, the rapid technological advancements resulting in new uses of personal data in new technologies, as well as recent regulatory developments such as the enactment of the General Data Protection Regulation (GDPR) in the European Union (EU), the consultation paper recognised a need to enhance the level of protection currently afforded under the PDPO and to bring it closer in line with international data protection standards. The Privacy Commissioner had considered the regulatory regimes in other jurisdictions such as Australia, Canada, the EU, New Zealand and Singapore.
We set out below an overview of the key proposals.
A. Key Proposals
1. Mandatory Data Breach Notification Mechanism
The consultation paper recommended the introduction of a mandatory data breach notification mechanism. This would require a report to the Privacy Commissioner and impacted individuals in the event of a data breach carrying “a real risk of significant harm”. The CMAB suggested that a mandatory breach notification mechanism would ensure that the Privacy Commissioner could monitor the handling of data breaches by relevant organisations more effectively and organisations could also seek instructions from the Privacy Commissioner in respect of any follow-up actions to mitigate or prevent further loss and damage resulting from the data breach incident.
The proposal for a mandatory data breach notification mechanism would bring Hong Kong closer to international data protection standards (whereby an obligation of this nature is effectively considered the norm). For example, EU member states and the province of Alberta in Canada, as well as the state of California in the United States and other jurisdictions in the Asia-Pacific region such as the PRC, Australia, Indonesia, South Korea, Taiwan and Thailand, all have mandatory data breach notification mechanisms in place, and other common law jurisdictions such as Singapore and New Zealand are expected to introduce similar mechanisms in their data protection regimes. We note that the notification timeframe of not more than five business days as recommended in the consultation paper is significantly longer than the 72-hour notification requirement under the GDPR.
2. Data Retention Period
At present, data protection principle 2 of the PDPO requires data users to take all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose(s) for which the personal data is to be used. The PDPO does not specify a definitive retention period and, as such, data users are left to their own devices in interpreting what is considered “no longer necessary”.
The consultation paper suggested that there is a higher risk of a data breach in instances where data is retained for a longer period of time, especially if such data should have been purged and retaining it was in fact unnecessary. Whilst the consultation paper acknowledges that it would be inappropriate to propose a uniform retention period in the PDPO that would apply to all types of personal data held by different organisations for different purposes, it was suggested that the PDPO be amended to require data users to formulate a clear retention policy specifying a retention period for the personal data collected. In particular, such a retention policy should address the maximum retention periods for the different categories of personal data, and data users should disclose how the retention period would be calculated.
3. Sanctioning Powers
The fining power under the PDPO as it currently stands is modest.
The consultation paper considered raising the amount of criminal fines in order to strengthen the deterrent effect against breaching the provisions of the PDPO. It was also suggested that the Privacy Commissioner should be empowered to directly impose administrative fines for contravention of the PDPO, similar to other data protection authorities such as those in the EU, Singapore and the United Kingdom.
In particular, the CMAB and Privacy Commissioner are contemplating whether it would be feasible to introduce an administrative fine linked to the annual turnover of the data user. As a point of comparison, under the GDPR, a maximum administrative fine of €20 million or 4% of the data user’s global annual turnover in the preceding financial year, whichever is higher, may be imposed on organisations for failing to comply with the GDPR.
4. Regulation of Data Processors
Under the current regime, the obligation to comply with the PDPO applies to “data users” (ie an organisation that controls the collection, holding, processing or use of personal data). The PDPO does not directly regulate “data processors” (ie an organisation that processes personal data on behalf of data users). Data users are required to ensure by way of contractual means that data processors adopt suitable measures to ensure the safety of a data subject’s personal data. The consultation paper concludes that this level of protection is inadequate, especially as outsourcing of data has become a common practice in the digital age.
In light of this, it was suggested that the PDPO may be amended so that data processors are directly accountable for personal data retention and security, and to make them responsible for notifying the Privacy Commissioner and the data user upon becoming aware of any data breach incident.
5. Definition of Personal Data
The consultation paper also mentioned possible amendments to the definition of “personal data”. At present, the definition of “personal data” in the PDPO includes information that relates to an “identified person”. The CMAB is exploring whether to expand this definition so as to include data that relates to an “identifiable natural person” instead.
This proposed amendment was raised in order to tackle the widespread practice of tracking and data analytics technology which is commonly deployed today by global technology companies. We note this would also bring Hong Kong closer in line with the approach taken in a number of jurisdictions such as Australia, Canada, the EU and New Zealand.
6. Doxing
The issue of doxing was the final area of possible reform raised by the CMAB. The consultation paper mentions the Privacy Commissioner’s efforts in recent times to curb the adverse consequences of doxing by, amongst other measures, requesting that certain social media platforms remove links and content resulting from doxing activities.
According to the consultation paper, the HKSAR Government is considering whether it would be feasible to amend the PDPO to address the issue of doxing more effectively. For example, it was suggested that the Privacy Commissioner could be granted statutory powers to order the removal of doxing-related material from social media platforms or websites and be given the power to institute criminal investigations and prosecutions.
B. Our Observations
Given the considerable technological advancements over the past two decades since the enactment of the PDPO, the proposed areas of reform raised in the consultation paper should be considered as a step in the right direction in terms of modernising Hong Kong’s data protection regime to suit the demands of the current digital era.
A number of changes, such as a mandatory data breach notification mechanism (particularly in light of the Cathay Pacific data breach incident in 2018), would bring Hong Kong closer in line with emerging international norms and expectations. Nonetheless, specific amendments should be considered on their merits in light of the particular circumstances in Hong Kong.
Certain members of the Legislative Council did raise questions for further thought during their discussions, such as querying the meaning of “real risk of significant harm”, whether the Privacy Commissioner will consider defining “sensitive personal data”, the degree to which the PDPO applies to new technologies such as facial recognition and artificial intelligence (given these were unaddressed in the current consultation paper) and how a notification obligation would be triggered, which remains unclear. Further, it will be interesting to see whether a full public consultation will be launched in due course, to allow input from all impacted constituencies. In particular, if data processors are to be regulated, we anticipate that the views of the tech sector will be important.
Finally, we note that the consultation paper is silent on section 33 of the PDPO and on whether it is intended that this section (which places restrictions on the offshoring of personal data out of Hong Kong) will come into effect. There is no indication of whether or when this may happen. It was mentioned during the Legislative Council discussions that the Privacy Commissioner has devised two sets of guidance on the topic of data transfers, which are expected to be published in the first half of 2020.