Airlines, general aviation operators, ground handling companies, aircraft maintenance organisations, the airport and the rest of the local aviation supply chain will have to consider their exposure to sweeping changes to Hong Kong privacy law that were recently discussed in Legislative Council and brace themselves for potentially serious consequences if they fail to comply.
On 17 January 2020, the Constitutional and Mainland Affairs Bureau published a paper to discuss the review of Hong Kong's primary legislation on data protection, the Personal Data (Privacy) Ordinance Cap 486 (PDPO). Three days later, the Legislative Council's Panel on Constitutional Affairs and the Privacy Commissioner for Personal Data (Privacy Commissioner) met in session to share their views on whether the PDPO is still fit purpose or is now ready for a legislative 'shop visit'.
Many rightfully argue that the PDPO, enacted in 1996 and last amended in 2012, is outdated and behind the curve when compared to privacy rules in say the EU, Australia, Brazil, Japan, South Korea, Thailand and, notably, the State of California. This is for several reasons, but particularly the case with respect to accountability for safeguarding personal data and the consequences for any failure to do so. Data is a symbol of new found wealth. Airlines, airports and other industry operators are veritable treasure troves of data and the industry has been quick to embrace new technologies that enable them to understand passenger behaviour better in order to maximise their opportunities to improve yields and load factors.
The PDPO is therefore ripe for an overhaul and the Panel focused on six preliminary amendment directions on reforming the PDPO. We briefly consider each direction and what it might mean to the aviation industry.
At present, there is no mandatory requirement under the PDPO to notify the Privacy Commissioner or data subjects in the event of a data breach. If compared to the EU General Data Protection Regulation's (GDPR) mandatory breach notification obligations, notification on a voluntary basis only is widely perceived to be a compliance shortcoming of privacy law in Hong Kong.
One key issue is determining if and when a notification must be made. The briefing paper proposed that breaches should be reported when there is 'a real risk of significant harm' to data subjects. The approach under GDPR is that reporting should be made 'unless the personal data is unlikely to result in a risk to the rights and freedoms of natural persons' . A criticism of this language is that supervisory bodies in various Member States have ended up being unduly burdened with notifications often made out of an abundance of caution. The Privacy Commissioner will therefore need to ensure that the meaning of a real risk of significant harm is clearly defined in any guidance. The proposal also suggested that notifications should be made as soon as practicable but within no more than 5 working days from discovery of the breach. This is more lenient than the requirement under GDPR in which notifications are required to be made without undue delay and, where feasible, no later than 72 hours after having become aware of the breach.
Since Hong Kong based and foreign carriers operate into and out of the EU, they will already have adopted higher standards of compliance in order to target and attract EEA citizens to purchase their services and to mitigate the damage arising from such data breaches. As we have seen with one airline based in Hong Kong and an airline in the UK, international airlines are vulnerable everywhere they operate to and from so a homogenous rule book should be welcome. Regulatory divergence just adds operational complexity.
The PDPO currently requires data users not to keep personal data for longer than is necessary for the fulfilment of the purpose for which the data is used. What is deemed 'necessary' is not defined under the Ordinance and it would be impractical to dictate a prescribed retention period. However, the PDPO may be amended to oblige HK organisations to draft and publish specific data retention policies.
Likewise, for international airlines used to operating under GDPR this will not be particularly challenging since they will have such policies in place. For more local industry stakeholders, such a ground handlers and aviation service providers and indeed the Airport Authority HK, they will eventually need to create, amend or update their policies accordingly. There is also an increasing trend of airlines appointing personal data controllers and data protection officers. These positions handle requests from the data owners (e.g. withdrawal of personal data or data access requests) and are the contact point in the event of any data breach.
Sanctions may change fundamentally and it could be a game changer. At present, under Hong Kong law, breaches of enforcement notices can result in a HKD 50,000 criminal fine and imprisonment for two years.
The Panel mulled over whether to grant the Privacy Commissioner the power to issue administrative fines directly, calculated on the basis of annual turnover. Under GDPR administrative fines may be levied up to the higher of EUR 20m or 4% of global annual turnover. Whether the PDPO would be limited to turnover relating to activity in Hong Kong remains to be seen.
In the context of drone use, criminal sanctions under the PDPO remain a deterrent against the threat of any serious privacy violations committed using camera-enabled UAS in the skies over Hong Kong. The PDPO will continue handle data protection offences although amendments to the Air Navigation Order (Cap 448C), which will significantly tighten rules on drone operations, are expected in due course.
The lion's share of compliance obligations have traditionally fallen on data users and controllers whilst processors stand in behind them. GDPR has addressed this to a certain extent by making data processors directly accountable to data subjects. The Panel will consider similar requirements such being accountable for data retention and security and reporting breaches to the Privacy Commissioner. In fact, the Panel did not discuss adopting the concept of accountability more generally under the PDPO. That would be a welcome inclusion and match an underlying principle of the GDPR.
Those in the aviation supply chain should take note. End customers (particularly airlines) will no doubt continue to demand that a plethora of contractual indemnities are incorporated into any services agreement. However, ground handlers who handle personal data of passengers will need to consider how they process and store any data to ensure they have technically robust systems and eventually know what do in the event of a breach. Whilst freight forwarders and other cargo operators may generally handle less personal data, they should still be alive to the impact that stricter privacy rules will have on their business in Hong Kong, especially with respect to breach notifications and administrative sanctions.
The Panel did not discuss enacting s33 of the PDPO to prohibit cross-border transfers of personal data. The provision still remains dormant. Passenger details and records are already transferred globally in discrete circumstances related to flight operations and immigration, but bringing in s33 and adopting a meaningful regime to manage such transfers should be considered.
Personal data includes data relating to an 'identified person'. This definition falls short when applied to various individual pieces of data, such as website cookies, URL addresses etc., which alone do not identify a data subject but collectively will enable identification. Adjusting the language to 'identifiable' should remedy this issue.
Surprisingly, there is no proposal to develop the definition to create any special categories of data, colloquially known as sensitive personal data, requiring adherence to heightened compliance obligations such as processing subject to express consent etc.
To the aviation industry, notable sensitive personal data concerning passengers includes:
History of requesting escort or specific medical assistance (e.g. wheelchair assistance) from any airline or airport operator;
History of seeking clearance to fly because of pregnancy or medical conditions (carrying syringes or medical equipment);
Preferences on special meals (which might indicate a religious beliefs or the state of health).
Passenger medical conditions and health records are in the spotlight on account of the novel coronavirus. However, just as GDPR makes an exception to the general prohibition on processing sensitive personal data on the grounds of public health, the Hong Kong Prevention and Control of Disease Ordinance (Cap 599) enables disclosure of such records to combat public health emergencies. An amended PDPO is unlikely to change this, but disclosure would still need to factor in legitimate privacy concerns.
Since 14 June 2019, the Privacy Commissioner has received over 4,700 doxxing-related complaints. Doxxing is the unauthorised publication of personal details of other data subjects without consent is unlawful under s64 of the PDPO and is a form of cyber-bullying. Details of those sitting either side of the political divide in the protest-riddled city have been victims of this.
Specific to aviation, there was also an alleged doxxing incident reported in local media last month when a crew list was disclosed on social media in Hong Kong. A passenger allegedly posted the cabin crew list on Instagram after feeling dissatisfied about the services provided on her flight and demanded that the airline discipline the relevant crew members. If the allegation is true then such action would likely constitute a breach of s64. However, the Privacy Commissioner would require the data owner to make a complaint in order to investigate.
It is therefore hoped that the Privacy Commissioner after the amendment of PDPO will be given greater powers to tackle this problem, including the ability to investigate in the absence of a complaint from the data owner and prosecute offenders and force websites and other social media platforms to remove content.
It is unclear when these amendments to the PDPO will be made, but aligning Hong Kong's privacy laws would be broadly welcome despite the obvious burden and risk if data users get things wrong. A robust data protection regime will however generate public confidence and in turn attract investment. That means greater inbound traffic which airlines and other aviation industry stakeholders will sorely need once the city has weathered the fallout from both the political unrest and the on-going public health crisis.
 Privacy Amendment (Notifiable Data Breaches) Act 2017 (Australia), Lei Geral de Proteçao de Dados (LGPD) (Brazil), Act on Protection of Personal Information 2017 (Japan), Personal Information Protection Act 2011 (South Korea), Personal Data Protection Act 2019 (PDPA) (Thailand) and the California Privacy Act (CCPA)
 GDPR Article 33 (Notifications)
 s50A of the PDPO
 GDPR Article 28 (Processors)
 GDPR Article 9.2(i)
 s8(3)(a) of Cap 599
 LC Paper No. CB(2)512/19-20(03) paragraph 18