Reforms in Hong Kong’s personal data privacy laws have been under review since the publication of a government paper in January 2020 (LC Paper No CB(2)512/19-20(03)), an acknowledgment that the present laws need to be modernised in line with the increasing liability and exposure of data users. These proposed reforms are summarised as follows:
The introduction of mandatory data breach reporting
Imposing a requirement that data users formulate an express and clear data retention policy
Administrative fines for breaches of the Personal Data (Privacy) Ordinance, Cap 486 (“PDPO”)
Direct regulation of data processors
Extending the scope of the PDPO to “identifiable persons”
Anti-doxxing legislation and related powers of the Privacy Commissioner.
In Hong Kong, there is currently no mandatory reporting requirement in the event of a data breach. However, the reforms under consideration provide for this and include the following:
Mandatory reporting to the Privacy Commissioner in the event of a data breach, with notification to be made as soon as possible and in any event within an express specified period (say, for example, within 5 business days) of becoming aware of a breach;
“Data breach” for these purposes would mean any accidental or unlawful destruction, loss, alteration of personal data or any unauthorised disclosure of or access to personal data;
A data breach would only be notifiable if there was a “real risk of significant harm” and both the Privacy Commissioner and relevant data subjects in such circumstances would need to be informed;
Notification (to include specified information) would be required to be made in writing and sent by email, fax or post.
Express data retention periods
Under the PDPO, data users are required to take all practicable steps to ensure that personal data is kept no longer than is reasonably necessary for the purpose for which it was collected. There is no express retention period provided for and therefore the question of the period which is deemed to be necessary is highly dependent upon the facts and circumstances.
With regard to the proposed reforms, data users would be required to do the following:
Establish and set up clear retention policies within their organisations, addressing details of their retention periods in respect of the personal data collected.
Establish maximum retention periods in line with various categories of personal data. The Office of the Privacy Commissioner for Personal Data (“PCPD”) proposes to issue guidelines on this in due course.
Expressly inform data subjects of such retention policies.
Administrative fines and appeals
Under the present regime, the level of fines does not act as a deterrent. In addition, the Privacy Commissioner is not empowered to directly impose administrative fines:
Fines for breach of the PDPO range from HK$10,000 to HK$1 million (US$1,285 to US$128,535).
Fines for offences relating to direct marketing range from HK$500,000 to HK$1 million.
Non-compliance with enforcement notices is subject to a maximum fine of HK$5,000.
Accordingly, the proposed changes include:
Vesting in the Privacy Commissioner discretionary powers to directly impose fines subject to certain stated thresholds (depending on the severity of the breach, the handling of the breach and taking into account any remedial action taken by the data user). There would be a range of fines and penalties depending on the given circumstances.
Linking the amount of the fine to the offending data user/entity’s annual turnover (akin to the General Data Protection Regulation (GDPR)).
Empower the Privacy Commissioner/PCPD to issue “administrative fee notices” whereby the data user or data processor is given 21 days within which to make representations and a 28-day period within which to appeal against the decision of the Privacy Commissioner to the Hong Kong Court or Administrative Appeal Tribunal.
Direct regulation of data processors
At present, data users control the personal data collected and are responsible for the protection of such data. Data processors, that is a party which processes personal data on behalf of the data user rather than for their own purposes, are under no such obligation save if expressly provided for under a contract with the data user. Accordingly, steps are being taken towards the direct regulation of data processors (such as third party/external service providers).
The proposed reforms include the following:
Imposing mandatory reporting requirements on data processors, compliance with data retention requirements and duties towards the protection and security of data.
It is intended that such data processors would be required to set up protocols to ensure the security of data and prevention of data leakage and loss.
Extending scope to “identifiable persons”
Under the PDPO, “personal data” relates to the personal data of a living person whose identity can be ascertained and which comes in a form in which access to or processing of the data is practicable (that is, an identified person).
Under the proposed reforms, consideration is being given to extend the application of the PDPO to “identifiable persons”. This would, in effect, mean that data captured with the use of data analytics technology (such as the data obtained from IP addresses, website cookies and online tracking tools) which enable data users to link such information to or point to a relatable person (that is, an “identifiable person”), would fall within and be governed by the provisions of the PDPO.
Anti-doxxing legislation and related powers of the Privacy Commissioner
On 16 July 2021, the Personal Data (Privacy)(Amendment) Ordinance 2021 (“Amendment Ordinance”) was published in the gazette with a view to criminalising doxxing and to conferring statutory powers upon the Privacy Commissioner to act against this. This subsequently came into effect on 8 October 2021.
Under the Amendment Ordinance, any person who discloses or conspires to disclose any personal data of a data subject or any of his/her family members without his/her express consent, whether recklessly or with intent to cause harm to the person or his/her family, commits an offence punishable by fine(s) and/or imprisonment.
The Privacy Commissioner can now institute criminal investigations and prosecutions in relation to doxxing-related offences. The powers conferred on the Privacy Commissioner are wide and include the following:
To search premises, seize materials/evidence and access electronic devices (such as mobiles and computers), provided that a Court warrant has been applied for and granted.
In circumstances where the Privacy Commissioner is satisfied that applying for a Court warrant would result in a delay that would prejudice access to the device(s), the Privacy Commissioner may, without a warrant, access any such device(s) suspected of containing data/information relating to doxxing.
There is no right to silence or privilege against self-incrimination.
A person may claim legal professional privilege.
The Privacy Commissioner may require a person to attend a specified place to answer questions, to respond to written questions, to provide assistance which may be reasonably required during the investigation and/or to make a statement.
The proposed reforms are still very much at the discussion stage, with no timetable as yet for implementation. It is generally accepted that important changes are required to the PDPO to bring Hong Kong’s data protection laws in line with international standards as well as to meet the increasing liability and exposure of data users. These proposed reforms will be a good start to this process.
If you wish to discuss this article or any data privacy issues, please contact Rosie Ng or Sharon Lam.