On 20 January 2020, the Constitutional and Mainland Affairs Bureau ("CMAB"), together with the city's number one privacy watchdog, the Privacy Commissioner for Personal Data ("PCPD"), published a paper ("PDPO Review Paper") to map out large scale reforms of the city's privacy laws for discussion and review by the Legislative Council Panel on Constitutional Affairs.
A cry for reform from recent incidents
A review of the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") has been long awaited.
When the PDPO was enacted in 1995, it was considered state-of-the-art legislation in the data privacy arena, representing the first comprehensive set of privacy laws in the region. Since its enactment in 1995, the PDPO has undergone only one review, in 2009 – 2012, which resulted in the strengthening of restrictions on the use of personal data for direct marketing purposes in 2013.
In recent years, many countries have revised and updated their data privacy laws to keep pace with technological advancements, emerging needs that arise from globalization, as well as the public's increasing expectations on the protection of privacy rights. Countries which have recently undergone reform include Japan, China, Australia and Vietnam.
Hong Kong's proposed new legislation is therefore very welcome.
Apart from many Hong Kong and international high profile data breaches, another motivating reason for reform is doxxing. Since the city's social and political unrest in 2019, the unauthorized public disclosure of people's personal information online has become increasingly common. Since June last year, the PCPD has received or uncovered over 4,700 doxxing-related complaints.
Against the backdrop of an evolving global and regional data privacy regulatory landscape and the significant limitations in the city's privacy laws, a comprehensive reform and modernization of the legislation has become particularly important.
Main areas of reform proposed
We highlight the six key areas for reform identified in the PDPO Review Paper below:
- Introduction of a mandatory data breach notification mechanism;
- Formulation of a clear data retention policy;
- Enhanced fines and sanctions to replace the "enforcement notice";
- Regulation of data processors;
- Regulation of doxxing activities; and
- Expansion of the definition of personal data.
Mandatory Data Breach Notification Mechanism
At present, in the event of a data breach, data users have no legal obligation to notify the PCPD or the affected individuals. The CMAB is probing the possibility of compelling data users to notify the PCPD within five business days if any data breach has a real risk of significant harm, to better protect data subjects.
Mandatory data breach notification mechanisms are well established in many other jurisdictions. Mandatory data breach notifications have already been adopted in many US states. The trend has also spread across various continents. In the Asia-Pacific region, jurisdictions such as Australia, South Korea, the Philippines, Taiwan, Indonesia and mainland China have similar provisions in place. Of course, the mechanism is also in force in the EU via the GDPR.
It is undeniable that mandatory data breach notification has become the international norm, or trend. The challenge lies in setting a sensible materiality threshold which avoids over-reporting (and related costs), whilst ensuring that data subjects are informed about important breaches and take remedial steps to mitigate harm in good time.
From the PDPO Review Paper, it appears that the CMAB prefers a stricter approach than many other jurisdictions, in the form of a reporting threshold of "real risk". Whilst this deserves praise, some parts of the market are of the view that there needs to be a fairer balance between protecting data subjects, and commercial reality and practicality.
Enhanced fines and sanctions in replacement of the enforcement notice
The increasing number of data breaches suggests that the current penalties are insufficient.
Under the existing mechanism, a breach of any of the current six Data Protection Principles (DPPs) does not in itself constitute an offence. Instead of directly imposing a penalty on the data user for breach of any of the DPPs, the PCPD is only empowered to issue an enforcement notice directing the data user to remedy its contravention. Only if the breach is not rectified after service of the enforcement notice will the data user be subject to a fine or imprisonment.
This practice is inconsistent with the international approach, which generally permits the data watchdog to impose fines directly. The lack of teeth in the PDPO renders a breach of the DPPs a mere reputational issue for the company, rather than a financial one.
In the PDPO Review Paper, the CMAB pledges to consider dispensing with the requirement to first issue an enforcement notice, and toughening the level of fines to be imposed. The CMAB intends to introduce a two-step test, consisting of (1) a determination of whether or not an administrative fine is necessary; and (2) if so, the amount of the fine to be imposed.
Whilst the revamped regime may add compliance and business costs to local companies, the change is necessary to keep data violations at bay and to keep pace with international standards.
Formulation of a clear data retention policy
Like the data protection laws of other jurisdictions, the current legislation is silent on the duration for which data can and should be kept.
The CMAB is considering amending the PDPO to require data users to formulate a clear data retention policy which would include specifying the following information: (a) the maximum retention period for the different categories of personal data collected, (b) the legal requirements which may affect the designated retention policy (e.g. mandatory retention periods stipulated for taxation, employment and certain professions such as the medical or legal sectors) and (c) from when the retention period starts running (e.g. on receipt of the personal data).
In making the above proposal, the CMAB has rightly noted that the diverse service nature and unique business needs of data users render it practically unfeasible, and therefore inappropriate, to mandate a blanket retention period across the board.
Regulation of data processors
Our current legislation only obligates data users to protect personal data. Data processors, who are persons who process personal data on the data user's behalf without processing information for their own purpose, remain unregulated. However, it is not uncommon for data breaches to occur at the data processor level.
The CMAB has rightly stated that the absence of direct regulation on data processors is problematic, because data processors may become less conscious of the need to protect personal data against leakage.
GDPR has introduced a range of direct compliance obligations on data processors, such as restrictions on sub-contracting, duty to keep record of processing activities, introduction of security measures and data breach notification requirements. The CMAB is considering adopting a similar approach.
Regulation of doxxing activities
At the time when the PDPO was drafted, legislators obviously had not contemplated the widespread popularity of doxxing acts online.
In the past year, with the occurrence of social and political unrest in the community, the number of online doxxing activities has surged. Out of the 4,700 doxxing-related cases the PCPD has received or handled since last year, over 1,400 cases have been referred to the Police for further investigation. As a result of the PCPD's action, 70% of doxxing-related posts have been successfully removed from social media platforms or websites.
The Government promises to study ways to more effectively curb doxxing behaviour, such as conferring on the PCPD statutory powers to request the removal of doxxing content, or powers to carry out criminal investigation and prosecution.
Although the report is brief on the ways doxxing might be regulated, we expect the reformed regime to balance online users' right of free speech against data subjects' right to protection of their confidential information, as required by Hong Kong's mini-constitution, the Basic Law.
Expansion of the definition of personal data
The current definition of "personal data" under the PDPO refers to information that relates to an "identified" living individual. The CMAB suggests expanding the definition to cover information relating to an "identifiable" natural person.
The difference between an "identified" and an "identifiable" person may appear subtle. The PDPO Review Paper explains that the proposed change is made in response to the wide use of tracking and data analytics technology. The significance of the change is to bring location trackers and online identifiers, such as cookie identifiers and IP addresses, within the regulatory ambit of the PDPO. These online tracking tools make identification of an actual person possible through the gathering of information relating to network users' behaviours, browsing patterns, preferences and interests.
The Government's much-anticipated overhaul of the aged privacy legislation is very welcome and, if adopted, would bring our laws up to international standards. The PDPO Review Paper has effectively identified areas that merit reform so as to keep pace with international and regional developments, as well as to target unique challenges arising in the local context. However, the drafting of any bill to adopt the PCPD's recommendations may still take some time. There is currently no indicative timeline as to when any formal amendments may take place.
Businesses that have yet to update their privacy programme in line with international standards will bear a greater compliance burden if the recommendations are adopted. It is therefore recommended that businesses continue to monitor and update their privacy statements in line with international standards, together with their own IT-related protections.