Plans to strengthen Hong Kong data privacy laws
The Hong Kong Legislative Council is currently considering plans to strengthen Hong Kong’s data privacy laws. Nicholas Blackmore discusses the proposed changes and what they would mean for Hong Kong businesses.
Hong Kong’s Legislative Council (“Legco”) has no shortage of pressing problems to deal with at the moment: the COVID-19 pandemic and the pro-democracy protests foremost among them. However, it has recently been able to consider proposed amendments to the Personal Data (Privacy) Ordinance (the “PDPO”).
When the PDPO was first introduced in 1996, it made Hong Kong one of the few countries outside Europe to have a data privacy law. In 2012, the PDPO received a shot in the arm when strict new direct marketing rules were introduced. But as more countries have introduced and strengthened their data privacy laws over the past 24 years, the PDPO now lags behind the personal data protections provided by the laws of many other countries.
Privacy reform has been on the agenda of both the Privacy Commissioner for Personal Data (“Commissioner”) and the Constitutional and Mainland Affairs Bureau for several years now. In 2014, there was a public consultation in respect of the proposed enactment of section 33 of the PDPO, which would restrict the transfer of personal data outside of Hong Kong. According to the Commissioner, that process is ongoing. A consultant has been commissioned to look into the compliance measures which would be required of data users to meet the requirements of section 33, to study the relevant practices in other jurisdictions and to examine the implementation requirements (including the list of places which would be deemed to have comparable protections for personal data). However, there is no timetable for completion of that consultation nor for the enactment of section 33. Before that can happen, we anticipate draft best practice guidelines will be produced for further consultation.
The current proposals, which are raised in LC Paper No CB(2)512/19-20(03) (the “Discussion Paper”), do not revisit the section 33 issue. But they do propose a number of possible amendments to the PDPO which would have a significant impact on Hong Kong businesses.
Mandatory data breach notification
Mandatory data breach notification is a concept which has been in place in the United States for almost two decades. However, it has only recently gained traction in other parts of the world, following on from the European Union (“EU”) including mandatory data breach notification requirements in its General Data Protection Regulation (“GDPR”). There has also been some take-up in Asia. The Philippines and Australia already require data breach notification. Thailand will introduce notification requirements later this year. New Zealand and Singapore have both proposed to implement notification requirements.
A mandatory data breach notification regime would require data users to report serious data breaches to the Commissioner and affected data subjects. The Discussion Paper proposes that:
- a “data breach” would mean any accidental or unlawful destruction, loss, alteration of personal data or any unauthorised disclosure of or access to personal data;
- a data breach would only be notifiable if it involved a “real risk of serious harm” to an affected data subject;
- a data breach would need to be notified as soon as practicable, and in any event, within a specified maximum timeframe (the Discussion Paper suggests within five business days of becoming aware of the breach);
- a notification would need to include a description of the incident and its cause, the types of personal data involved, the risk of harm to affected data subjects, the remedial actions taken by the business, and any actions the data subjects should take to protect themselves against the risk of harm; and
- a notification may be provided by email, fax or post.
While these provisions are broadly similar to data breach notification rules in other countries, there are a few interesting points to note.
The requirement for a “real risk of serious harm” reflects the standard in Canada and the Philippines. Australia uses “likely risk of serious harm”, which means that notification is not required in cases where the chance of serious harm occurring is less than 50%. This is an important distinction, because for many data breaches, there is some potential for serious harm to occur, and so arguably a “real” risk of serious harm, but that harm is not likely. Whether these breaches would require notification will depend on the exact wording of this requirement if it were to become law.
The requirement for a data breach to be notified within five business days allows more time than the requirement in the EU and the Philippines of 72 hours, but is stricter than the Australian requirement that breaches merely be notified “as soon as practicable”. The difficulty with setting a maximum timeframe for notification is that the process of investigating a data breach and determining whether it is notifiable is potentially a lengthy exercise. In our experience, arranging and conducting a forensic investigation of a business’s information technology systems can take several weeks. Following the investigation, the data user will generally need to obtain legal advice on whether the data breach is notifiable, and then draft the notification itself. While it is possible to make an interim notification before this process is complete, basing a notification on incomplete information can lead to unnecessary concern and panic. In our view, it is preferable to avoid specifying timeframes and to simply require notification as soon as practicable.
In terms of the mode of notification, we think it will be important for the Commissioner to allow notification through a simple online form, and to allow businesses to issue notifications to data subjects by electronic means.
Data retention policy
Data Protection Principle 2 in the PDPO already requires data users to take all practicable steps to ensure that personal data is not retained longer than necessary for a legitimate purpose.
To comply with this principle, Hong Kong businesses need to determine how long they need to keep various kinds of records containing personal data for various purposes - for example, to manage commercial relationships, to comply with statutory requirements, and to defend against potential legal action. Many Hong Kong businesses already have a data or document retention policy in place to help them manage this issue. The Discussion Paper proposes to expressly require Hong Kong businesses to have such a retention policy in place. This seems a sensible measure.
Increased fines and penalties
The current fines and penalties under the PDPO are low by international standards. A data user who contravenes the Data Protection Principles only risks a maximum penalty of HK$50,000, and then only after receiving and failing to comply with an enforcement notice from the Commissioner. By contrast, maximum fines in other jurisdictions are generally in the millions of dollars. The Discussion Paper proposes reviewing and increasing the maximum fines and penalties under the PDPO.
The Discussion Paper also proposes empowering the Commissioner to issue administrative fines. To impose the penalties currently available under the PDPO, the Commissioner must apply to a court. This means it incurs legal costs and is exposed to the risk that the court will disagree with its view of the offence. By contrast, an administrative fine functions like a parking ticket - the regulator can impose the fine directly by issuing a notice to a data user. The data user must then decide whether to pay the fine or contest it in court. Experience from the EU, Singapore and Australia shows that regulators are generally far more willing to exercise their powers to impose administrative fines than to apply for traditional civil or criminal penalties.
The Discussion Paper also suggests that Legco should explore the feasibility of linking the amount of an administrative fine to the offender’s annual turnover. This measure was first implemented in the GDPR and is becoming increasingly popular, as it is seen as a more effective deterrent for large corporations, for which fixed dollar-value fines may be insignificant.
Direct regulation of data processors
The PDPO does not currently directly regulate data processors. “Data processors” are businesses which process personal data on behalf of another person, rather than for their own purposes – for example, outsourced service providers, payroll processors and mailing houses. The PDPO does require data users to impose data retention and security obligations on data processors in their contracts, but it does not apply to data processors directly.
This has always been an unusual feature of the PDPO. Most data privacy laws in other jurisdictions impose at least some obligations on data processors, although they vary widely in their approach. Many laws, including the GDPR, impose obligations on data processors that are less onerous than the full set of obligations imposed on data users. A few laws go further – Australia’s Privacy Act makes no distinction between data users and data processors, and simply imposes the same obligations on both.
The Discussion Paper proposes imposing some obligations directly on data processors, particularly in relation to data retention and security. Where a data processor suffers a data breach, it also proposes requiring the data processor to notify the Commissioner directly – by contrast, the GDPR only requires data processors to notify the relevant data user, who is the person responsible for notifying the authorities and affected data subjects.
We think that regulating data processors directly would be a sensible measure, and one that would be important for data users as well as for data subjects. Until now, the PDPO has held data users accountable for the actions of their data processors, while not holding the data processors themselves accountable. Data users have had to resort to detailed contractual obligations to protect themselves against the actions of their data processors. Regulating data processors directly would relieve data users of some of this burden.
Broader definition of “personal data”
The Discussion Paper proposes broadening the definition of “personal data” under the PDPO to extend beyond “identified” individuals to also include “identifiable” individuals.
This is a somewhat curious proposal, because the current definition of “personal data” in the PDPO is not in fact limited to identified individuals. Personal data covers any data “from which it is practicable for the identity of the individual to be directly or indirectly ascertained”. The Commissioner has stated that this covers both “identified” individuals (individuals whose identity is immediately evident from the information under consideration) and “identifiable” individuals (individuals whose identity can be determined by reference to the information under consideration and other information to which the data user has access). As such, it is questionable whether this proposal would actually make the definition of “personal data” any broader.
However, it seems likely that Legco will consider broadening the definition of “personal data” to include information that is not considered personal data under the current definition. For example, the Commissioner has previously stated that internet protocol (IP) addresses are not personal data, because they do not relate to a specific individual (rather, they relate to a household or business). However, many other data privacy regulators have taken the contrary position, and so Legco may decide to fall into line with international practice. If it does, Hong Kong businesses which collect data about internet users may need to review their compliance with the PDPO.
Doxxing
The Discussion Paper proposes introducing more specific offences to prevent “doxxing”, which is the practice of disclosing personal data of another person online, particularly for the purpose of encouraging or inciting harassment, bullying or violence against that person. Doxxing gained particular prominence in Hong Kong during the recent protests, during which the Commissioner received and uncovered over 4,700 cases.
A person who engages in doxxing may already commit an offence under section 64(2) of the PDPO, which carries a maximum penalty of a fine of HK$1,000,000 or five years’ imprisonment. However, that offence requires that the relevant personal data was obtained from a data user without the data user’s consent, which will not always be the case, or will not always be capable of being proven beyond reasonable doubt.
Next steps
Legco’s Panel on Constitutional Affairs considered the Discussion Paper on 20 January. The Commissioner is now scheduled to present to the Panel at their April meeting (assuming this goes ahead).
In summary, the Discussion Paper proposes the following reforms:
- introducing mandatory data breach reporting requirements;
- increasing the amount of penalties and introducing administrative fines for contraventions of the PDPO, and linking such fines and penalties to the offender’s annual turnover;
- directly regulating data processors under the PDPO;
- broadening the definition of “personal data” under the PDPO; and
- introducing a specific offence for doxxing.
At present, these are only proposals for discussion and have relatively little detail. That detail will be set out in a draft bill amending the PDPO. However, the experience of previous reform proposals, together with the sheer volume of more pressing issues on Legco’s agenda for 2020, suggests we should not expect these proposals to be implemented too soon, if at all.
However, it is generally acknowledged that the PDPO has fallen behind international standards, and we expect that there would be broad support in Legco for most or all of the reforms proposed by the Discussion Paper in some form.
As such, we think it would be worthwhile for Hong Kong businesses to start to consider what the proposed reforms would mean for them if and when they are introduced, and to watch for opportunities to raise their concerns and proposals with the government.