The Hong Kong Personal Data (Privacy) Ordinance (“PDPO”) was first enacted in 1996. Its only substantive amendments were enacted in 2012, chiefly to impose strict regulation on obtaining consent to the use of personal data in direct marketing, with severe penalties for infringement.
However, with the dramatic rise in the use of the internet and the greatly increased number and range of social media postings across different platforms, a greater need has developed to amend the PDPO to address problems and abuses which were previously of little importance but are now not only readily open to misuse but also conspicuous for the absence of any definite curative attention and amendment.
In this connection the Government prepared a brief to the Legislative Council in January 2020, and the Commissioner has prepared a PowerPoint slide presentation which is now being delivered to the market through outreach sessions.
Both the Legislative Council brief and the PowerPoint slide presentation highlight the need to amend the PDPO to take account of the following current gaps in legal remedy and protection:
1. Considering the definition of “Personal Data”
The PDPO currently applies only to data that can practicably be used to ascertain the identity of a person, which essentially restricts its meaning and remedies to personal data relating to a known person. The proposal is to extend the definition to include data that relates to an “identifiable natural person”, which can therefore also cover metadata and the IP address of a person, thus expanding the scope of personal data and giving stronger protection to the privacy of that person's personal data. This amendment would tackle the enormously grown practice of personal tracking and the data analytics technology commonly deployed today by global technology companies.
2. New Mechanism of Mandatory Notification of Data Breach
Under the current Data Protection Principle 4 in the Schedule to the PDPO, data users are required to take all practicable steps to prevent unauthorised or accidental access, processing, erasure or loss of use of personal data. There is currently no requirement to inform or notify of a data breach, and no sanction for failing to do so.
The proposed mandatory notification relates to a data breach, being a suspected breach of security exposing personal data to the risk of unauthorised or accidental access, processing, erasure or loss of use. The proposal has come about because of the common occurrence of leakage of personal data on the internet in this information age, together with the increasing number of data breaches, while there is currently no obligation to inform or notify. Other Asia Pacific jurisdictions and the EU have introduced notification thresholds, basically where the breach may involve serious harm, together with an associated minimum time period following the breach for achieving notification, and these jurisdictions now impose very substantial penalties for this kind of breach. The Hong Kong proposal is that any breach which creates a real risk of significant harm be notified both to the Commissioner and to the impacted individuals within a short period of days after the breach, with failure to do so enabling the Commissioner to impose an administrative fine.
This whole concern and focus in Hong Kong on the statutory omission of a notification requirement arose from the recent incident in 2018 when Cathay Pacific Airways suffered a data breach in which personal data comprising a number of personal details in several million individual passenger records were hacked and transmitted out. It is not known whether this breach resulted in significant damage to any of the impacted passengers, but this is not considered a reason to avoid changing the law to make notification mandatory, at least as a measure enabling steps to be taken to prevent further damage.
3. Data Retention Period
Under Data Protection Principle 2 in the Schedule to the PDPO, the requirement does not define when “personal data is no longer necessary” and there is no fixed retention period. A number of Asia Pacific and EU provisions are also imprecise in defining the retention period, and this is seen as risky. It is proposed that Data Protection Principle 5 be amended expressly to require a data user to make available its retention policy for personal data and to set a maximum retention period for each separate category of personal data.
4. Sanctioning Powers of the PDPO Commissioner
The Commissioner finds the current penalty provisions in the PDPO to be so weak and complex that they cannot restrain contravention, which of itself is not an offence. The Commissioner may issue an enforcement notice, but non-compliance with the enforcement notice is not a criminal offence, and although there is a penalty for non-compliance it is small and does not reflect the seriousness of the offence in Hong Kong. The Hong Kong Monetary Authority and the Securities and Futures Commission are empowered to impose monetary penalties for infringement under their respective ordinances, and the same applies in overseas jurisdictions such as the EU, the UK and Singapore. It is therefore proposed that additional powers be given to the Commissioner to impose administrative fines, with the maximum level to be a fixed amount or a percentage of the annual turnover of the offending organisation, whichever is the higher.
5. Direct Regulation of Data Processors
Under the present PDPO there is no direct liability of data processors for any breach of the provisions of the PDPO. The present mechanism is for a data user subcontracting to a data processor to oblige the data processor by contract to observe the same principles as are binding upon the data user under the PDPO. This indirect arrangement, under which data processors are not themselves involved, has been found wanting, and the proposal is accordingly to enact an amendment bringing data processors into direct liability under the PDPO for any breach. This would bring the PDPO in line with equivalent legislation in Asia Pacific territories and the EU, with specific exposure of data processors to liability for obligations on retention period, security and mandatory notification of data breaches.
The Commissioner proposes to bring an end to doxxing, which is the disclosure without consent of the personal data of police officers, their wives, their children and any related parties, and which was extensively used in the latter half of 2019 for purposes of harassment and intimidation, causing psychological harm to the data subjects concerned. At present the Commissioner can follow up on each incident by urging the operator of the online social media platform to remove the illegal doxxing content and postings without delay. However, this provision requires action to be taken by the Commissioner and does not of itself create an offence; creating an offence would be seen as a better way to permit the Commissioner to compel the removal of doxxing content from social media platforms/websites and to carry out criminal investigation and prosecution.