Proposal to modernise Hong Kong privacy laws on the horizon

The Hong Kong Government is considering possible amendments to the Personal Data (Privacy) Ordinance.

17 January 2020


The Hong Kong Government is formally considering possible amendments to the Hong Kong Personal Data (Privacy) Ordinance (Cap.486) (PDPO). The Hong Kong Panel on Constitutional Affairs has published a discussion paper (Discussion Paper) aimed at strengthening the protection of personal data and seeking views on proposed amendments in six selected areas. Feedback from the Legislative Council Panel on Constitutional Affairs on this Discussion Paper will form the basis of further consultations with stakeholders and more concrete legislative amendment proposals.

What’s covered?

While these proposals come amidst rapid development of privacy laws on the global stage, as well as technological advances which require new thinking around issues of privacy and data protection, the six areas under review are clearly propelled by the unique issues that have arisen in Hong Kong in recent years: in particular, key issues that have come to light as a result of major data breaches in Hong Kong, and the doxxing complaints that inundated the Hong Kong Privacy Commissioner for Personal Data (Privacy Commissioner) in the latter part of 2019.

The proposed amendments and key points covered by the Discussion Paper are:

Mandatory data breach notification

  • The data breach notification proposal takes reference from the data
    breach notification regimes under the GDPR and key jurisdictions in
    the APAC region.

  • Views are requested on the appropriate notification threshold. A
    threshold of a real risk of significant harm is suggested, and
    questions are raised as to whether the notification threshold should
    be different for mandatory notification to the Privacy Commissioner
    as opposed to affected individuals.

  • The appropriate time frame for reporting is also under
    consideration, with a possible suggestion of not more than five
    business days cited. An additional period of time to allow
    investigation and verification of a suspected data breach is also
    under contemplation.

Data retention governance requirements

  • Views are requested on a new proposal to require data users to put in
    place formal data retention (and data purging) policies for personal
    data.

  • Views are also requested on making it a mandatory requirement to
    publish such data retention policies as part of a data user’s privacy
    policy – something that is quite novel compared to the privacy policy
    requirements in other jurisdictions, and clearly arises from major
    data breach incidents in Hong Kong in recent years.

Penalties and sanctions

  • New powers for the Privacy Commissioner to issue administrative fines
    are under contemplation.

  • Views are requested on the appropriate level of administrative fines,
    with a proposal of fines linked to a percentage of annual turnover of
    a data user under consideration – this would represent a paradigm
    shift in Hong Kong, if brought into effect.

  • The ability and mechanism for data users to challenge administrative
    fines is also under consideration.

Regulation of data processors

  • Direct regulation of data processors (currently a gap in the PDPO) is
    under consideration, with suggestions of data processors being
    directly accountable for data retention, security and notification of
    data breaches.

Definition of personal data

  • A step change to amend the definition to cover not only “identified”
    persons, but also “identifiable” persons – something that brings Hong
    Kong closer to the definition found in other key jurisdictions and
    which better deals with the way data is held, handled and used in
    modern business.

Disclosure of personal data of others

  • A call for views on how to better regulate the practice of “doxxing”
    (the practice of publishing private or identifying information about
    a person without their consent, typically with malicious intent).

  • Potential measures include new powers for the Privacy Commissioner to
    require social media platforms and websites to remove content and new
    powers of criminal investigation and prosecution.

What’s missing?

The proposals cover selected areas and do not represent a comprehensive review of the PDPO.

Conspicuously missing from the list of proposed updates is any mention of section 33 of the PDPO, the section which governs cross-border data transfers and which has never been brought into operation despite having been on the statute book for many years. The free flow of data in Hong Kong has long been said to be a key and unique feature of doing business in the Asia region, though changes in data protection laws both regionally and globally mean that the Hong Kong position is increasingly out of step with other key jurisdictions. We expect that this may well be addressed separately, given the focus on the Greater Bay Area initiative and the need for a coordinated approach to data transfer rules across Guangdong, Hong Kong and Macau to truly facilitate doing business across the Greater Bay Area.

The Discussion Paper may also be a missed opportunity to consider broader issues in the PDPO, such as updating historical views on the meaning of collection of data.

With this development following closely from a spate of updates in Hong Kong on artificial intelligence, data ethics and accountability in the latter half of 2019, we expect some significant step changes in this area in the coming year.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.