Update on panel discussions to amend Hong Kong privacy law

In this article, we sum up key privacy issues discussed at the LegCo Panel on Constitutional Affairs meeting.

29 January 2020


As mentioned in our previous update, the Hong Kong Panel on Constitutional Affairs has published a discussion paper (Discussion Paper) seeking views on proposed amendments to the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in six selected areas.

The Legislative Council considered the discussion paper on 20 January 2020 (Discussion). Not surprisingly, most of the debates revolved around recent data breaches and doxxing practices in Hong Kong. Panel members also raised concerns about the lack of regulation on cross-border data transfers (a topic on which views were not sought in the Discussion Paper) and the scope of power of the Privacy Commissioner for Personal Data (Commissioner).

Key Points Covered by the Discussion included:

Expanding the power of the Commissioner

Sanctioning power

One of the proposals raised in the Discussion Paper was whether to grant the Commissioner a power to directly impose administrative fines on data users for contravention of data protection laws. However, in the context of doxxing and online anonymity, it could be difficult for the Commissioner to trace the ultimate data user. One suggestion made during the Discussion was to expand such sanctioning powers to allow the Commissioner to impose fines on any platforms (such as social media or messaging platforms) which permit or facilitate data breach practices. We expect strong pushback from the technology industry if the Hong Kong government seriously considers adopting this suggestion, as imposing liability on online platforms (such as Facebook, Twitter, Telegram) for user-generated content raises questions about whether these platforms should be required to proactively monitor online content (and effectively assume the role of policing the internet) and also has broader ramifications for freedom of speech. It also raises some hard questions about intermediary liability. Lawmakers and courts around the world are increasingly grappling with similar themes around intermediary liability in the context of copyright infringement, online publication and, more recently, the role of mega platforms in controlling the spread of harmful, violent or illegal content (and more broadly, disinformation).

With mega platforms in the regulatory limelight across the world, these suggestions do not seem as improbable as they might have a few years ago (despite the strong industry lobbying we expect to see). If the Hong Kong government moves forward with considering this proposal, we expect to see rigorous discussion around clear guidance and appropriate guardrails (for example, whether knowledge of the platform operator should be required, the baseline standards expected of platform operators, etc.).

Investigative power

Currently the Commissioner is considered a “paper tiger” because it does not have adequate powers of investigation. Under the existing regime, after receiving complaints, the Commissioner can only refer cases that may be offences under the PDPO to the police for further investigation.

The Discussion Paper raised the question of whether the Commissioner should be granted more expansive powers to conduct investigations in the context of doxxing. This suggestion was generally welcomed by the Legislative Council members. It will be interesting to see whether the Legislative Council moves forward with amendments to the PDPO to extend these proposed investigative powers to matters beyond doxxing.

Mandatory data breach reporting

The proposal of implementing a mandatory data breach reporting mechanism was generally welcomed, although Panel members asked for further clarifications as to what constitutes “real risk of significant harm”. There are some clear lessons to be learnt from other jurisdictions on setting an appropriate threshold for mandatory data breach reporting (and the risks of reporting fatigue and overreporting).

Still Missing…

Timetable for implementing section 33 of the PDPO

Unfortunately, the Hong Kong government does not have a concrete timetable to bring section 33 of the PDPO (which governs cross-border data transfer) into effect. Currently, there are no restrictions on the transfer of personal data outside of Hong Kong. This is an enormous gap in the Hong Kong law, as compared with other key jurisdictions, which usually require certain conditions to be met (such as voluntary consent from the data subject, the receiving jurisdictions having “adequate protection” etc.) before cross-border data transfers can be lawfully effected.

The Commissioner’s office is currently working on a draft guideline to corporates on (1) intra-group cross-border transfers of personal data; and (2) transfers of personal data to data processors. The draft guideline is expected to be completed in the first half of 2020 (though, as with other guidelines, it will not be legally binding).

“Sensitive Personal Data”

Facial recognition technology was also discussed by the Panel members. It is somewhat surprising that the Discussion Paper does not raise proposals for enhancing the protection of sensitive personal data, in light of the increasingly widespread use of biometric data and the Commissioner’s recognition of the heightened privacy risks around biometric data.

Other remaining issues

The Discussion Paper also failed to address issues such as having a specific provision governing “profiling” and “automatic decision making”. In light of advances in other jurisdictions in this area (notably, Singapore), and given Hong Kong’s smart city ambitions, we expect that more work in this area will be needed to ensure that Hong Kong remains a competitive and trusted jurisdiction for consumers of high technology.

We will continue to monitor updates and developments.
